
Wednesday, March 3, 2010

MAC Access-List

Just a couple more things to keep in mind before getting into an example.

  1. IP packets are classified only by IP access-lists;
  2. Non-IP frames (ARP, STP/PVST+ BPDUs, CDP and so on) are classified only by MAC access-lists. A MAC access-list never looks at IP traffic, even though every IP packet obviously has a source MAC address.

The MAC access-list is the part that brings all the interesting issues to the table... just check it out!

Let's suppose, for example, that you have two computers, one with MAC address 000b.dc24.ca47 and the second with MAC address 000b.dc25.cb51, both connected to VLAN 7. You want all "non-IP" frames sourced from those two MAC addresses to be forwarded anywhere, and for IP traffic you want to allow only ICMP, for example, denying everything else!

So, we have two different requirements there...

  1. Forward all "non-IP" frames sourced from those two specific MAC addresses. That requires a MAC access-list.
  2. Permit only ICMP, denying everything else. That requires an IP access-list (the one we're all used to). Note that this one applies to every IP packet in the VLAN, not only to the two hosts, because the MAC access-list never classifies IP traffic.

Ok, so let's create our MAC access-list (the host keyword means an exact match on that address; without it IOS expects a MAC mask):

mac access-list extended AllowThose
permit host 000b.dc24.ca47 any
permit host 000b.dc25.cb51 any

That will handle the first requirement.

Now the second one, an IP access-list allowing ICMP and denying everything else (the "deny everything else" is the implicit deny any any at the end of every access-list, so one line is enough):

access-list 101 permit icmp any any

Ok! Now we need to create the VACL (or VLAN map, whichever you prefer to call it) applying those rules. The sequences are evaluated in order, and sequence 30 has no match clause at all, so it catches everything that did not match sequence 10 or 20:

vlan access-map Filter-VL7 10
action forward
match mac address AllowThose
!
vlan access-map Filter-VL7 20
action forward
match ip address 101
!
vlan access-map Filter-VL7 30
action drop

Now it looks ok, right?! Time to apply it to VLAN 7! Let's try:

vlan filter Filter-VL7 vlan-list 7

Now testing! See if you can ping! Not working?! Hmmm... interesting... but why?! Well, I told you the MAC access-list would bring all the interesting issues to the table, and it did! Think about ARP. The ARP request your host sends is sourced from one of the two permitted MAC addresses, so sequence 10 forwards it. But the ARP reply comes back from the gateway (or from whatever host you are pinging), sourced from a MAC address that is not in AllowThose. ARP is not IP, so sequence 20 never even looks at it, and it falls through to sequence 30 and is dropped. No ARP reply, no resolved MAC address, no ping! That is where most of the confusion comes from. Just keep in mind that the end of an access-list is always an implicit deny any any, so anything the MAC access-list does not explicitly permit is exactly what ends up in the drop sequence.

How to fix it?! Simple, allow it in the MAC access-list:

permit any any 0x0806 0x0000
permit any any lsap 0xAAAA 0x0000

But wait a minute! What's that 0x0806 and lsap 0xAAAA?! The first one is the EtherType for ARP (0x0806); the trailing 0x0000 is a mask, and all zeros means every bit of the EtherType has to match. The second one is not an EtherType at all: lsap 0xAAAA is the 802.2 DSAP/SSAP pair 0xAA/0xAA, which is SNAP encapsulation, and that is how PVST+ BPDUs are carried. You do not want your switch running unprotected from loops, right?! So it's better to allow it! One caveat: that lsap entry permits every SNAP-encapsulated non-IP frame from any source, not only PVST+ (CDP, VTP and DTP use the same encapsulation), so be aware of what else you are letting through.

For the sake of simplicity, the full configuration would be this one:

mac access-list extended AllowThose
permit host 000b.dc24.ca47 any
permit host 000b.dc25.cb51 any
permit any any 0x0806 0x0000
permit any any lsap 0xAAAA 0x0000
!
access-list 101 permit icmp any any
!
vlan access-map Filter-VL7 10
action forward
match mac address AllowThose
!
vlan access-map Filter-VL7 20
action forward
match ip address 101
!
vlan access-map Filter-VL7 30
action drop
!
vlan filter Filter-VL7 vlan-list 7
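To see the frame-by-frame reasoning above in action, here is an added example, written for this page rather than taken from the original post or from Cisco, that models how a VLAN map classifies frames (MAC ACL for non-IP, IP ACL for IP) and walks its sequences in order with first-match and implicit deny. It then runs the constructed traffic of one ping from host 000b.dc24.ca47 to its gateway through both versions of AllowThose. Only the two host MACs, the ACL entries and the Filter-VL7 sequences come from the post; the gateway and switch MAC addresses, the sample frames and all function names are assumptions made for the example.

```python
# Added model of Catalyst VLAN-map (VACL) evaluation; see the lead-in for what is assumed.
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806
LSAP_SNAP = 0xAAAA   # 802.2 DSAP/SSAP 0xAA/0xAA: SNAP encapsulation (PVST+, CDP, VTP, DTP)

@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    ethertype: Optional[int] = None   # Ethernet II frames
    lsap: Optional[int] = None        # 802.2 LLC frames: DSAP << 8 | SSAP
    ip_proto: Optional[str] = None    # "icmp", "tcp", ... for IPv4 frames
    def is_ip(self) -> bool:
        return self.ethertype == ETHERTYPE_IPV4

@dataclass
class MacAce:   # one 'mac access-list extended' line; src/dst are 'any' or an exact (host) MAC
    action: str
    src: str
    dst: str
    ethertype: Optional[int] = None
    ethertype_mask: int = 0           # wildcard bits: the 0x0000 in 'permit any any 0x0806 0x0000'
    lsap: Optional[int] = None
    def matches(self, f: Frame) -> bool:
        if self.src != "any" and self.src != f.src_mac:
            return False
        if self.dst != "any" and self.dst != f.dst_mac:
            return False
        if self.ethertype is not None and (f.ethertype is None or
                (f.ethertype | self.ethertype_mask) != (self.ethertype | self.ethertype_mask)):
            return False
        return self.lsap is None or f.lsap == self.lsap

@dataclass
class IpAce:    # one numbered IP access-list line; only the protocol field is modelled
    action: str
    proto: str  # "icmp", "tcp", "udp" or "ip"
    def matches(self, f: Frame) -> bool:
        return f.is_ip() and self.proto in ("ip", f.ip_proto)

def acl_permits(acl, f: Frame) -> bool:
    """First match wins; the implicit 'deny any any' at the end denies the rest."""
    for ace in acl:
        if ace.matches(f):
            return ace.action == "permit"
    return False

def evaluate(vlan_map, f: Frame) -> str:
    """vlan_map: ordered (seq, action, match); match is ("mac", acl), ("ip", acl) or None."""
    clause_for_type = False
    for _seq, action, match in vlan_map:
        if match is None:                 # no match clause: applies to every frame
            return action
        kind, acl = match
        # a MAC ACL only classifies non-IP frames, an IP ACL only IP packets
        if (kind == "mac" and f.is_ip()) or (kind == "ip" and not f.is_ip()):
            continue
        clause_for_type = True
        if acl_permits(acl, f):
            return action
    # Catalyst default when nothing matched: drop if the map has a clause for this frame type
    return "drop" if clause_for_type else "forward"

HOST_A, HOST_B = "000b.dc24.ca47", "000b.dc25.cb51"   # the two hosts from the post
GATEWAY, SWITCH = "0011.2233.4455", "0019.aabb.ccdd"  # constructed: gateway and neighbour switch
BCAST, PVST_MCAST = "ffff.ffff.ffff", "0100.0ccc.cccd"

ALLOW_THOSE_V1 = [MacAce("permit", HOST_A, "any"), MacAce("permit", HOST_B, "any")]
ALLOW_THOSE_V2 = ALLOW_THOSE_V1 + [
    MacAce("permit", "any", "any", ethertype=ETHERTYPE_ARP),   # permit any any 0x0806 0x0000
    MacAce("permit", "any", "any", lsap=LSAP_SNAP),            # permit any any lsap 0xAAAA 0x0000
]
ACL_101 = [IpAce("permit", "icmp")]                            # access-list 101 permit icmp any any

def filter_vl7(mac_acl):   # vlan access-map Filter-VL7 sequences 10, 20, 30 from the post
    return [(10, "forward", ("mac", mac_acl)), (20, "forward", ("ip", ACL_101)), (30, "drop", None)]

SAMPLE_FRAMES = {   # constructed traffic: one ping from host A to the gateway, plus two extras
    "arp_request_from_A": Frame(HOST_A, BCAST, ethertype=ETHERTYPE_ARP),
    "arp_reply_from_gw":  Frame(GATEWAY, HOST_A, ethertype=ETHERTYPE_ARP),
    "icmp_echo_from_A":   Frame(HOST_A, GATEWAY, ethertype=ETHERTYPE_IPV4, ip_proto="icmp"),
    "icmp_reply_from_gw": Frame(GATEWAY, HOST_A, ethertype=ETHERTYPE_IPV4, ip_proto="icmp"),
    "tcp_syn_from_A":     Frame(HOST_A, GATEWAY, ethertype=ETHERTYPE_IPV4, ip_proto="tcp"),
    "pvst_bpdu":          Frame(SWITCH, PVST_MCAST, lsap=LSAP_SNAP),
}

def verdicts(mac_acl) -> dict:
    vmap = filter_vl7(mac_acl)
    return {name: evaluate(vmap, f) for name, f in SAMPLE_FRAMES.items()}

def ping_works(mac_acl) -> bool:
    """A ping needs ARP in both directions and then ICMP in both directions."""
    v = verdicts(mac_acl)
    return all(v[k] == "forward" for k in
               ("arp_request_from_A", "arp_reply_from_gw", "icmp_echo_from_A", "icmp_reply_from_gw"))
```

ping_works(ALLOW_THOSE_V1) returns False, and verdicts(ALLOW_THOSE_V1) shows exactly the failure described above: the ARP request from host A is forwarded by sequence 10, but the ARP reply from the gateway (and the PVST+ BPDU) match nothing and land in sequence 30. With ALLOW_THOSE_V2 both are forwarded and ping_works returns True, while the TCP SYN is still dropped in both versions because sequence 20 only permits ICMP. The model covers only the classification and first-match rules discussed on this page; it does not model hardware details such as TCAM merging or control-plane frames the switch punts to its CPU.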

The most common EtherType and LSAP values are (and probably the ones asked in the lab):

  • 0x0806 = ARP (EtherType)
  • lsap 0xAAAA = SNAP encapsulation: PVST+ BPDUs, but also CDP, VTP and DTP
  • lsap 0x4242 = IEEE 802.1D STP and PVST (802.2 DSAP/SSAP 0x42; an LSAP, not an EtherType)
  • 0x86DD = IPv6 (EtherType)

Again... we need to understand all the little pieces involved in a particular task, and remember the basics: the OSI model, ARP, and so on! It's not difficult, but it's a little confusing the first time! Just go ahead, drink some water (I did it several times), come back again, read it over, and try some scenarios yourself. Don't have equipment?! Try it in Notepad, just try some, compare with the example, and you'll see how easy it can be! The best way to learn is trying it yourself! ;)


http://cauew.blogspot.com/2008/08/vacl-vlan-maps-mac-acl.html

