Comments on: Security: Common Ethertypes in Vlan Access Maps http://ardenpackeer.com/security/security-common-ethertypes-in-vlan-access-maps/ Helping You Become a Network Ninja Fri, 19 Mar 2010 22:04:51 -0600 http://wordpress.org/?v=2.8.4 hourly 1 By: Arden Packeer, CCIE #20716 http://ardenpackeer.com/security/security-common-ethertypes-in-vlan-access-maps/comment-page-1/#comment-898 Arden Packeer, CCIE #20716 Wed, 11 Jun 2008 19:54:58 +0000 http://ardenpackeer.com/blog/security-common-ethertypes-in-vlan-access-maps/#comment-898 Hi Sharath, Thanks for the correction. I have updated the article. Hi Sharath,

Thanks for the correction. I have updated the article.

]]> By: Sharath http://ardenpackeer.com/security/security-common-ethertypes-in-vlan-access-maps/comment-page-1/#comment-897 Sharath Wed, 11 Jun 2008 19:15:50 +0000 http://ardenpackeer.com/blog/security-common-ethertypes-in-vlan-access-maps/#comment-897 Hello Arden, The CAT 3550 and 3560 switches process IP Packets in a different way than the non-IP Packets. So it is Mandatory to use IP access-list. "In the example above we are using an ip access-list to match ip traffic, but we could have also used a mac access-list to do this" We cannot use a MAC access-list to allow IP Packets. Sharath Hello Arden,

The CAT 3550 and 3560 switches process IP Packets in a different way than the non-IP Packets. So it is Mandatory to use IP access-list.

“In the example above we are using an ip access-list to match ip traffic, but we could have also used a mac access-list to do this”

We cannot use a MAC access-list to allow IP Packets.

Sharath

]]> By: Sharath Samanth http://ardenpackeer.com/security/security-common-ethertypes-in-vlan-access-maps/comment-page-1/#comment-884 Sharath Samanth Sat, 07 Jun 2008 19:22:29 +0000 http://ardenpackeer.com/blog/security-common-ethertypes-in-vlan-access-maps/#comment-884 Hi Arden, This was a really helpful guide on Ether Types. But I am really facing some strange issues. Objective: I am trying to make vlan 1 an IP only VLAN. Configuration: I have configured the following MAC ACLs. mac access-list extended IEEE_STP permit any any lsap 0x4242 0x0 mac access-list extended IPARP permit any any 0x806 0x0 mac access-list extended IPV4 permit any any 0x800 0x0 The following is the VLAN Access Map vlan access-map P2F 10 action forward match mac address IEEE_STP vlan access-map P2F 11 action forward match mac address IPV4 vlan access-map P2F 12 action forward match mac address IPARP vlan access-map P2F 20 action drop ! vlan filter P2F vlan-list 1 The VLAN1 SVI is also configured with an IPV4 and IPV6 address. interface Vlan1 ip address 192.168.1.7 255.255.255.0 no ip route-cache ipv6 address 2001:210:10:1::3/64 ipv6 enable end Problem: Unable to ping IPV4 hosts connected to the Switch. 3560#ping 192.168.1.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds: ..... Success rate is 0 percent (0/5) 3560#ping 192.168.1.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds: ..... Success rate is 0 percent (0/5) The ARP Cache in the Switch is populated with correct MAC addresses. 3560#sh ip arp Protocol Address Age (min) Hardware Addr Type Interface Internet 192.168.1.9 8 0016.d3e5.d3cb ARPA Vlan1 Internet 192.168.1.1 1 cc00.1da0.0000 ARPA Vlan1 Internet 192.168.1.2 1 cc01.1da0.0000 ARPA Vlan1 Internet 192.168.1.7 - 001a.e3b5.0140 ARPA Vlan1 What is surprising me is I can ping the IPV6 address without any issues. 3560#ping ipv6 2001:210:10:1::1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2001:210:10:1::1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 0/6/17 ms 3560#ping ipv6 2001:210:10:1::2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2001:210:10:1::2, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 0/13/33 ms Why is the sequence #20 in the VLAN access-map not droping the IPV6 frames. I also configured an explicit drop sequence matching the 0x86DD but nothing changes. The Software image of the 3560 switch is: System image file is "flash:c3560-advipservicesk9-mz.122-44.SE2.bin" Please let me know what am I missing in the configuration? Thanks in Advance Sharath Hi Arden,

This was a really helpful guide on Ether Types. But I am really facing some strange issues.

Objective:
I am trying to make vlan 1 an IP only VLAN.

Configuration:
I have configured the following MAC ACLs.

mac access-list extended IEEE_STP
permit any any lsap 0×4242 0×0

mac access-list extended IPARP
permit any any 0×806 0×0

mac access-list extended IPV4
permit any any 0×800 0×0

The following is the VLAN Access Map

vlan access-map P2F 10
action forward
match mac address IEEE_STP
vlan access-map P2F 11
action forward
match mac address IPV4
vlan access-map P2F 12
action forward
match mac address IPARP
vlan access-map P2F 20
action drop
!
vlan filter P2F vlan-list 1

The VLAN1 SVI is also configured with an IPV4 and IPV6 address.

interface Vlan1
ip address 192.168.1.7 255.255.255.0
no ip route-cache
ipv6 address 2001:210:10:1::3/64
ipv6 enable
end

Problem:
Unable to ping IPV4 hosts connected to the Switch.

3560#ping 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
…..
Success rate is 0 percent (0/5)
3560#ping 192.168.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
…..
Success rate is 0 percent (0/5)

The ARP Cache in the Switch is populated with correct MAC addresses.

3560#sh ip arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.168.1.9 8 0016.d3e5.d3cb ARPA Vlan1
Internet 192.168.1.1 1 cc00.1da0.0000 ARPA Vlan1
Internet 192.168.1.2 1 cc01.1da0.0000 ARPA Vlan1
Internet 192.168.1.7 – 001a.e3b5.0140 ARPA Vlan1

What is surprising me is I can ping the IPV6 address without any issues.

3560#ping ipv6 2001:210:10:1::1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:210:10:1::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/6/17 ms
3560#ping ipv6 2001:210:10:1::2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:210:10:1::2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/13/33 ms

Why is the sequence #20 in the VLAN access-map not droping the IPV6 frames.
I also configured an explicit drop sequence matching the 0×86DD but nothing changes.

The Software image of the 3560 switch is:
System image file is “flash:c3560-advipservicesk9-mz.122-44.SE2.bin”

Please let me know what am I missing in the configuration?

Thanks in Advance
Sharath

]]>