Solved

ACL on layer 2 port with deny ip any any

Posted on 2013-11-20
14
467 Views
Last Modified: 2013-11-27
Hello experts, kind of curious on something. I have two machines on one VLAN. They can ping each other no problem. I apply an ACL to the interface of one machine that says deny ip any any. This may be a dumb question, but why don't machines on the LAN communicate at layer 2 only with MAC addresses? Why go through the trouble of doing ARP, then getting an IP and sending a packet to the other destination? Why not just send to the destination MAC?

Is this only because Windows works at L3 and up? Would any Windows applications communicate through layer 2 only (any examples)?

Thanks!
0
Comment
Question by:Psy4HA
14 Comments
 
LVL 62

Expert Comment

by:gheist
ID: 39665415
ARP is the only way to get the MAC of a particular IP.
Why do you deny IP? You want to force them to play old games over IPX or NetBEUI?
0
 

Author Comment

by:Psy4HA
ID: 39666611
Duh, I am realizing I was looking at things in reverse. ARP is not really needed for MAC to IP; it is more for IP to MAC.

Now I am confused. Suppose PC1 is sending to PC2.

Now PC1 has the MAC and IP address of PC2.

I applied an ACL to the port of PC2 to deny all IP (but not layer 2 MACs). I am working on a layer 3 switch, but even so they are on the same VLAN, so they should not need to use layer 3 packets. Why is PC1 using a packet to send to PC2 and not a frame (L2)?

Also, if it is sending a packet, how does a layer 2 switch know to send the packet to PC2 if it only operates on MAC addresses? I should try this on a layer 2 switch, because I think that if I apply an IP-based ACL that says deny all, and I have another machine on the same VLAN on that switch, it should still be able to send traffic, I think?
0
 

Author Comment

by:Psy4HA
ID: 39666659
I think my confusion may be that a packet includes the frame details? So when PC1 sends to PC2 it has a destination MAC address built into the PACKET, but that PACKET also contains MAC addressing information. Is this right? If we look at Wireshark it would appear that is what is happening, as it has layer 1 > 2 > 3 > information in one "packet."

In any case, do we ever actually send frames only on a network (containing no IP address information)? My thinking is: why don't we have MAC address servers like DNS servers, so we wouldn't have to send out so many ARPs?
0
 
LVL 62

Expert Comment

by:gheist
ID: 39666918
PC1 sends an ARP broadcast: who has the IP of the default gateway... it responds with its MAC...
It does the same for PC1 if its IP is in the configured subnet...
0
 

Author Comment

by:Psy4HA
ID: 39666972
Yeah, I get that. It goes through all the trouble to get MAC addresses so it can send the information to the next hop. My issue was that the data should only have MAC address source and destination, NOT IP information. So if I put an ACL on a port that blocks IP information it shouldn't matter. But it actually does contain both MAC and IP information, which I didn't think was the case. I thought if local, it sends a frame; if remote subnet, it sends a packet.
0
 
LVL 62

Expert Comment

by:gheist
ID: 39667155
At layer 2 you can specify which MAC is on a particular port, if at all. You don't have an IP address yet.
0
 

Author Comment

by:Psy4HA
ID: 39667205
Switches work at layer 2, so if I apply an ACL at layer 3 to block any, it shouldn't block anything?
0
 
LVL 62

Expert Comment

by:gheist
ID: 39668013
Cisco calls the gear a "switch" while technically it is a router with 24 ports.

It would help if you read the label and at least tell us whether it is Nexus or Catalyst...
0
 

Author Comment

by:Psy4HA
ID: 39668029
The answer to my question is in this article:
http://searchnetworking.techtarget.com/answer/Are-packets-sent-inside-frames-or-are-frames-inside-packets

The frame contains the packet and segment info. I thought they were separate. Thanks for the help, gheist, anyway.
0
 

Author Comment

by:Psy4HA
ID: 39668085
I've requested that this question be closed as follows:

Accepted answer: 0 points for Psy4HA's comment #a39668029
Assisted answer: 0 points for Psy4HA's comment #a39666611

for the following reason:

thanks,
0
 
LVL 62

Expert Comment

by:gheist
ID: 39668086
Sadly your linked article does not explain ARP as asked in the initial question.
0
 

Assisted Solution

by:Psy4HA
Psy4HA earned 0 total points
ID: 39668114
As indicated by the next comment, you cleared that up: ARP is IP to MAC; I had it backwards. That was, however, not the main part of my question. My main point or issue was that the frame contains the packet, which is why the layer 2 switch drops everything when an ACL is applied to it with deny ip any any. It's hard for me to phrase this question, but my question is this:
1. I am on an Ethernet segment (no routing at all, no layer 3 switches or routers, just a simple Cisco 2950 switch, one VLAN).
2. I have two Windows machines on the same VLAN.
3. The switch has the port for PC2 set to deny ip any any.
4. PC1 cannot send anything to PC2.

I thought it would not be the case, since we should only be operating at layer 2 (the switch is at layer 2 and switches based on MAC address, not IP, i.e. ARP is not even involved in my mind). What I didn't understand is that Windows still goes through the protocol stack and will include data in packets within frames, not just frames by themselves (which only have MACs). I thought they packaged up data in frames and sent it to the next Windows box. They don't. They attach IP info to the frame, therefore making it a packet.

Thanks
0
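The encapsulation the author describes (an IPv4 packet carried as the payload of an Ethernet frame, with ARP as a separate, non-IP frame type) can be shown byte by byte. The following is an added example, not code from the thread or from any Cisco product; it hand-builds an Ethernet frame carrying an ICMP echo request between two constructed hosts (PC1 at 192.0.2.10, PC2 at 192.0.2.20, MACs and addresses invented for the example), builds an ARP request for comparison, parses both, and models an inbound port ACL of `deny ip any any` purely as "drop any frame whose EtherType is IPv4". The function names (`build_frame`, `parse_frame`, `port_acl_permits`) and the ACL model are assumptions for illustration; what a given switch platform actually matches against a port ACL is platform-specific and is not claimed here.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
IPPROTO_ICMP = 1


def mac_bytes(mac: str) -> bytes:
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes(int(part, 16) for part in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    """'192.0.2.10' -> 4 raw bytes."""
    return bytes(int(part) for part in ip.split("."))


def build_ipv4_packet(src_ip: str, dst_ip: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, checksum left 0 for the example) + payload."""
    total_len = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0, 0, 64, proto, 0,
                         ip_bytes(src_ip), ip_bytes(dst_ip))
    return header + payload


def build_frame(src_mac: str, dst_mac: str, ethertype: int, payload: bytes) -> bytes:
    """Ethernet II frame: dst MAC, src MAC, EtherType, then the layer-3 payload."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + payload


def build_arp_request(src_mac: str, src_ip: str, target_ip: str) -> bytes:
    """ARP 'who has target_ip' broadcast. Note: EtherType is ARP, not IPv4."""
    body = (struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 1)  # hw=Ethernet, proto=IPv4, opcode=request
            + mac_bytes(src_mac) + ip_bytes(src_ip)
            + b"\x00" * 6 + ip_bytes(target_ip))
    return build_frame(src_mac, "ff:ff:ff:ff:ff:ff", ETHERTYPE_ARP, body)


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header and, if the payload is IPv4, the IP header too."""
    fmt = lambda raw: ":".join(f"{b:02x}" for b in raw)
    info = {
        "dst_mac": fmt(frame[0:6]),
        "src_mac": fmt(frame[6:12]),
        "ethertype": struct.unpack("!H", frame[12:14])[0],
    }
    if info["ethertype"] == ETHERTYPE_IPV4:
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        info.update({
            "proto": ip[9],
            "src_ip": ".".join(str(b) for b in ip[12:16]),
            "dst_ip": ".".join(str(b) for b in ip[16:20]),
            "l4_payload": ip[ihl:],
        })
    return info


def port_acl_permits(frame: bytes) -> bool:
    """Model of an inbound 'deny ip any any' on the port: IPv4 frames dropped, anything else passes.
    This is the example's simplification, not a statement about any specific switch."""
    return parse_frame(frame)["ethertype"] != ETHERTYPE_IPV4


def demo() -> dict:
    """Constructed PC1 -> PC2 traffic: an ICMP echo request and an ARP request."""
    pc1_mac, pc1_ip = "02:00:00:00:00:01", "192.0.2.10"   # constructed values
    pc2_mac, pc2_ip = "02:00:00:00:00:02", "192.0.2.20"   # constructed values

    echo = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"ping"          # ICMP echo request, checksum 0
    ping_frame = build_frame(pc1_mac, pc2_mac, ETHERTYPE_IPV4,
                             build_ipv4_packet(pc1_ip, pc2_ip, IPPROTO_ICMP, echo))
    arp_frame = build_arp_request(pc1_mac, pc1_ip, pc2_ip)

    results = {}
    for name, frame in (("icmp", ping_frame), ("arp", arp_frame)):
        parsed = parse_frame(frame)
        parsed["permitted"] = port_acl_permits(frame)
        results[name] = parsed
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name}: ethertype=0x{r['ethertype']:04x} permitted={r['permitted']} "
              f"{r.get('src_ip', '-')} -> {r.get('dst_ip', '-')}")
```

The point the author reached in the thread is visible in `parse_frame`: the "ping" the user sees is an ICMP message inside an IPv4 header inside an Ethernet frame, so the IP addresses are present in every data frame on the wire even when both hosts sit on the same VLAN, and an IP-matching filter on the port has something to match. The ARP request, by contrast, carries EtherType 0x0806 and no IP header at all, which is why this model lets it through.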
 
LVL 62

Accepted Solution

by:
gheist earned 250 total points
ID: 39668188
That I could agree with. You wanted to know one thing but then you asked another ;)

I see you did not learn IT at university, because in the first semester you usually get a free dose of this:
https://en.wikipedia.org/wiki/OSI_model#Comparison_with_TCP.2FIP_model


PS: just ask to close the question again....
0
 

Author Closing Comment

by:Psy4HA
ID: 39680231
Solution stated in the previous comment.
0
