From: Carlos G Mendioroz (tron@huapi.ba.ar)
Date: Wed Mar 25 2009 - 09:56:44 ART
This is not the case on a 2950 running 12.1(22)EA12.
Same config, flow is caught (and denied).
So I stand surprised :)
Pavel Bykov @ 25/03/2009 9:49 -0200 dixit:
> Switches do interpret QinQ as non-ip traffic, so I'm not sure what
> packet structure is required for MAC access-list to become active.
> The only thing I can confirm, is that while labbing one (didn't use MAC
> ACL in production) mock lab from IE, there was a task to restrict a
> certain flow. So I created a MAC ACL on 3560, and the traffic flowed
> right through it. Also, in the lab solution this was mentioned.
>
> So to elaborate: If you create a MAC access-list, matching some MAC and
> denying it, and apply this MAC ACL on an interface (not SVI) in MODE
> ACCESS, the traffic will flow through. This is my lab experience and it
> was in line with documentation.
>
>
> On Wed, Mar 25, 2009 at 12:18 PM, Carlos G Mendioroz <tron@huapi.ba.ar> wrote:
>
> Hmmm, that's not the way I see it.
>
> The link says:
> Use the mac access-list extended global configuration command to
> create an access list based on MAC addresses for non-IP traffic.
>
> which I read as:
> Given that in non IP traffic you have no way to apply IP based lists,
> you may use mac based list to do something.
>
> But this does by no means imply that it ONLY works on non IP traffic.
> And in fact it does work on IP traffic at least on a 2950.
> (Don't have a 3560 to test handy, but it would surprise me if it behaved
> differently)
>
> -Carlos
>
>
>
> Pavel Bykov @ 24/03/2009 21:47 -0200 dixit:
> > One of the very important things to consider, is that MAC access-list
> > applies ONLY to non-ip traffic:
> >
> > http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_50_se/command/reference/cli1.html#wp9666484
> >
> >
> > On Sat, Mar 21, 2009 at 8:24 PM, Raghav Bhargava <raghavbhargava12@gmail.com> wrote:
> >
> >> Hi Bhuvanesh,
> >> MAC Access List are applied for L2 Traffic whereas IP Access-list is applied
> >> for L3 Traffic. If you have both applied on your switch Mac-Access list
> >> takes precedence over Ip access list.
> >>
> >> regards
> >> raghav
> >>
> >> On Sat, Mar 21, 2009 at 12:49 AM, Bhuvanesh Rajput <ashu2084@gmail.com> wrote:
> >>> Hi guys,
> >>>
> >>> Please throw some light on my doubts.........
> >>>
> >>> a>> on the switch, when/where (l2 interface / vlan) can we use mac
> >>> address-list, ip access-list and vlan map.?
> >>>
> >>> b>> can we apply mac access-list, ip access-list and vlan map
> >>> altogether on a single L2 interface /vlan (svi)?
> >>>
> >>> c>>in which direction mac access-list take precedence when ip
> >>> access-list and vlan map also configured on the interface/vlan.
> >>>
> >>> d>> if all three applied on the l2 interface/vlan(svi) then what
> >>> would be the execution sequence??
> >>>
> >>> Cheers!
> >>> Bhuvanesh
> >>>
> >>>
> >>> Blogs and organic groups at http://www.ccie.net
> >>>
> >>>
> _______________________________________________________________________
> >>> Subscription information may be found at:
> >>> http://www.groupstudy.com/list/CCIELab.html
> >>
> >> --
> >> Warm Regards
> >> Raghav
> >
> >
>
> --
> Carlos G Mendioroz <tron@huapi.ba.ar>
> LW7 EQI Argentina
>
>
>
>
> --
> Pavel Bykov
> ----------------
> Don't forget to help stopping the braindumps, use of which reduces value
> of your certifications. Sign the petition at http://www.stopbraindumps.com/
--
Carlos G Mendioroz <tron@huapi.ba.ar>
LW7 EQI Argentina
This archive was generated by hypermail 2.1.4 : Mon Apr 06 2009 - 06:44:07 ART