Thursday, December 11, 2014

Traffic filtering with VLAN map.

Here is some info that I found on Cisco.com in the configuration guides for the Catalyst 6500 series and Catalyst 3750 switches.

1.1 All non-IP protocols are access-controlled through MAC addresses and Ethertype using MAC VLAN maps.
1.2 IP traffic is not access controlled by MAC VLAN maps, even ones matching Ethertype 0x0800.

2.1 Each VLAN access map can consist of one or more map sequences; each sequence has a match clause and an action clause. The match clause specifies IP or MAC ACLs for filtering a particular type of traffic, and the action clause specifies the action to be taken when a match occurs.

3.1 When a flow matches a permit ACL entry, the associated action is taken and the flow is not checked against the remaining sequences.
3.2 When a flow matches a deny ACL entry, it will be checked against the next ACL in the same sequence or the next sequence of the VLAN map.

4.1 If there is a match clause for that type of packet (IP or MAC) in the VLAN map, the default action is to drop the packet if the packet does not match any of the entries within the map.
4.2 If there is no match clause for that type of packet (no "match ip address" or no "match mac address" command in any clause), the default is to forward the packet.

5.1 VACLs have an implicit deny at the end of the map.

6.1 If an empty or undefined ACL is specified in a VACL, any packets will match the ACL, and the associated action is taken.
-It means you can create a VLAN map clause without specifying an ACL but with an action specified; all traffic that reaches this clause will be forwarded.

7.1 You can enforce VLAN maps only on packets going through the switch;  you cannot enforce VLAN maps on traffic between hosts on a hub or on another switch connected to this switch.
-It means you cannot filter traffic generated between two neighboring switches, such as CDP/VTP/DTP/PAgP.

Topology for our little lab:


Let's test connectivity from R2
Connectivity test_1:
R2#ping 10.1.1.1
!!!!!
R2#ping 172.20.1.1
!!!!!
R2#ping 172.20.2.1
!!!!!
R2#ping 172.20.3.1
!!!!!

We begin our lab by configuring the necessary ACLs:

Empty MAC and IP ACLs:
SWITCH_2(config)#mac access-list ex MAC_EMPTY
SWITCH_2(config)#ip access-list extended IP_EMPTY

MAC ACL for matching ARP packets:
SWITCH_2(config)#mac access-list extended ALL_ARP
SWITCH_2(config-ext-macl)#permit any any 0x806 0x0

IP ACL for matching R1's IP addresses:
SWITCH_2(config)#ip access-list extended R1_IP
SWITCH_2(config-ext-nacl)#10 permit ip 172.20.3.0 0.0.0.255 any
SWITCH_2(config-ext-nacl)#20 permit ip 10.0.0.0 0.255.255.255 any
SWITCH_2(config-ext-nacl)#30 permit ip 172.20.2.0 0.0.0.255 any
SWITCH_2(config-ext-nacl)#40 deny ip 172.20.1.0 0.0.0.255 any

Verify the created ACLs:
SWITCH_2(config)#do sh access-list
Extended IP access list IP_EMPTY
Extended IP access list R1_IP
    10 permit ip 172.20.3.0 0.0.0.255 any
    20 permit ip 10.0.0.0 0.255.255.255 any
    30 permit ip 172.20.2.0 0.0.0.255 any
    40 deny ip 172.20.1.0 0.0.0.255 any
Extended MAC access list ALL_ARP
    permit any any 0x806 0x0
Extended MAC access list MAC_EMPTY

There are no filters on VLAN 12 yet (see topology):
SWITCH_2(config)#do sh vlan filter

SWITCH_2(config)#

Configure a VLAN map as described in 2.1.
Configure VLAN map TEST-MAP without any ACL or action and apply this map to VLAN 12:
SWITCH_2(config)#vlan access-map TEST-MAP ?
  <0-65535>  Sequence to insert to/delete from existing vlan access-map entry
  <cr>
SWITCH_2(config)#vlan access-map TEST-MAP 10
SWITCH_2(config-access-map)#exit
SWITCH_2(config)#vlan filter TEST-MAP vlan-list 12
SWITCH_2(config)#end

Verify the VLAN map applied to VLAN 12:
SWITCH_2#sh vlan filter
VLAN Map TEST-MAP is filtering VLANs:
  12
SWITCH_2#

SWITCH_2#sh vlan access-map
Vlan access-map "TEST-MAP"  10
  Match clauses:
  Action:
    forward
SWITCH_2#
As you can see above, the default action is "forward" (see 6.1).

Connectivity test_2:
Let's test connectivity from R2:
R2#ping 10.1.1.1
!!!!!
R2#ping 172.20.1.1
!!!!!
R2#ping 172.20.2.1
!!!!!
R2#ping 172.20.3.1
!!!!!

Now apply only the empty MAC ACL to clause 10 of our VLAN map:
SWITCH_2(config)#vlan access-map TEST-MAP 10
SWITCH_2(config-access-map)#match mac address MAC_EMPTY
SWITCH_2(config-access-map)#exit
SWITCH_2(config)#do sh vlan access TEST-MAP
Vlan access-map "TEST-MAP"  10
  Match clauses:
    mac address: MAC_EMPTY
  Action:
    forward

Connectivity test_3:
R2#ping 10.1.1.1
!!!!!
R2#ping 172.20.1.1
!!!!!
R2#ping 172.20.2.1
!!!!!
R2#ping 172.20.3.1
!!!!!
As connectivity test_3 shows us, the empty MAC ACL doesn't filter any traffic (see 6.1 and ACL MAC_EMPTY).

Let's add the MAC ACL matching ARPs to our VLAN map:
SWITCH_2#conf t
SWITCH_2(config)#vlan access-map TEST-MAP 9
SWITCH_2(config-access-map)#match mac address ALL_ARP
SWITCH_2(config-access-map)#action drop
SWITCH_2(config-access-map)#exit
SWITCH_2(config)#do sh vlan access-map
Vlan access-map "TEST-MAP"  9
  Match clauses:
    mac address: ALL_ARP
  Action:
    drop
Vlan access-map "TEST-MAP"  10
  Match clauses:
    mac address: MAC_EMPTY
  Action:
    forward

Connectivity test_4:
R2#ping 10.1.1.1
!!!!!

Look at the ARP table on both routers and clear ARP on R1:
R2#sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.1               84   0000.0000.0002  ARPA   FastEthernet0/0
Internet  10.1.1.2                -   0000.0000.0001  ARPA   FastEthernet0/0

R1#sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.1                -   0000.0000.0002  ARPA   FastEthernet0/0
Internet  10.1.1.2               84   0000.0000.0001  ARPA   FastEthernet0/0

R1#clear ip arp 10.1.1.2
R1#
R1#sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.1                -   0000.0000.0002  ARPA   FastEthernet0/0


Connectivity test_5:
R2#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Now add a static ARP entry on both routers and test connectivity again:
R1(config)#arp 10.1.1.2 0000.0000.0001 ARPA

R2(config)#arp 10.1.1.1 0000.0000.0002 ARPA
R2(config)#end

Connectivity test_6:
R2#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/44/92 ms

Connectivity test_5 shows us that our ARP filter works well, and test_6 shows us that IP traffic wasn't filtered by our VLAN map, which is why all IP packets are forwarded after adding the static ARP entries (see 4.2).

Next we will delete the empty clause 10 and add the IP ACL to our VLAN map:

SWITCH_2(config)#no vlan access-map "TEST-MAP" 10
SWITCH_2(config)# vlan access-map "TEST-MAP" 10
SWITCH_2(config-access-map)#match ip address R1_IP
SWITCH_2(config-access-map)#action forward
SWITCH_2(config-access-map)#exit
SWITCH_2(config)#do sh vlan access-map
Vlan access-map "TEST-MAP"  9
  Match clauses:
    mac address: ALL_ARP
  Action:
    drop
Vlan access-map "TEST-MAP"  10
  Match clauses:
    ip  address: R1_IP
  Action:
    forward

Connectivity test_7:
R2#ping 10.1.1.1
!!!!!
R2#ping 172.20.1.1
.....
R2#ping 172.20.2.1
!!!!!
R2#ping 172.20.3.1
!!!!!

Connectivity test_7 shows us the implicit deny (see 5.1): traffic addressed to 172.20.1.1 is dropped because of ACL R1_IP's deny entry (see 4.1 and ACL R1_IP).

Now let me show you 3.1 and 3.2 in action.
In clause 10 we change the action to "drop":

SWITCH_2(config)#vlan access-map "TEST-MAP" 10
SWITCH_2(config-access-map)#action drop

Connectivity test_8:
R2#ping 10.1.1.1
.....
R2#ping 172.20.3.1
.....
R2#ping 172.20.2.1
.....
R2#ping 172.20.1.1
.....

As you can see, all packets to addresses permitted by IP ACL R1_IP were administratively dropped by the "drop" action of our VLAN map, and packets sent to 172.20.1.1 were dropped by the implicit deny of our map.

Configure an empty clause 15 to permit all packets that were not filtered before and send pings:
SWITCH_2(config)#vlan access-map "TEST-MAP" 15

Connectivity test_9
R2#ping 172.20.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.20.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Test_9 didn't show connectivity because the ICMP request was sent from address 10.1.1.2, a source permitted by ACL R1_IP and therefore dropped by clause 10 (we can see the source address in debugging_1):


debugging_1:
R2#deb ip packet
IP packet debugging is on
R2#ping 172.20.1.1 rep 1
*Mar 10 07:54:02.344: IP: tableid=0, s=10.1.1.2 (local), d=172.20.1.1 (FastEthernet0/0), routed via FIB
*Mar 10 07:54:02.348: IP: s=10.1.1.2 (local), d=172.20.1.1 (FastEthernet0/0), len 100, sending.
Success rate is 0 percent (0/1)


Configure interface Lo4 with IP address 172.20.1.2/32 on R2, add a static route to this address on R1 and see the result:

R2#conf t
R2(config)#int lo4
R2(config-if)#ip add
R2(config-if)#ip address 172.20.1.2 255.255.255.255

R1#conf t
R1(config)#ip route 172.20.1.2 255.255.255.255 10.1.1.2

Connectivity test_10:
R2#ping 172.20.1.1 source 172.20.1.2   <----<<<< (specify a source address so the traffic is not filtered by our VLAN map; see IP ACL R1_IP)
Packet sent with a source address of 172.20.1.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/37/80 ms
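The following is an added example and not part of the original post: a small Python model of rules 1.2, 3.1/3.2, 4.1/4.2, 5.1 and 6.1 that replays connectivity tests 7 to 10. The ACL entries and map sequences are copied from the lab above; the dict layout and the helper names (acl_lookup, vacl_ip, ping_ok) are my own assumptions, and only the IP side of the map is modelled.

```python
import ipaddress

# Constructed to mirror the lab: IP ACL entries are (action, source network),
# in the order they were entered on SWITCH_2.
R1_IP = [("permit", "172.20.3.0/24"), ("permit", "10.0.0.0/8"),
         ("permit", "172.20.2.0/24"), ("deny", "172.20.1.0/24")]

def acl_lookup(acl, src):
    """Action of the first matching entry, or None when no entry matches."""
    for action, net in acl:
        if ipaddress.ip_address(src) in ipaddress.ip_network(net):
            return action
    return None

def vacl_ip(vlan_map, src):
    """Decide 'forward' or 'drop' for an IP packet with source address src.
    vlan_map: {seq: {"ip": acl, "action": a}} for a 'match ip address' clause,
    {seq: {"mac": name, "action": a}} for a MAC-only clause, {seq: {"action": a}} for none."""
    has_ip_clause = any("ip" in c for c in vlan_map.values())
    for seq in sorted(vlan_map):
        clause = vlan_map[seq]
        if "ip" in clause:
            # 6.1: an empty ACL matches everything; 3.1: a permit entry takes the action
            if not clause["ip"] or acl_lookup(clause["ip"], src) == "permit":
                return clause["action"]
            continue                      # 3.2: deny (or no entry) -> next sequence
        if "mac" in clause:
            continue                      # 1.2: MAC clauses never match IP traffic
        return clause["action"]           # clause with no match at all matches every packet
    # 4.1 / 5.1: an IP match clause exists but nothing permitted the packet -> implicit deny
    # 4.2: no IP match clause anywhere in the map -> default forward
    return "drop" if has_ip_clause else "forward"

def ping_ok(vlan_map, src, dst):
    """A ping succeeds only if both the echo request and the echo reply cross VLAN 12."""
    return vacl_ip(vlan_map, src) == "forward" and vacl_ip(vlan_map, dst) == "forward"

# The lab's maps for test_7 (clause 10 forwards), test_8 (clause 10 drops) and
# test_9/test_10 (extra empty clause 15 that forwards).
MAP_7 = {9: {"mac": "ALL_ARP", "action": "drop"}, 10: {"ip": R1_IP, "action": "forward"}}
MAP_8 = {9: {"mac": "ALL_ARP", "action": "drop"}, 10: {"ip": R1_IP, "action": "drop"}}
MAP_9 = {**MAP_8, 15: {"action": "forward"}}

if __name__ == "__main__":
    for dst in ("10.1.1.1", "172.20.1.1", "172.20.2.1", "172.20.3.1"):
        print("test_7 ", dst, ping_ok(MAP_7, "10.1.1.2", dst))
    print("test_9 ", ping_ok(MAP_9, "10.1.1.2", "172.20.1.1"))
    print("test_10", ping_ok(MAP_9, "172.20.1.2", "172.20.1.1"))
```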

As I said at the beginning of this little lab, you cannot filter IP traffic with a MAC VLAN map by specifying Ethertype 0x0800. You also cannot filter traffic between two switches such as CDP/VTP/PAgP. It is not necessary to reapply the VLAN map filter every time you reconfigure it; at least I did not reapply it while labbing.
Everything shown and mentioned above you can test yourself.

Any comments will be useful.



Best regards!
Dmitriy Kravets.