Monday, November 24, 2008

Filtering L2 Traffic

MAC access-lists can be used to match traffic by Layer 2 characteristics (source and destination MAC address, EtherType, LSAP or CoS value). In turn, the matched traffic can be forwarded or dropped using VLAN ACLs (VACLs).

For example, the EtherType and other match keywords available in a MAC ACL include the following:

aarp EtherType: AppleTalk ARP
amber EtherType: DEC-Amber
appletalk EtherType: AppleTalk/EtherTalk
cos CoS value
dec-spanning EtherType: DEC-Spanning-Tree
decnet-iv EtherType: DECnet Phase IV
diagnostic EtherType: DEC-Diagnostic
dsm EtherType: DEC-DSM
etype-6000 EtherType: 0x6000
etype-8042 EtherType: 0x8042
lat EtherType: DEC-LAT
lavc-sca EtherType: DEC-LAVC-SCA
lsap LSAP value
mop-console EtherType: DEC-MOP Remote Console
mop-dump EtherType: DEC-MOP Dump
msdos EtherType: DEC-MSDOS
mumps EtherType: DEC-MUMPS
netbios EtherType: DEC-NETBIOS
vines-echo EtherType: VINES Echo
vines-ip EtherType: VINES IP
xns-idp EtherType: XNS IDP

By way of an example, I will filter all DEC diagnostic traffic from VLAN 10...

mac access-list extended RICH
 ! the IOS keyword is "diagnostic" (DEC-Diagnostic EtherType), as in the list above
 permit any any diagnostic

! sequence 10: frames matched by the RICH ACL are dropped
vlan access-map TEST 10
 match mac address RICH
 action drop
! sequence 20: no match clause, so every other frame is forwarded
! (a VACL drops any frame that matches no entry, so this catch-all is required)
vlan access-map TEST 20
 action forward

vlan filter TEST vlan-list 10
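To make the VACL evaluation order concrete, here is an added Python model of the configuration above; it is example code written for this post, not IOS or anything from the original, and the EtherType values for the keywords are an assumed subset taken from the public EtherType registry. It parses constructed Ethernet II frames (with or without an 802.1Q tag), evaluates the MAC ACL and the access map in sequence order, applies the map only to the VLAN named in the filter, and shows that leaving out the catch-all "action forward" entry drops everything on that VLAN.

```python
import struct

# Constructed subset of IOS MAC-ACL EtherType keywords mapped to wire values
# (assumed mapping from the public EtherType registry; the post lists only names).
ETHERTYPES = {
    "diagnostic": 0x6005,   # DEC-Diagnostic
    "mop-console": 0x6002,  # DEC-MOP Remote Console
    "decnet-iv": 0x6003,    # DECnet Phase IV
    "lat": 0x6004,          # DEC-LAT
    "appletalk": 0x809B,    # AppleTalk/EtherTalk
    "aarp": 0x80F3,         # AppleTalk ARP
    "xns-idp": 0x0600,      # XNS IDP
}
DOT1Q = 0x8100
ETH_HDR = struct.Struct("!6s6sH")   # dst MAC, src MAC, EtherType (or 802.1Q TPID)


def build_frame(dst, src, etype, vlan=None, payload=b"\x00" * 46):
    """Build an Ethernet II frame, optionally with one 802.1Q tag (constructed input)."""
    if vlan is None:
        return ETH_HDR.pack(dst, src, etype) + payload
    return ETH_HDR.pack(dst, src, DOT1Q) + struct.pack("!HH", vlan & 0x0FFF, etype) + payload


def parse_frame(frame):
    """Return (dst, src, vlan, ethertype); vlan is None for untagged frames."""
    if len(frame) < ETH_HDR.size:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, etype = ETH_HDR.unpack_from(frame)
    vlan = None
    if etype == DOT1Q:
        if len(frame) < ETH_HDR.size + 4:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack_from("!HH", frame, ETH_HDR.size)
        vlan = tci & 0x0FFF
    return dst, src, vlan, etype


def mac_acl_permits(acl, etype):
    """MAC ACL semantics: ordered (action, keyword) entries, first match wins,
    keyword None means any EtherType, implicit deny at the end."""
    for action, keyword in acl:
        if keyword is None or ETHERTYPES[keyword] == etype:
            return action == "permit"
    return False


def vacl_action(access_map, etype):
    """VACL semantics: entries evaluated in sequence order; an entry without a
    match clause matches every frame; a frame matching no entry is dropped."""
    for _seq, acl, action in sorted(access_map, key=lambda e: e[0]):
        if acl is None or mac_acl_permits(acl, etype):
            return action
    return "drop"


def switch_decision(vlan_filters, frame):
    """Apply 'vlan filter <map> vlan-list <n>': only VLANs with a map are filtered."""
    _, _, vlan, etype = parse_frame(frame)
    access_map = vlan_filters.get(vlan)
    if access_map is None:
        return "forward"
    return vacl_action(access_map, etype)


# The post's configuration expressed in the model above.
RICH = [("permit", "diagnostic")]                    # mac access-list extended RICH
TEST = [(10, RICH, "drop"), (20, None, "forward")]   # vlan access-map TEST 10 / 20
VLAN_FILTERS = {10: TEST}                            # vlan filter TEST vlan-list 10

# Same map with the catch-all forward entry left out, to show the implicit drop.
TEST_NO_CATCHALL = [(10, RICH, "drop")]

BCAST = b"\xff" * 6
HOST_A = bytes.fromhex("0011223344aa")   # constructed source MAC

FRAMES = {   # constructed sample frames
    "dec-diag-vlan10": build_frame(BCAST, HOST_A, ETHERTYPES["diagnostic"], vlan=10),
    "ipv4-vlan10": build_frame(BCAST, HOST_A, 0x0800, vlan=10),
    "dec-diag-vlan20": build_frame(BCAST, HOST_A, ETHERTYPES["diagnostic"], vlan=20),
}


def classify(vlan_filters, frames=FRAMES):
    """Return {frame name: decision} for each constructed frame."""
    return {name: switch_decision(vlan_filters, f) for name, f in frames.items()}


if __name__ == "__main__":
    for name, decision in classify(VLAN_FILTERS).items():
        print(f"{name:18} -> {decision}")
    print("without catch-all:", classify({10: TEST_NO_CATCHALL}))
```

Running it shows the DEC diagnostic frame on VLAN 10 dropped, IPv4 on VLAN 10 forwarded, and the same DEC frame on VLAN 20 forwarded because no filter is applied there; with TEST_NO_CATCHALL every frame on VLAN 10 is dropped, which is the mistake to check for when a VACL unexpectedly blackholes a VLAN.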
