what about adding,

mac access-list extended MAC
permit mac 0x0806 0x0000 any any

JS

On Tue, Aug 28, 2012 at 10:21 AM, Tony Singh <[email protected]> wrote:

> any reason why my access-list will not show icmp hits when I ping from r1 to r2
>
> when I remove the access-list ping fails as expected.
>
> (real kit not gns)
>
> Success rate is 100 percent (10000/10000), round-trip min/avg/max = 1/1/40 ms
> R2#
>
> Cat3550-1#show access-lists 100
> Extended IP access list 100
>     10 permit ospf any any (14865 matches)
>     20 permit icmp any any
>
> On 28 August 2012 16:18, Tony Singh <[email protected]> wrote:
>
> > in the words of homer simpson - doh
> >
> > good lesson, how could i miss it was in the dsg!
> >
> > cheers all the same
> >
> > On 28 August 2012 15:48, Andy Sajous <[email protected]> wrote:
> >
> >> I think you're missing a part on your MAC access-list. Looks like you
> >> specified the ether type, but spanning tree is still failing because you're
> >> missing the LLC SNAP encapsulation (lsap).
> >>
> >> mac access-list extended FilterMe
> >> permit any any 0x0806 0x0000
> >> permit any any *lsap* 0xAAAA 0x0000
> >>
> >> On Tue, Aug 28, 2012 at 9:28 AM, Tony Singh <[email protected]> wrote:
> >>
> >> > Hi Experts
> >> >
> >> > Please forgive rather long winded email but need direction here.....
> >> >
> >> > *topology*
> >> > R1 f0/0 > f0/1 CAT 1 (vlan 12)
> >> > R2 f0/0 > f0/2 CAT 1 (vlan 12)
> >> >
> >> > *issue*
> >> > 01:50:21: %SW_MATM-4-MACFLAP_NOTIF: Host 001c.f691.a0f8 in vlan 12 is flapping between port Po13 and port Po12
> >> > 01:50:21: %SW_MATM-4-MACFLAP_NOTIF: Host 001c.58a7.d388 in vlan 12 is flapping between port Po14 and port Po12
> >> >
> >> > these flaps continue across all ether channels....
> >> >
> >> > *R1#show ip arp*
> >> > Internet  150.100.12.1   -   001c.58a7.d388  ARPA  FastEthernet0/0
> >> > Internet  150.100.12.2   0   Incomplete      ARPA
> >> >
> >> > *R2#show ip arp*
> >> > Protocol  Address        Age (min)  Hardware Addr   Type  Interface
> >> > Internet  150.100.12.1   0          001c.58a7.d388  ARPA  FastEthernet0/0
> >> > Internet  150.100.12.2   -          001c.f691.a0f8  ARPA  FastEthernet0/0
> >> >
> >> > one end of either router's arp is always incomplete
> >> >
> >> > checked all ends, encaps is arpa with full-duplex 100mb/s
> >> >
> >> > *CAT1*
> >> > access-list 100 permit icmp any any
> >> > access-list 100 permit ospf any any
> >> >
> >> > mac access-list extended MAC
> >> > *permit mac any any 0x0806 0x0000 <<< permitted arp*
> >> > *permit mac any any 0xAAAA 0x0000 <<< permitted stp for dot1q trunks*
> >> >
> >> > mac access-map LAB2-26 10
> >> > match mac address MAC
> >> > action forward
> >> > mac access-map LAB2-26 20
> >> > match ip address 100
> >> > action forward
> >> > mac access-map LAB2-26 30
> >> > action drop
> >> >
> >> > vlan filter LAB2-26 vlan-list 12
> >> >
> >> > looking further into spanning-tree....
> >> >
> >> > *Cat3550-1#show spanning-tree vlan 12*
> >> >
> >> > VLAN0012
> >> >   Spanning tree enabled protocol ieee
> >> >   Root ID    Priority    32780
> >> >              Address     0016.c8cf.8d80
> >> >              This bridge is the root
> >> >              Hello Time 2 sec  Max Age 20 sec  Forward Delay 15 sec
> >> >
> >> >   Bridge ID  Priority    32780 (priority 32768 sys-id-ext 12)
> >> >              Address     0016.c8cf.8d80
> >> >              Hello Time 2 sec  Max Age 20 sec  Forward Delay 15 sec
> >> >              Aging Time 300
> >> >
> >> > Interface           Role Sts Cost      Prio.Nbr Type
> >> > ------------------- ---- --- --------- -------- --------------------------------
> >> > Gi0/1               Desg FWD 4         128.1    P2p
> >> > Fa0/1               Desg FWD 19        128.3    P2p
> >> > Fa0/2               Desg FWD 19        128.4    P2p
> >> > Po12                Desg FWD 12        128.144  P2p
> >> > Po13                Desg FWD 12        128.152  P2p
> >> > Po14                Desg FWD 12        128.160  P2p
> >> >
> >> > *Cat3560-2#show spanning-tree vlan 12*
> >> >
> >> > VLAN0012
> >> >   Spanning tree enabled protocol ieee
> >> >   Root ID    Priority    32780
> >> >              Address     0016.c8bc.1100
> >> >              This bridge is the root
> >> >              Hello Time 2 sec  Max Age 20 sec  Forward Delay 15 sec
> >> >
> >> >   Bridge ID  Priority    32780 (priority 32768 sys-id-ext 12)
> >> >              Address     0016.c8bc.1100
> >> >              Hello Time 2 sec  Max Age 20 sec  Forward Delay 15 sec
> >> >              Aging Time 300
> >> >
> >> > Interface           Role Sts Cost      Prio.Nbr Type
> >> > ------------------- ---- --- --------- -------- --------------------------------
> >> > Gi0/1               Desg FWD 4         128.1    P2p
> >> > Po12                Desg FWD 12        128.144  P2p
> >> > Po23                Desg FWD 12        128.232  P2p
> >> > Po24                Desg FWD 12        128.240  P2p
> >> >
> >> > *cat1*
> >> > VLAN0012 32780 0016.c8cf.8d80 0 2 20 15
> >> >
> >> > *cat2*
> >> > VLAN0012 32780 0016.c8bc.1100 0 2 20 15
> >> >
> >> > *so both switches think they're the root for vlan 12*
> >> >
> >> > resolved by issuing
> >> >
> >> > *Cat3550-1(config)#spanning-tree vlan 12 root primary*
> >> >
> >> > but why does the election not agree when cat2 bridge id is lower (priority
> >> > is default) obviously cat 2 tries to become the root by right, but then why
> >> > does cat1?
> >> >
> >> > *Bridge IDs*
> >> >
> >> > *cat 1 vlan 12*
> >> > 0016.c8cf.8d80
> >> >
> >> > *cat 2 vlan 12*
> >> > 0016.c8bc.1100 *<<<<---- should be the winner & IS when no mac access-list/vlan filter is applied*
> >> >
> >> > looking further into vlan 12
> >> >
> >> > *---------------WITH MAC ACCESS-LIST & ROOT PRIORITY PRIMARY SET ON CAT1-----------------*
> >> >
> >> > *debugging whilst this is happening*
> >> >
> >> > 05:25:34: STP: VLAN0012 heard root 32780-0016.c8cf.8d80 on Po12
> >> > 05:25:34: STP(12) port Po12 supersedes 19
> >> >
> >> > *Cat3550-1#show spanning-tree vlan 12*
> >> >
> >> > VLAN0012
> >> >   Spanning tree enabled protocol ieee
> >> >   Root ID    Priority    24588
> >> >              Address     0016.c8cf.8d80
> >> >              This bridge is the root
> >> >              Hello Time 2 sec  Max Age 20 sec  Forward Delay 15 sec
> >> >
> >> >   Bridge ID  Priority    24588 (priority 24576 sys-id-ext 12)
> >> >              Address     0016.c8cf.8d80
> >> >              Hello Time 2 sec  Max Age 20 sec  Forward Delay 15 sec
> >> >              Aging Time 300
> >> >
> >> > Interface           Role Sts Cost      Prio.Nbr Type
> >> > ------------------- ---- --- --------- -------- --------------------------------
> >> > Gi0/1               Desg FWD 4         128.1    P2p
> >> > Fa0/1               Desg FWD 19        128.3    P2p
> >> > Fa0/2               Desg FWD 19        128.4    P2p
> >> > *Po12               Desg FWD 12        128.144  P2p*
> >> > Po13                Desg FWD 12        128.152  P2p
> >> >
> >> > *Cat3560-2#show spanning-tree vlan 12*
> >> >
> >> > VLAN0012
> >> >   Spanning tree enabled protocol ieee
> >> >   Root ID    Priority    24588
> >> >              Address     0016.c8cf.8d80
> >> >              Cost        4
> >> >              Port        1 (GigabitEthernet0/1)
> >> >              Hello Time 2 sec  Max Age 20 sec  Forward Delay 15 sec
> >> >
> >> >   Bridge ID  Priority    32780 (priority 32768 sys-id-ext 12)
> >> >              Address     0016.c8bc.1100
> >> >              Hello Time 2 sec  Max Age 20 sec  Forward Delay 15 sec
> >> >              Aging Time 300
> >> >
> >> > Interface           Role Sts Cost      Prio.Nbr Type
> >> > ------------------- ---- --- --------- -------- --------------------------------
> >> > Gi0/1               Root FWD 4         128.1    P2p
> >> > *Po12               Altn BLK 12        128.144  P2p*
> >> > Po23                Desg FWD 12        128.232  P2p
> >> > Po24                Desg FWD 12        128.240  P2p
> >> >
> >> > *-------------------------------WITHOUT MAC ACCESS-LIST & WITHOUT ROOT PRIORITY PRIMARY SET ON CAT1------------*
> >> >
> >> > *Cat3550-1#show spanning-tree vlan 12*
> >> >
> >> > VLAN0012
> >> >   Spanning tree enabled protocol ieee
> >> >   Root ID    Priority    32780
> >> >              Address     0016.c8bc.1100
> >> >              Cost        4
> >> >              Port        1 (GigabitEthernet0/1)
> >> >              Hello Time 2 sec  Max Age 20 sec  Forward Delay 15 sec
> >> >
> >> >   Bridge ID  Priority    32780 (priority 32768 sys-id-ext 12)
> >> >              Address     0016.c8cf.8d80
> >> >              Hello Time 2 sec  Max Age 20 sec  Forward Delay 15 sec
> >> >              Aging Time 15
> >> >
> >> > Interface           Role Sts Cost      Prio.Nbr Type
> >> > ------------------- ---- --- --------- -------- --------------------------------
> >> > Gi0/1               Root FWD 4         128.1    P2p
> >> > Fa0/1               Desg FWD 19        128.3    P2p
> >> > Fa0/2               Desg FWD 19        128.4    P2p
> >> > *Po12               Altn BLK 12        128.144  P2p*
> >> > Po13                Desg FWD 12        128.152  P2p
> >> > Po14                Desg FWD 12        128.160  P2p
> >> >
> >> > *Cat3560-2#show spanning-tree vlan 12*
> >> >
> >> > VLAN0012
> >> >   Spanning tree enabled protocol ieee
> >> >   Root ID    Priority    32780
> >> >              Address     0016.c8bc.1100
> >> >              This bridge is the root
> >> >              Hello Time 2 sec  Max Age 20 sec  Forward Delay 15 sec
> >> >
> >> >   Bridge ID  Priority    32780 (priority 32768 sys-id-ext 12)
> >> >              Address     0016.c8bc.1100
> >> >              Hello Time 2 sec  Max Age 20 sec  Forward Delay 15 sec
> >> >              Aging Time 15
> >> >
> >> > Interface           Role Sts Cost      Prio.Nbr Type
> >> > ------------------- ---- --- --------- -------- --------------------------------
> >> > Gi0/1               Desg FWD 4         128.1    P2p
> >> > *Po12               Desg FWD 12        128.144  P2p*
> >> > Po23                Desg FWD 12        128.232  P2p
> >> > Po24                Desg FWD 12        128.240  P2p
> >> >
> >> > *+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*
> >> > *debugging on CAT2 whilst mac access-list is applied to CAT1 & NO spanning-tree vlan 12 root primary*
> >> >
> >> > 05:25:34: STP: VLAN0012 heard root 32780-0016.c8cf.8d80 on Po12
> >> > 05:25:34: STP(12) port Po12 supersedes 19
> >> >
> >> > here's my thinking....
> >> > cat1 says my cost is 12 for vlan 12 via Po12 ; cat2 relays this message
> >> > saying 12 supersedes 19 but then where does it get cost of 19 from?
> >> > *+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*
> >> >
> >> > what gives i'm confused.com, I know I can resolve the above by running
> >> > root primary for vlan 12 on CAT1 but need to understand why this default
> >> > behaviour as this lab task clearly asks that I implement this mac
> >> > access-list, would this happen in the IE lab ?
> >> >
> >> > Tony
> >> > _______________________________________________
> >> > For more information regarding industry leading CCIE Lab training, please
> >> > visit www.ipexpert.com
> >> >
> >> > Are you a CCNP or CCIE and looking for a job? Check out
> >> > www.PlatinumPlacement.com
> >> >
> >> > http://onlinestudylist.com/mailman/listinfo/ccie_rs
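
Added example (not part of the thread and not Cisco's implementation): a simplified Python model of the LAB2-26 filter from the original post, run against constructed frames, showing why an EtherType entry for 0xAAAA does not match SNAP-encapsulated BPDUs while the `lsap` entry suggested in the reply does. The rule tuples, the don't-care mask handling and the sample frames are assumptions made for illustration.

```python
import struct

def eth2(dst, src, ethertype, payload=b""):
    """Ethernet II frame: bytes 12-13 carry an EtherType (>= 0x0600)."""
    return dst + src + struct.pack("!H", ethertype) + payload

def llc(dst, src, dsap, ssap, payload=b""):
    """802.3 frame: bytes 12-13 carry a length, then DSAP/SSAP/control."""
    body = bytes([dsap, ssap, 0x03]) + payload
    return dst + src + struct.pack("!H", len(body)) + body

def ipv4(proto):
    """Minimal constructed IPv4 header; only the protocol byte (offset 9) is used."""
    return bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, proto]) + bytes(10)

def classify(frame):
    """Return ('ethertype', value) or ('lsap', dsap << 8 | ssap)."""
    (type_len,) = struct.unpack("!H", frame[12:14])
    if type_len >= 0x0600:
        return "ethertype", type_len
    return "lsap", (frame[14] << 8) | frame[15]

def vlan_map(frame, mac_rules):
    """Assumed model of LAB2-26: seq 10 = MAC ACL, seq 20 = ACL 100, seq 30 = drop."""
    kind, value = classify(frame)
    # A rule is (kind, value, mask); mask bits are treated as don't-care bits.
    if any(k == kind and (value | m) == (v | m) for k, v, m in mac_rules):
        return "10 forward"
    if kind == "ethertype" and value == 0x0800 and frame[14 + 9] in (1, 89):
        return "20 forward"  # ACL 100 permits icmp (1) and ospf (89)
    return "30 drop"

SRC = bytes.fromhex("0016c8cf8d80")
FRAMES = {  # constructed samples, not captures from the lab
    "arp": eth2(b"\xff" * 6, SRC, 0x0806),
    "icmp": eth2(bytes.fromhex("001cf691a0f8"), SRC, 0x0800, ipv4(1)),
    "pvst_bpdu": llc(bytes.fromhex("01000ccccccd"), SRC, 0xAA, 0xAA),
    "ieee_bpdu": llc(bytes.fromhex("0180c2000000"), SRC, 0x42, 0x42),
}
POSTED = [("ethertype", 0x0806, 0), ("ethertype", 0xAAAA, 0)]
SUGGESTED = [("ethertype", 0x0806, 0), ("lsap", 0xAAAA, 0)]

def verdicts(mac_rules):
    return {name: vlan_map(f, mac_rules) for name, f in FRAMES.items()}

if __name__ == "__main__":
    for label, rules in (("posted", POSTED), ("suggested", SUGGESTED)):
        print(label, verdicts(rules))
```

In this model the untagged IEEE BPDU (LSAP 0x4242) reaches the final drop entry under both lists, which is the kind of control-plane side effect worth checking before a VLAN filter ends in `action drop`.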
