any reason why my access-list will not show icmp hits when I ping from r1
to r2
when I remove the access-list ping fails as expected.
(real kit not gns)
Success rate is 100 percent (10000/10000), round-trip min/avg/max = 1/1/40
ms
R2#
Cat3550-1#show access-lists 100
Extended IP access list 100
10 permit ospf any any (14865 matches)
20 permit icmp any any
On 28 August 2012 16:18, Tony Singh <[email protected]> wrote:
>
>
> in the words of homer simpson - doh
>
> good lesson, how could i miss it was in the dsg!
>
> cheers all the same
>
>
> On 28 August 2012 15:48, Andy Sajous <[email protected]> wrote:
>
>> I think your missing a part on you MAC access-list. Looks like you
>> specified the ether type, but spanning tree is still failing because
>> you're
>> missing the LLC SNAP encapsulation (lsap).
>>
>> mac access-list extended FilterMe
>> permit any any 0x0806 0x0000
>> permit any any *lsap* 0xAAAA 0x0000
>>
>>
>>
>>
>>
>>
>> On Tue, Aug 28, 2012 at 9:28 AM, Tony Singh <[email protected]>
>> wrote:
>>
>> > Hi Experts
>> >
>> >
>> > Please forgive rather long winded email but need direction here.....
>> >
>> >
>> > *topology*
>> > R1 f0/0 > f0/1 CAT 1 (vlan 12)
>> > R2 f0/0 > f0/2 CAT 1 (vlan 12)
>> >
>> > *issue*
>> > 01:50:21: %SW_MATM-4-MACFLAP_NOTIF: Host 001c.f691.a0f8 in vlan 12 is
>> > flapping between port Po13 and port Po12
>> > 01:50:21: %SW_MATM-4-MACFLAP_NOTIF: Host 001c.58a7.d388 in vlan 12 is
>> > flapping between port Po14 and port Po12
>> >
>> > these flapps continue across all ether channels....
>> >
>> >
>> > *R1#show ip arp *
>> > Internet 150.100.12.1 - 001c.58a7.d388 ARPA
>> > FastEthernet0/0
>> > Internet 150.100.12.2 0 Incomplete ARPA
>> >
>> > *R2#show ip arp*
>> > Protocol Address Age (min) Hardware Addr Type Interface
>> > Internet 150.100.12.1 0 001c.58a7.d388 ARPA
>> > FastEthernet0/0
>> > Internet 150.100.12.2 - 001c.f691.a0f8 ARPA
>> > FastEthernet0/0
>> >
>> > one end of either router's arp is always incomplete
>> >
>> > checked all ends, encaps is arpa with full-duplex 100mb/s
>> >
>> > *CAT1*
>> > access-list 100 permit icmp any any
>> > access-list 100 permit ospf any any
>> >
>> > mac access-list extended MAC
>> > *permit mac any any 0x0806 0x0000 <<< permitted arp*
>> > *permit mac any any 0xAAAA 0x0000 * *<<< **permitted **stp
>> for
>> > dot1q trunks*
>> >
>> > mac access-map LAB2-26 10
>> > match mac address MAC
>> > action forward
>> > mac access-map LAB2-26 20
>> > match ip address 100
>> > action forward
>> > mac access-map LAB2-26 30
>> > action drop
>> >
>> > vlan filter LAB2-26 vlan-list 12
>> >
>> >
>> >
>> >
>> >
>> > looking further into spanning-tree....
>> >
>> >
>> >
>> >
>> > *Cat3550-1#show spanning-tree vlan 12*
>> >
>> > VLAN0012
>> > Spanning tree enabled protocol ieee
>> > Root ID Priority 32780
>> > Address 0016.c8cf.8d80
>> > This bridge is the root
>> > Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
>> >
>> > Bridge ID Priority 32780 (priority 32768 sys-id-ext 12)
>> > Address 0016.c8cf.8d80
>> > Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
>> > Aging Time 300
>> >
>> > Interface Role Sts Cost Prio.Nbr Type
>> > ------------------- ---- --- --------- --------
>> > --------------------------------
>> > Gi0/1 Desg FWD 4 128.1 P2p
>> > Fa0/1 Desg FWD 19 128.3 P2p
>> > Fa0/2 Desg FWD 19 128.4 P2p
>> > Po12 Desg FWD 12 128.144 P2p
>> > Po13 Desg FWD 12 128.152 P2p
>> > Po14 Desg FWD 12 128.160 P2p
>> >
>> >
>> >
>> >
>> >
>> > *Cat3560-2#show spanning-tree vlan 12*
>> >
>> > VLAN0012
>> > Spanning tree enabled protocol ieee
>> > Root ID Priority 32780
>> > Address 0016.c8bc.1100
>> > This bridge is the root
>> > Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
>> >
>> > Bridge ID Priority 32780 (priority 32768 sys-id-ext 12)
>> > Address 0016.c8bc.1100
>> > Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
>> > Aging Time 300
>> >
>> > Interface Role Sts Cost Prio.Nbr Type
>> > ------------------- ---- --- --------- --------
>> > --------------------------------
>> > Gi0/1 Desg FWD 4 128.1 P2p
>> > Po12 Desg FWD 12 128.144 P2p
>> > Po23 Desg FWD 12 128.232 P2p
>> > Po24 Desg FWD 12 128.240 P2p
>> >
>> >
>> >
>> > *cat1*
>> > VLAN0012 32780 0016.c8cf.8d80 0 2 20 15
>> >
>> > *cat2*
>> > VLAN0012 32780 0016.c8bc.1100 0 2 20 15
>> >
>> >
>> > *so both switches think there the root for vlan 12*
>> >
>> >
>> >
>> > resolved by issuing
>> >
>> > *Cat3550-1(config)#spanning-tree vlan 12 root primary*
>> >
>> >
>> >
>> >
>> >
>> > but why does the election not agree when cat2 bridge id is lower
>> (priority
>> > is default) obviously cat 2 tries to become the root by right, but then
>> why
>> > does cat1?
>> >
>> >
>> > *Bridge ID's*
>> > *
>> > *
>> > *cat 1 vlan 12*
>> > 0016.c8cf.8d80
>> > *
>> > *
>> > *cat 2 vlan 12*
>> > 0016.c8bc.1100 *<<<<---- should be the winner & IS when no mac
>> > access-list/vlan filter is applied*
>> >
>> >
>> > looking further into vlan 12
>> >
>> >
>> > *---------------WITH MAC ACCESS-LIST & ROOT PRIORITY PRIMARY SET ON
>> > CAT1-----------------*
>> >
>> >
>> > *debugging whilst this is happening*
>> >
>> > 05:25:34: STP: VLAN0012 heard root 32780-0016.c8cf.8d80 on Po12
>> > 05:25:34: STP(12) port Po12 supersedes 19
>> >
>> >
>> > *Cat3550-1#show spanning-tree vlan 12*
>> >
>> > VLAN0012
>> > Spanning tree enabled protocol ieee
>> > Root ID Priority 24588
>> > Address 0016.c8cf.8d80
>> > This bridge is the root
>> > Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
>> >
>> > Bridge ID Priority 24588 (priority 24576 sys-id-ext 12)
>> > Address 0016.c8cf.8d80
>> > Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
>> > Aging Time 300
>> >
>> > Interface Role Sts Cost Prio.Nbr Type
>> > ------------------- ---- --- --------- --------
>> > --------------------------------
>> > Gi0/1 Desg FWD 4 128.1 P2p
>> > Fa0/1 Desg FWD 19 128.3 P2p
>> > Fa0/2 Desg FWD 19 128.4 P2p
>> > *Po12 Desg FWD 12 128.144 P2p *
>> > Po13 Desg FWD 12 128.152 P2p
>> >
>> >
>> > *Cat3560-2#show spanning-tree vlan 12*
>> >
>> > VLAN0012
>> > Spanning tree enabled protocol ieee
>> > Root ID Priority 24588
>> > Address 0016.c8cf.8d80
>> > Cost 4
>> > Port 1 (GigabitEthernet0/1)
>> > Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
>> >
>> > Bridge ID Priority 32780 (priority 32768 sys-id-ext 12)
>> > Address 0016.c8bc.1100
>> > Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
>> > Aging Time 300
>> >
>> > Interface Role Sts Cost Prio.Nbr Type
>> > ------------------- ---- --- --------- --------
>> > --------------------------------
>> > Gi0/1 Root FWD 4 128.1 P2p
>> > *Po12 Altn BLK 12 128.144 P2p *
>> > Po23 Desg FWD 12 128.232 P2p
>> > Po24 Desg FWD 12 128.240 P2p
>> >
>> >
>> >
>> >
>> >
>> > *-------------------------------WITHOUT MAC ACCESS-LIST & WITHOUT **ROOT
>> > PRIORITY PRIMARY SET ON CAT1-**------------*
>> >
>> >
>> > *Cat3550-1#show spanning-tree vlan 12*
>> >
>> > VLAN0012
>> > Spanning tree enabled protocol ieee
>> > Root ID Priority 32780
>> > Address 0016.c8bc.1100
>> > Cost 4
>> > Port 1 (GigabitEthernet0/1)
>> > Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
>> >
>> > Bridge ID Priority 32780 (priority 32768 sys-id-ext 12)
>> > Address 0016.c8cf.8d80
>> > Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
>> > Aging Time 15
>> >
>> > Interface Role Sts Cost Prio.Nbr Type
>> > ------------------- ---- --- --------- --------
>> > --------------------------------
>> > Gi0/1 Root FWD 4 128.1 P2p
>> > Fa0/1 Desg FWD 19 128.3 P2p
>> > Fa0/2 Desg FWD 19 128.4 P2p
>> > *Po12 Altn BLK 12 128.144 P2p *
>> > Po13 Desg FWD 12 128.152 P2p
>> > Po14 Desg FWD 12 128.160 P2p
>> >
>> >
>> > *Cat3560-2#show spanning-tree vlan 12*
>> >
>> > VLAN0012
>> > Spanning tree enabled protocol ieee
>> > Root ID Priority 32780
>> > Address 0016.c8bc.1100
>> > This bridge is the root
>> > Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
>> >
>> > Bridge ID Priority 32780 (priority 32768 sys-id-ext 12)
>> > Address 0016.c8bc.1100
>> > Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
>> > Aging Time 15
>> >
>> > Interface Role Sts Cost Prio.Nbr Type
>> > ------------------- ---- --- --------- --------
>> > --------------------------------
>> > Gi0/1 Desg FWD 4 128.1 P2p
>> > *Po12 Desg FWD 12 128.144 P2p *
>> > Po23 Desg FWD 12 128.232 P2p
>> > Po24 Desg FWD 12 128.240 P2p
>> >
>> >
>> >
>> > *+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*
>> > *debugging on CAT2 whilst mac access-list is applied to CAT1 & NO
>> > **spanning-tree
>> > vlan 12 root primary*
>> >
>> > 05:25:34: STP: VLAN0012 heard root 32780-0016.c8cf.8d80 on Po12
>> > 05:25:34: STP(12) port Po12 supersedes 19
>> >
>> > here's my thinking....
>> > cat1 says my cost is 12 for vlan 12 via Po12 ; cat2 relays this message
>> > saying 12 supersedes 19 but then where does it get cost of 19 from?
>> > *+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*
>> > *
>> > *
>> >
>> >
>> > what gives i'm confused.com , I know I can resolve the above by running
>> > root primary for vlan 12 on CAT1 but need to understand why this default
>> > behaviour as this lab task clearly asks that I implement this mac
>> > access-list, would this happen in the IE lab ?
>> >
>> >
>> > Tony
>> > _______________________________________________
>> > For more information regarding industry leading CCIE Lab training,
>> please
>> > visit www.ipexpert.com
>> >
>> > Are you a CCNP or CCIE and looking for a job? Check out
>> > www.PlatinumPlacement.com
>> >
>> > http://onlinestudylist.com/mailman/listinfo/ccie_rs
>> >
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out
>> www.PlatinumPlacement.com
>>
>> http://onlinestudylist.com/mailman/listinfo/ccie_rs
>>
>
>
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com
http://onlinestudylist.com/mailman/listinfo/ccie_rs
