01-09-2012 05:57 AM - edited 03-07-2019 04:14 AM
Hey all,
I'm looking to implement a VLAN filter to keep unnecessary stuff off my access layer. Things like IPv6, IPX etc. I really only want IPv4, ARP and 802.1q on these 4500s. I know on 3750s, 3560s etc., when I create the mac access-list, I can do it by ethertype, but on the 4500, I don't have that option.
4th_floor(config)#mac access-list extended Drop-traffic
4th_floor(config-ext-macl)#permit any any ?
protocol-family An Ethernet protocol family
<cr>
4th_floor(config-ext-macl)#permit any any protocol-family ?
appletalk
arp-non-ipv4
decnet
ipx
ipv6
rarp-ipv4
rarp-non-ipv4
vines
xns
4th_floor(config-ext-macl)#permit any any protocol-family arp-non-ipv4
4th_floor(config-ext-macl)#
Is it safe to assume, if I do a permit on arp-non-ipv4, that ARP and IPv4 traffic will function properly and other protocols will be dropped? I don't see any specific command to PERMIT IPv4.
vlan access-map filter 10
action forward
match mac address Drop-traffic
vlan access-map filter 20
action drop
01-09-2012 07:06 AM
Is it safe to assume, if I do a permit on arp-non-ipv4, that ARP and IPv4 traffic will function properly and other protocols will be dropped? I don't see any specific command to PERMIT IPv4.
That is correct. A MAC ACL on the 4500 can only block non-IP traffic, so there is no risk of blocking any IP packet (the ASIC checks the ethertype; 0x0800 is never filtered by MAC ACLs).
This is why you don't see any specific command for IPv4.
Regarding ARP for IPv4, this is not blocked by any ACL on this box, per BU design.
There is a documentation bug which reports that:
"CSCeh89983 mac acl does not block arp packet
ARP packets cannot be intercepted on a Catalyst 4000/4500 switch using
any type of ACL configurations - port vlan acls, port acls, vlan acls or
router acls. This behavior is by design and is not a caveat."
Please rate and close the question if helpful.
regards,
Riccardo
01-09-2012 07:14 AM
Thanks for your reply.
I put in the example I included above and lost connectivity. I did this:
Vlan access-map "drop-things" 10
Match clauses:
mac address: Drop-traffic
Action:
forward
Vlan access-map "drop-things" 20
Match clauses:
ip address: Allow-V4
Action:
forward
Vlan access-map "drop-things" 30
Match clauses:
Action:
drop
mac access-list extended Drop-traffic
permit any any protocol-family arp-non-ipv4
ip access-list extended Allow-V4
permit ip any any
After including the access-list that permits ip any any, I re-established connectivity to the VLAN I applied it to. Also, I had an IPv6 ping running; once I applied the ACL, IPv6 quit working (as desired).
01-09-2012 07:53 AM
Hi there,
Sorry, I did not read your entire config completely.
What I wrote is still valid; the connectivity issue you saw is due to the 'reverse' logic you applied to your VLAN maps (called VACLs on other platforms). My answer applies specifically to the MAC ACL and not to the logic applied by the switch when a MAC ACL is tied to a VACL. In other words, what I wrote applies to the MAC ACL only, but when you configure a VLAN map which includes IP and MAC ACLs you need to pay attention to the VLAN map logic itself too.
You configured:
vlan access-map filter 10
action forward
match mac address Drop-traffic
vlan access-map filter 20
action drop
Basically, with this VLAN map you get the opposite result, as you forward anything defined in Drop-traffic (the action is forward) while you drop all the rest with sequence 20, which drops whatever is not matched by sequence 10.
The proper syntax would have been:
vlan access-map filter 10
action drop
match mac address Drop-traffic
vlan access-map filter 20
action forward (which is the default)
With this you would have filtered arp-non-ipv4 traffic and forwarded the rest, INCLUDING the IPv6 traffic.
To also filter IPv6 traffic you would have to add a sequence dropping it specifically before the final forward-any-any.
The logic is the following:
"If the VLAN map has a match clause for the type of packet (IP or MAC) and the packet does not match the type, the default is to drop the packet. If there is no match clause in the VLAN map for that type of packet, and no action specified, the packet is forwarded."
With your final config, what you get is the following instead:
Vlan access-map "drop-things" 10
Match clauses:
mac address: Drop-traffic
Action:
forward
You allow arp-non-ipv4 traffic.
Vlan access-map "drop-things" 20
Match clauses:
ip address: Allow-V4
Action:
forward
You allow IP traffic.
Vlan access-map "drop-things" 30
Match clauses:
Action:
drop
You drop all the rest (IPv6 included).
Is this what you need?
Riccardo
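The evaluation logic discussed in this thread, modelled in Python as an added example (it is not part of the original thread or of any Cisco tool). The model encodes the rules stated above: a MAC ACL never matches IPv4 frames, an IP ACL only matches IPv4 frames, ARP is not filtered by any ACL on the 4500 (per the reply quoting the documentation note), sequences are evaluated in order with first match winning, a sequence with no match clause matches everything, and the end-of-map default from the quoted rule. The packet model, names and the "arp" bypass are simplifications taken from the thread's statements, not independently verified against hardware. It replays the three maps from the thread plus the IPv6-dropping variant suggested in the last reply.

```python
"""Model of Catalyst VLAN access-map evaluation (added example, not Cisco code).

Assumptions taken from the thread above:
  * a MAC ACL never matches IPv4 (ethertype 0x0800) frames;
  * an IP ACL only matches IPv4 frames;
  * ARP is never filtered on the 4500 (by design), so it bypasses the map;
  * sequences are evaluated in order, first match wins, and a sequence with
    no match clause matches every frame;
  * if no sequence matches and the map has a match clause for the frame's
    type (IP or MAC), the frame is dropped, otherwise it is forwarded.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# protocol-family keywords offered by the 4500's mac access-list
MAC_FAMILIES = {"appletalk", "arp-non-ipv4", "decnet", "ipx", "ipv6",
                "rarp-ipv4", "rarp-non-ipv4", "vines", "xns"}


@dataclass(frozen=True)
class Frame:
    kind: str  # 'ipv4', 'arp', or one of MAC_FAMILIES


@dataclass
class MacAcl:
    # (action, protocol_family); family None means "permit any any" (any non-IPv4)
    entries: List[Tuple[str, Optional[str]]]

    def permits(self, frame: Frame) -> bool:
        for action, family in self.entries:
            if family is None or family == frame.kind:
                return action == "permit"
        return False  # implicit deny at the end of every ACL


@dataclass
class IpAcl:
    # each entry is 'permit' or 'deny' and matches any IPv4 frame
    entries: List[str]

    def permits(self, frame: Frame) -> bool:
        return bool(self.entries) and self.entries[0] == "permit"


@dataclass
class Sequence:
    action: str                       # 'forward' or 'drop'
    match_type: Optional[str] = None  # 'mac', 'ip', or None (no match clause)
    acl: object = None


def evaluate(vlan_map: List[Sequence], frame: Frame) -> str:
    """Return 'forward' or 'drop' for one frame under the given VLAN map."""
    if frame.kind == "arp":
        return "forward"  # ARP is never intercepted by ACLs on this platform
    is_ipv4 = frame.kind == "ipv4"
    for seq in vlan_map:
        if seq.match_type is None:
            return seq.action  # no match clause: applies to everything
        applies = (seq.match_type == "ip") == is_ipv4
        if applies and seq.acl.permits(frame):
            return seq.action
    # end-of-map default from the quoted documentation rule
    wanted = "ip" if is_ipv4 else "mac"
    return "drop" if any(s.match_type == wanted for s in vlan_map) else "forward"


DROP_TRAFFIC = MacAcl([("permit", "arp-non-ipv4")])   # mac access-list from the thread
ALLOW_V4 = IpAcl(["permit"])                          # ip access-list: permit ip any any
DROP_IPV6 = MacAcl([("permit", "ipv6")])              # hypothetical extra mac ACL

# First attempt from the question: forward what Drop-traffic permits, drop the rest.
FIRST_ATTEMPT = [Sequence("forward", "mac", DROP_TRAFFIC), Sequence("drop")]
# Map suggested in the reply: drop what Drop-traffic permits, forward the rest.
SUGGESTED = [Sequence("drop", "mac", DROP_TRAFFIC), Sequence("forward")]
# Suggested map plus the extra sequence to drop IPv6 before the final forward.
SUGGESTED_WITH_V6 = [Sequence("drop", "mac", DROP_TRAFFIC),
                     Sequence("drop", "mac", DROP_IPV6),
                     Sequence("forward")]
# Final working map from the thread.
FINAL = [Sequence("forward", "mac", DROP_TRAFFIC),
         Sequence("forward", "ip", ALLOW_V4),
         Sequence("drop")]

TEST_FRAMES = ["ipv4", "arp", "ipv6", "ipx"]  # constructed sample traffic


def outcomes(vlan_map: List[Sequence]) -> dict:
    return {k: evaluate(vlan_map, Frame(k)) for k in TEST_FRAMES}


if __name__ == "__main__":
    for name, m in [("first attempt", FIRST_ATTEMPT), ("suggested", SUGGESTED),
                    ("suggested + ipv6", SUGGESTED_WITH_V6), ("final", FINAL)]:
        print(f"{name:18s} {outcomes(m)}")
```

Running it shows why the first attempt lost connectivity: the IPv4 frame cannot match the MAC sequence, so it falls through to the catch-all drop, while in the final map the IP sequence catches it before the drop and only IPv6/IPX reach sequence 30.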