Hi All,

I am facing strange issues with VLAN access-maps.

*Objective:*
I am trying to make vlan 1 an IP only VLAN.

*Configuration:*
I have configured the following MAC ACLs.

mac access-list extended IEEE_STP
 permit any any 0x4242 0x0

mac access-list extended IPARP
 permit any any 0x806 0x0

mac access-list extended IPV4
 permit any any 0x800 0x0

The following is the VLAN Access Map

vlan access-map P2F 10
 action forward
 match mac address IEEE_STP
vlan access-map P2F 11
 action forward
 match mac address IPV4
vlan access-map P2F 12
 action forward
 match mac address IPARP
vlan access-map P2F 20
 action drop
!
vlan filter P2F vlan-list 1

The VLAN1 SVI is also configured with an IPV4 and IPV6 address.

interface Vlan1
 ip address 192.168.1.7 255.255.255.0
 no ip route-cache
 ipv6 address 2001:210:10:1::3/64
 ipv6 enable
end

Problem:
Unable to ping IPV4 hosts connected to the Switch.

3560#ping 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
3560#ping 192.168.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

The ARP Cache in the Switch is populated with correct MAC addresses.

3560#sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.9             8   0016.d3e5.d3cb  ARPA   Vlan1
Internet  192.168.1.1             1   cc00.1da0.0000  ARPA   Vlan1
Internet  192.168.1.2             1   cc01.1da0.0000  ARPA   Vlan1
Internet  192.168.1.7             -   001a.e3b5.0140  ARPA   Vlan1

What is surprising me is I can ping the IPV6 address without any issues.

3560#ping ipv6 2001:210:10:1::1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:210:10:1::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/6/17 ms
3560#ping ipv6 2001:210:10:1::2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:210:10:1::2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/13/33 ms

Why is sequence #20 in the VLAN access-map not dropping the IPV6 frames?
I also configured an explicit drop sequence matching 0x86DD, but nothing
changes.

The Software image of the 3560 switch is:
System image file is "flash:c3560-advipservicesk9-mz.122-44.SE2.bin"
Please let me know what I am missing in the configuration.
Or is this a bug that needs to be fixed?

Thanks in Advance
Sharath
