Psy4HA
asked on
ACL on layer 2 port with deny ip any any
Hello experts, kind of curious on something. I have two machines on one vlan. They can ping eachother no problem. I apply an ACL to the interface of one machine that says deny ip any any. This maybe a dumb question but why don't machines on the LAN communicate at layer 2 only with mac addresses? Why go through the trouble of doing ARP, then getting an IP and sending a packet to other destination? Why not just send to destination mac?
Is this only because windows works at l3 and up? Would any windows applications communicate through layer 2 only (any examples)?
Thanks!
Is this only because windows works at l3 and up? Would any windows applications communicate through layer 2 only (any examples)?
Thanks!
ASKER
Duh i am realizing i was looking at things in reverse. ARP not really needed for MAC to IP it is more for IP to MAC.
Now i am confused where suppose PC1 is sending to PC2.
Now PC1 has the MAC and IP address of PC2.
I applied an ACL to the port of PC2 to deny all ip (but not layer 2 mac's). I am working on a layer 3 switch but even so they are on the same vlan so should not need to use layer 3 packets. Why is PC1 using a packet to send to PC2 and not a frame (l2)?
Also if it is sending a packet how does a layer 2 switch know to send the packet to PC2 if it only operates on MAC addresses? i Should try this on a layer 2 switch cause i think that if i apply an IP based ACL that says deny all and if i have another machine on the same vlan on that switch it should be able to send traffic i think?
Now i am confused where suppose PC1 is sending to PC2.
Now PC1 has the MAC and IP address of PC2.
I applied an ACL to the port of PC2 to deny all ip (but not layer 2 mac's). I am working on a layer 3 switch but even so they are on the same vlan so should not need to use layer 3 packets. Why is PC1 using a packet to send to PC2 and not a frame (l2)?
Also if it is sending a packet how does a layer 2 switch know to send the packet to PC2 if it only operates on MAC addresses? i Should try this on a layer 2 switch cause i think that if i apply an IP based ACL that says deny all and if i have another machine on the same vlan on that switch it should be able to send traffic i think?
ASKER
I think my confusion maybe that a packet includes the frame details? So when PC1 send to PC2 it has a destination mac address built into the PACKET but also in that PACKET contains mac addressing information. Is this right? If we look at wire shark it would appear that is what is happening as it has layer 1 > 2 > 3 > information in one "packet."
In any case do we every actually send Frame's only on a network (containing no ip address information?). My thinking is why we don't have MAC address servers like DNS servers so we wouldn't have to send out so many ARP's?
In any case do we every actually send Frame's only on a network (containing no ip address information?). My thinking is why we don't have MAC address servers like DNS servers so we wouldn't have to send out so many ARP's?
PC1 sends arp broadcast - who has IP of default gateway... it responds with it's MAC...
It does same for PC1 if it's IP is in configured subnet...
It does same for PC1 if it's IP is in configured subnet...
ASKER
Yea i get that. It goes through all the trouble to get MAC addresses so it can send the information to the next hop. My issue was that the data should only have mac address source and destination NOT ip information. So if i put an ACL on a port that blocks IP information it shouldn't matter. But it actually does contain both mac and ip information which i didn't think was the case. I thought if local sends a frame, if remote subnet it sends a packet.
At layer 2 you can specify which MAC is on particular port if at all. You dont have IP address yet.
ASKER
Switches work at layer 2 so if I apply an acl at layer 3 to block any it shouldn't block any?
Cisco calls gear "Switch" while technically it is a router with 24 ports.
Would help if you read the label and at least tell if it is nexus or catalyst...
Would help if you read the label and at least tell if it is nexus or catalyst...
ASKER
answer to my question is in this article:
http://searchnetworking.techtarget.com/answer/Are-packets-sent-inside-frames-or-are-frames-inside-packets
Frame Contains Packet and Segment info. thought they were seperate. Thanks for help gheist anyway.
http://searchnetworking.techtarget.com/answer/Are-packets-sent-inside-frames-or-are-frames-inside-packets
Frame Contains Packet and Segment info. thought they were seperate. Thanks for help gheist anyway.
ASKER
I've requested that this question be closed as follows:
Accepted answer: 0 points for Psy4HA's comment #a39668029
Assisted answer: 0 points for Psy4HA's comment #a39666611
for the following reason:
thanks,
Accepted answer: 0 points for Psy4HA's comment #a39668029
Assisted answer: 0 points for Psy4HA's comment #a39666611
for the following reason:
thanks,
Sadly your linked article des not explain ARP as asked in initial question
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Solution stated in previous comment
Why you deny IP? You want to force them to play old games over IPX or NetBEUI?