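■Test 1: Use a VACL to deny ARP packets from a specific PC (Host C) on vlan101
    ⇒Apply the mac access-list to vlan101 with a VACL
    ⇒Check the arp table on the specific PC (Host C)
    ⇒Ping the Linux terminal from the specific PC (Host C)
    ⇒Check the arp table on the specific PC (Host C) again
    ⇒Ping the Linux terminal from another PC (Host B) that is not subject to the ARP deny
    ⇒Check the arp table on the other PC (Host B)
    ⇒Ping the specific PC from the other PC (Host B)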


■Configuration applied to DSW3_3560
conf t
!
ip routing
!
enable secret ccnp
!
vlan 101
!
int loopback 0
ip address 1.1.1.1 255.255.255.255
!
int fa0/1
switchport mode access
switchport access vlan 101
no shut
!
int fa0/2
switchport mode access
switchport access vlan 101
no shut
!
int fa0/3
switchport mode access
switchport access vlan 101
no shut
!
int vlan 101
ip address 172.16.101.1 255.255.255.0
no shut
exit
!
mac access-list extended deny-arp
permit host 001d.7298.f312 0000.0000.0000 ffff.ffff.ffff 0x0806 0x0
exit
!
vlan access-map map-vlan 10
match mac address deny-arp
action drop
exit
!
vlan access-map map-vlan 20
action forward
exit
!
vlan filter map-vlan vlan-list 101
!
line vty 0 4
password cisco
login
!
end


■Test 1: Use a VACL to deny ARP packets from a specific PC (Host C) on vlan101
    ⇒Check the arp table on the specific PC (Host C)
C:\Documents and Settings\administrator.EXAMPLE>arp -a
No ARP Entries Found


    ⇒Ping the Linux terminal from the specific PC (Host C)
C:\Documents and Settings\administrator.EXAMPLE>ping 172.16.101.100

Pinging 172.16.101.100 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 172.16.101.100:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),


    ⇒Check the arp table on the specific PC (Host C) again
C:\Documents and Settings\administrator.EXAMPLE>arp -a
No ARP Entries Found


    ⇒Ping the Linux terminal from another PC (Host B) that is not subject to the ARP deny
C:\Documents and Settings\otherPC>ping 172.16.101.100

Pinging 172.16.101.100 with 32 bytes of data:

Reply from 172.16.101.100: bytes=32 time<1ms TTL=64
Reply from 172.16.101.100: bytes=32 time<1ms TTL=64
Reply from 172.16.101.100: bytes=32 time<1ms TTL=64
Reply from 172.16.101.100: bytes=32 time<1ms TTL=64

Ping statistics for 172.16.101.100:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms


    ⇒Check the arp table on the other PC (Host B)
C:\Documents and Settings\otherPC>arp -a

Interface: 172.16.101.150 --- 0x3
Internet Address Physical Address Type
172.16.101.1 f4-ac-c1-1f-f6-c1 dynamic
172.16.101.100 00-16-d3-c2-44-b2 dynamic
172.16.101.200 00-00-00-00-00-00 invalid


    ⇒Ping the specific PC from the other PC (Host B)
C:\Documents and Settings\otherPC>ping 172.16.101.200

Pinging 172.16.101.200 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 172.16.101.200:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),


DSW3_3560#sh access-lists

Extended MAC access list deny-arp
permit host 001d.7298.f312 any 0x806 0x0


DSW3_3560#sh vlan access-map
Vlan access-map "map-vlan" 10
Match clauses:
mac address: deny-arp
Action:
drop
Vlan access-map "map-vlan" 20
Match clauses:
Action:
forward


DSW3_3560#sh vlan filter
VLAN Map map-vlan is filtering VLANs:
101
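
The following Python model is an added example, not part of the original lab notes or any Cisco tooling. It walks constructed frames through the map-vlan access-map configured above to show why Host C's ARP requests never leave the VLAN and why Host B's entry for 172.16.101.200 stays invalid (Host C's ARP reply is also dropped). Host B's MAC address is a constructed placeholder, and the final fall-through drop is a simplification of the switch's behaviour.

```python
# Added illustration: first-match evaluation of the page's "map-vlan" VACL.
BROADCAST = 0xFFFFFFFFFFFF
ANY_MAC = (0, 0xFFFFFFFFFFFF)  # 0000.0000.0000 ffff.ffff.ffff (1 bits = don't care)

def mac(text):
    """Parse 001d.7298.f312 (IOS) or 00-16-d3-c2-44-b2 (Windows arp -a)."""
    return int(text.replace(".", "").replace("-", ""), 16)

def host(text):
    return (mac(text), 0)  # "host X": every bit must match

def field_match(value, pattern):
    wanted, wildcard = pattern
    return (value | wildcard) == (wanted | wildcard)

# mac access-list extended deny-arp: (action, source, destination, ethertype/mask)
DENY_ARP = [("permit", host("001d.7298.f312"), ANY_MAC, (0x0806, 0x0))]
# vlan access-map map-vlan: (sequence, matched ACL or None, action)
MAP_VLAN = [(10, DENY_ARP, "drop"), (20, None, "forward")]

def acl_permits(acl, frame):
    for action, src, dst, etype in acl:
        if (field_match(frame["src"], src) and field_match(frame["dst"], dst)
                and field_match(frame["ethertype"], etype)):
            return action == "permit"
    return False  # no ACE matched: this map entry does not apply

def vacl_action(frame, access_map=MAP_VLAN):
    for _seq, acl, action in sorted(access_map, key=lambda entry: entry[0]):
        if acl is None or acl_permits(acl, frame):  # no match clause = match all
            return action
    return "drop"  # simplification; never reached with sequence 20 present

HOST_C = mac("001d.7298.f312")    # from the deny-arp ACL
LINUX = mac("00-16-d3-c2-44-b2")  # from Host B's arp -a output
HOST_B = mac("0200.0000.00bb")    # constructed: Host B's MAC is not on the page

def frame(src, dst, ethertype):
    return {"src": src, "dst": dst, "ethertype": ethertype}

def walk_through():
    return {
        "C ARP request for Linux": vacl_action(frame(HOST_C, BROADCAST, 0x0806)),
        "B ARP request for C": vacl_action(frame(HOST_B, BROADCAST, 0x0806)),
        "C ARP reply to B": vacl_action(frame(HOST_C, HOST_B, 0x0806)),
        "C IPv4 frame to Linux": vacl_action(frame(HOST_C, LINUX, 0x0800)),
    }

if __name__ == "__main__":
    for name, action in walk_through().items():
        print(f"{name:26} -> {action}")
```

In a VLAN map, the `permit` in the MAC ACL only selects the frames that sequence 10 acts on; the `action drop` line is what discards them.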