I'm not sure why you can ping IPv6 addresses, but I can tell you why you can't ping the IPv4 ones...

IP packets are handled by different ASICs than "non-IP" packets are. MAC ACLs have no effect on IP packets no matter how hard you try.

So your IP packets are NOT matched by the ethertype 0x0800 even though you'd think it would. They're caught by the sequence 20 "match all" and "drop" set. So your ARPs work (as you see) but the IP traffic does not.

I would have expected IPv6 (ethertype 0x86DD) to have been dropped as well. *shrug*

So you'll need an IP ACL with permit ip any any to be added to your route-map if you want things to work.

HTH,

Scott

_____

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sharath Samanth
Sent: Saturday, June 07, 2008 3:07 PM
To: [email protected]
Subject: [OSL | CCIE_RS] Strange issues with VLAN Access Maps

Hi All,

I am facing strange issues with VLAN access-maps.

Objective: I am trying to make vlan 1 an IP only VLAN.

Configuration: I have configured the following MAC ACLs.

    mac access-list extended IEEE_STP
     permit any any 0x4242 0x0
    mac access-list extended IPARP
     permit any any 0x806 0x0
    mac access-list extended IPV4
     permit any any 0x800 0x0

The following is the VLAN Access Map

    vlan access-map P2F 10
     action forward
     match mac address IEEE_STP
    vlan access-map P2F 11
     action forward
     match mac address IPV4
    vlan access-map P2F 12
     action forward
     match mac address IPARP
    vlan access-map P2F 20
     action drop
    !
    vlan filter P2F vlan-list 1

The VLAN1 SVI is also configured with an IPV4 and IPV6 address.

    interface Vlan1
     ip address 192.168.1.7 255.255.255.0
     no ip route-cache
     ipv6 address 2001:210:10:1::3/64
     ipv6 enable
    end

Problem: Unable to ping IPV4 hosts connected to the Switch.

    3560#ping 192.168.1.1

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
    .....
    Success rate is 0 percent (0/5)

    3560#ping 192.168.1.2

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
    .....
    Success rate is 0 percent (0/5)

The ARP Cache in the Switch is populated with correct MAC addresses.

    3560#sh ip arp
    Protocol  Address          Age (min)  Hardware Addr   Type   Interface
    Internet  192.168.1.9             8   0016.d3e5.d3cb  ARPA   Vlan1
    Internet  192.168.1.1             1   cc00.1da0.0000  ARPA   Vlan1
    Internet  192.168.1.2             1   cc01.1da0.0000  ARPA   Vlan1
    Internet  192.168.1.7             -   001a.e3b5.0140  ARPA   Vlan1

What is surprising me is I can ping the IPV6 address without any issues.

    3560#ping ipv6 2001:210:10:1::1

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 2001:210:10:1::1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 0/6/17 ms

    3560#ping ipv6 2001:210:10:1::2

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 2001:210:10:1::2, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 0/13/33 ms

Why is the sequence #20 in the VLAN access-map not dropping the IPV6 frames? I also configured an explicit drop sequence matching the 0x86DD but nothing changes.

The Software image of the 3560 switch is:

    System image file is "flash:c3560-advipservicesk9-mz.122-44.SE2.bin"

Please let me know what I am missing in the configuration, or is this a bug that needs to be fixed?

Thanks in Advance

Sharath
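
Added example, not part of the original thread: the VLAN access-map from the question with sequence 11 matching an IP ACL instead of the MAC ACL, which is the change the reply recommends. The ACL name ALL_IPV4 is an assumed name; every other name and sequence number is taken from the posted configuration.

```cisco
! IP ACL for the IPv4 traffic that the MAC ACL "IPV4" (0x800) never matched.
! ALL_IPV4 is an assumed name, not from the thread.
ip access-list extended ALL_IPV4
 permit ip any any
!
! Before (from the question): IPv4 was expected to match a MAC ACL,
! did not, and fell through to sequence 20 "action drop".
!   vlan access-map P2F 11
!    action forward
!    match mac address IPV4
!
! After: remove the old entry and recreate sequence 11 with an IP match.
no vlan access-map P2F 11
vlan access-map P2F 11
 action forward
 match ip address ALL_IPV4
!
! Unchanged from the question: STP and ARP are non-IP frames, so they
! stay on MAC ACLs, and sequence 20 still drops whatever is left.
vlan access-map P2F 10
 action forward
 match mac address IEEE_STP
vlan access-map P2F 12
 action forward
 match mac address IPARP
vlan access-map P2F 20
 action drop
!
vlan filter P2F vlan-list 1
!
! The MAC ACL "IPV4" is no longer referenced and can be removed.
no mac access-list extended IPV4
!
! Check the result from exec mode:
!   show vlan access-map P2F
!   show vlan filter vlan 1
!   ping 192.168.1.1
```

`permit ip any any` forwards all IPv4 in VLAN 1; if the VLAN should carry only specific IPv4 flows, narrow the entries in ALL_IPV4 rather than the access-map.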
