Bronze

4500 and Mac Access-list

Hey all,

I'm looking to implement a VLAN filter to keep unnecessary stuff off my access layer, things like IPv6, IPX, etc. I really only want IPv4, ARP and 802.1q on these 4500s. I know on 3750s, 3560s, etc., when I create the mac access-list, I can do it by ethertype, but on the 4500 I don't have that option.

4th_floor(config)#mac access-list extended Drop-traffic
4th_floor(config-ext-macl)#permit any any ?
  protocol-family  An Ethernet protocol family
  <cr>
4th_floor(config-ext-macl)#permit any any protocol-family ?
  appletalk
  arp-non-ipv4
  decnet
  ipx
  ipv6
  rarp-ipv4
  rarp-non-ipv4
  vines
  xns
4th_floor(config-ext-macl)#permit any any protocol-family arp-non-ipv4
4th_floor(config-ext-macl)#

Is it safe to assume, if I do a permit on arp-non-ipv4, that ARP and IPv4 traffic will function properly and other protocols will be dropped? I don't see any specific command to PERMIT IPv4.

vlan access-map filter 10
 action forward
 match mac address Drop-traffic
vlan access-map filter 20
 action drop

3 REPLIES
Cisco Employee

Re: 4500 and Mac Access-list

> Is it safe to assume, if I do a permit on arp-non-ipv4, that ARP and IPv4 traffic will function properly and other protocols will be dropped? I don't see any specific command to PERMIT IPv4.

That is correct. A MAC ACL on the 4500 can only block non-IP traffic, so there is no risk of blocking any IP packet (the ASIC checks for ethertype 0x0800, which is never filtered by MAC ACLs).

This is why you don't see any specific command for IPv4.

Regarding ARP for IPv4, this is not blocked by any ACL on this box, per BU design.

There is a documentation bug which reports that:

"CSCeh89983    mac acl does not block arp packet
ARP packets cannot be intercepted on a Catalyst 4000/4500 switch using
any type of ACL configurations - port vlan acls, port acls, vlan acls or
router acls.  This behavior is by design and is not a caveat."

Please rate and close the question if helpful.

regards,

Riccardo

Bronze

Re: 4500 and Mac Access-list

Thanks for your reply.

I put in the example I included above and lost connectivity. I did this:

Vlan access-map "drop-things"  10
  Match clauses:
    mac address: Drop-traffic
  Action:
    forward
Vlan access-map "drop-things"  20
  Match clauses:
    ip  address: Allow-V4
  Action:
    forward
Vlan access-map "drop-things"  30
  Match clauses:
  Action:
    drop

mac access-list extended Drop-traffic
 permit any any protocol-family arp-non-ipv4

ip access-list extended Allow-V4
 permit ip any any

After including the access-list that's permit ip any any, I re-established connectivity to the VLAN I applied it to. Also, I had an IPv6 ping running; once I applied the ACL, IPv6 quit working (as desired).

Cisco Employee

Re: 4500 and Mac Access-list

Hi there,

Sorry, I did not read your entire config completely.

What I wrote is still valid; the connectivity issue you saw is due to the 'reverse' logic you applied to your VLAN maps (called VACLs on other platforms). My answer applies specifically to the MAC ACL and not to the logic applied by the switch when a MAC ACL is tied to a VACL. In other words, what I wrote applies to the MAC ACL only, but when you configure a VLAN map which includes IP and MAC ACLs you need to pay attention to the VLAN map logic itself too.

You configured:

vlan access-map filter 10
 action forward
 match mac address Drop-traffic
vlan access-map filter 20
 action drop

Basically, with this VLAN map you get the opposite result: you forward anything defined in Drop-traffic (the action is forward) while you drop all the rest with sequence 20, which drops whatever is not matched by sequence 10.

The proper syntax would have been:

vlan access-map filter 10
 action drop
 match mac address Drop-traffic
vlan access-map filter 20
 action forward  (which is the default)

With this you would have filtered arp-non-ipv4 traffic and forwarded the rest, INCLUDING the IPv6 traffic.

To also filter ipv6 traffic you would have to add a sequence dropping it specifically before the final forward any any.

The logic is the following:

"If the VLAN map has a match clause for the type of packet (IP or MAC) and the packet does not match the type, the default is to drop the packet. If there is no match clause in the VLAN map for that type of packet, and no action specified, the packet is forwarded."

With your final config, what you get is the following instead:

Vlan access-map "drop-things"  10
  Match clauses:
    mac address: Drop-traffic
  Action:
    forward

You allow arp-non-ipv4 traffic.

Vlan access-map "drop-things"  20
  Match clauses:
    ip  address: Allow-V4
  Action:
    forward

You allow IP traffic.

Vlan access-map "drop-things"  30
  Match clauses:
  Action:
    drop

You drop all the rest (IPv6 included).

Is this what you need?

Riccardo
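To make the sequence logic above concrete, here is a small model of the VLAN access-map evaluation this thread describes, run over the poster's first attempt, Riccardo's corrected ordering, the final working config, and a fourth map (our construction) that uses the ipv6/ipx protocol families the CLI lists. This is an added example, not Cisco code or the 4500's real implementation; the frame labels, the treatment of IPv6/IPX as 'mac'-type packets, and the assumption that arp-non-ipv4 covers none of the sample frames are ours.

```python
"""Model of the Catalyst 4500 VLAN access-map logic described in this thread.
Added example, not Cisco code. Assumptions: frames are labelled by protocol
family; an 'ip' clause applies only to IPv4; IPv6 and IPX count as 'mac'
type; the arp-non-ipv4 family covers none of the sample frames."""

FRAMES = ["ipv4", "arp", "ipv6", "ipx"]

def mac_acl(families):
    """A MAC ACL permitting the given protocol families.
    On the 4500 a MAC ACL never matches IPv4 (ethertype 0x0800)."""
    return ("mac", lambda fam: fam != "ipv4" and fam in families)

def ip_acl_permit_any():
    """'permit ip any any': matches IPv4 only."""
    return ("ip", lambda fam: fam == "ipv4")

def evaluate(vlan_map, fam):
    """Return 'forward' or 'drop' for one frame. vlan_map is a list of
    (sequence, [clauses], action) tuples, evaluated in sequence order."""
    if fam == "arp":
        return "forward"  # ARP is never intercepted by any ACL on this box
    pkt_type = "ip" if fam == "ipv4" else "mac"
    for _, clauses, action in vlan_map:
        if not clauses or any(pred(fam) for _, pred in clauses):
            return action
    # Documented default: if the map has a clause for this packet type but
    # none matched, the packet is dropped; otherwise it is forwarded.
    has_type = any(k == pkt_type for _, cl, _ in vlan_map for k, _ in cl)
    return "drop" if has_type else "forward"

def verdicts(vlan_map):
    return {fam: evaluate(vlan_map, fam) for fam in FRAMES}

DROP_TRAFFIC = mac_acl({"arp-non-ipv4"})
# The poster's first attempt: forward what Drop-traffic matches, drop the rest.
ORIGINAL = [(10, [DROP_TRAFFIC], "forward"), (20, [], "drop")]
# Riccardo's corrected ordering: drop the matches, forward the rest (IPv6 too).
PROPER = [(10, [DROP_TRAFFIC], "drop"), (20, [], "forward")]
# The poster's working config: forward MAC matches, forward IPv4, drop the rest.
FINAL = [(10, [DROP_TRAFFIC], "forward"),
         (20, [ip_acl_permit_any()], "forward"), (30, [], "drop")]
# Same intent via the ipv6/ipx protocol families the CLI lists (our construction).
TIGHTENED = [(10, [mac_acl({"ipv6", "ipx"})], "drop"), (20, [], "forward")]

if __name__ == "__main__":
    for n, vm in [("original", ORIGINAL), ("proper", PROPER), ("final", FINAL), ("tightened", TIGHTENED)]:
        print(n, verdicts(vm))
```

The ORIGINAL map drops IPv4 because the MAC ACL can never match it and sequence 20 catches everything else, which is the connectivity loss reported above.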
