ACL on layer 2 port with deny ip any any

Hello experts, kind of curious on something. I have two machines on one VLAN. They can ping each other no problem. I apply an ACL to the interface of one machine that says deny ip any any. This may be a dumb question, but why don't machines on the LAN communicate at layer 2 only with MAC addresses? Why go through the trouble of doing ARP, then getting an IP and sending a packet to the other destination? Why not just send to the destination MAC?

Is this only because Windows works at L3 and up? Would any Windows applications communicate through layer 2 only (any examples)?

Thanks!
Asked by: Psy4HA

2 Solutions
gheist commented:
ARP is the only way to get the MAC of a particular IP.
Why do you deny IP? You want to force them to play old games over IPX or NetBEUI?
 
Psy4HA (Author) commented:
Duh, I am realizing I was looking at things in reverse. ARP is not really needed for MAC to IP; it is more for IP to MAC.

Now I am confused. Suppose PC1 is sending to PC2.

Now PC1 has the MAC and IP address of PC2.

I applied an ACL to the port of PC2 to deny all IP (but not layer 2 MACs). I am working on a layer 3 switch, but even so they are on the same VLAN, so they should not need to use layer 3 packets. Why is PC1 using a packet to send to PC2 and not a frame (L2)?

Also, if it is sending a packet, how does a layer 2 switch know to send the packet to PC2 if it only operates on MAC addresses? I should try this on a layer 2 switch, because I think that if I apply an IP-based ACL that says deny all and I have another machine on the same VLAN on that switch, it should be able to send traffic, I think?
 
Psy4HA (Author) commented:
I think my confusion may be that a packet includes the frame details? So when PC1 sends to PC2 it has a destination MAC address built into the PACKET, but that PACKET also contains MAC addressing information. Is this right? If we look at Wireshark it would appear that is what is happening, as it has layer 1 > 2 > 3 > information in one "packet."

In any case, do we ever actually send frames only on a network (containing no IP address information)? My thinking is, why don't we have MAC address servers like DNS servers so we wouldn't have to send out so many ARPs?
gheist commented:
PC1 sends an ARP broadcast: who has the IP of the default gateway... it responds with its MAC...
It does the same for PC1 if its IP is in the configured subnet...
 
Psy4HA (Author) commented:
Yeah, I get that. It goes through all the trouble to get MAC addresses so it can send the information to the next hop. My issue was that the data should only have MAC address source and destination, NOT IP information. So if I put an ACL on a port that blocks IP information, it shouldn't matter. But it actually does contain both MAC and IP information, which I didn't think was the case. I thought if local, it sends a frame; if remote subnet, it sends a packet.
 
gheist commented:
At layer 2 you can specify which MAC is on a particular port, if at all. You don't have an IP address yet.
 
Psy4HA (Author) commented:
Switches work at layer 2, so if I apply an ACL at layer 3 to block any, it shouldn't block anything?
 
gheist commented:
Cisco calls the gear a "switch" while technically it is a router with 24 ports.

It would help if you read the label and at least tell us whether it is Nexus or Catalyst...
 
Psy4HA (Author) commented:
The answer to my question is in this article:
http://searchnetworking.techtarget.com/answer/Are-packets-sent-inside-frames-or-are-frames-inside-packets

A frame contains packet and segment info. I thought they were separate. Thanks for the help anyway, gheist.
 
Psy4HA (Author) commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for Psy4HA's comment #a39668029
Assisted answer: 0 points for Psy4HA's comment #a39666611

for the following reason:

thanks,
 
gheist commented:
Sadly your linked article does not explain ARP as asked in the initial question.
 
Psy4HA (Author) commented:
As indicated by the next comment, you cleared that up: ARP is IP to MAC, I had it backwards. That was however not the main part of my question. My main point or issue was that a frame contains packets, which is why the layer 2 switch drops everything when an ACL is applied to it with deny ip any any. It's hard for me to phrase this question, but my question is this:
1. I am on an Ethernet segment (no routing at all, no layer 3 switches or routers, just a simple Cisco 2950 switch, one VLAN).
2. I have two Windows machines on the same VLAN.
3. The switch has the port for PC2 set to deny ip any any.
4. PC1 cannot send anything to PC2.

I thought it would not be the case, since we should only be operating at layer 2 (the switch is at layer 2 and switches based on MAC address, not IP, i.e. ARP is not even involved in my mind). What I didn't understand is that Windows still goes through the protocol stack and will include data in packets within frames, not just frames by themselves (which only have MACs). I thought they packaged up data in frames and sent to the next Windows box. They don't. They attach IP info to the frame, therefore making it a packet.

Thanks
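To make the encapsulation point concrete, here is an added example (not from the thread or from Cisco) that builds the two kinds of frames PC1 would put on the wire and models what an IP ACL on PC2's port sees in each: the ping frame carries an IPv4 header behind EtherType 0x0800, while the ARP request carries no IP header at all. MAC and IP addresses are constructed, and the ACL model is a simplification of a real switch.

```python
import struct

ETHERTYPE_IPV4 = 0x0800  # EtherType announcing that an IPv4 packet follows
ETHERTYPE_ARP = 0x0806   # ARP rides directly in the frame: no IP header inside

def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))

def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))

def build_ipv4(src_ip, dst_ip, proto, payload):
    # Minimal 20-byte IPv4 header (version 4, IHL 5, TTL 64). Checksum is left 0
    # because this is a constructed sample, not a live packet.
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    return header + payload

def build_frame(dst_mac, src_mac, ethertype, payload):
    # Ethernet II: dst MAC, src MAC, EtherType, then the encapsulated payload
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + payload

def classify(frame):
    """Report what an IP ACL on the ingress port can see inside this frame."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_IPV4:
        src = ".".join(str(b) for b in frame[26:30])  # IP source sits 12 bytes into the header
        dst = ".".join(str(b) for b in frame[30:34])  # IP destination follows it
        return ("ip", src, dst, frame[23])           # frame[23] is the IP protocol field
    if ethertype == ETHERTYPE_ARP:
        return ("arp",)
    return ("other", ethertype)

def deny_ip_any_any(frame):
    """Model of 'deny ip any any' on the port: drop IPv4-bearing frames, forward the rest."""
    return "drop" if classify(frame)[0] == "ip" else "forward"

# Constructed sample hosts on one VLAN (hypothetical addresses)
PC1_MAC, PC2_MAC = "00:11:22:33:44:01", "00:11:22:33:44:02"
PC1_IP, PC2_IP = "192.0.2.10", "192.0.2.20"

# ICMP echo request (type 8) from PC1 to PC2: frame -> IPv4 header -> ICMP
ICMP_ECHO = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
PING_FRAME = build_frame(PC2_MAC, PC1_MAC, ETHERTYPE_IPV4, build_ipv4(PC1_IP, PC2_IP, 1, ICMP_ECHO))

# ARP request from PC1 asking for PC2's MAC: broadcast frame, no IP header inside
ARP_REQUEST = (struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 1) + mac_bytes(PC1_MAC)
               + ip_bytes(PC1_IP) + b"\x00" * 6 + ip_bytes(PC2_IP))
ARP_FRAME = build_frame("ff:ff:ff:ff:ff:ff", PC1_MAC, ETHERTYPE_ARP, ARP_REQUEST)
```

Calling `classify(PING_FRAME)` returns the IP addresses and protocol number the ACL matched on, while `deny_ip_any_any(ARP_FRAME)` forwards, which is why the ARP exchange still completes but the ping that follows it is dropped.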
 
gheist commented:
That I could agree with. You wanted to know one thing but then you asked another ;)

I see you did not learn IT at university, because in the first semester you usually get a free dose of this:
https://en.wikipedia.org/wiki/OSI_model#Comparison_with_TCP.2FIP_model

PS: just ask to close the question again....
 
Psy4HA (Author) commented:
Solution stated in previous comment.