Solved

ACL on layer 2 port with deny ip any any

Posted on 2013-11-20
Last Modified: 2013-11-27
Hello experts, kind of curious on something. I have two machines on one VLAN. They can ping each other no problem. I apply an ACL to the interface of one machine that says deny ip any any. This may be a dumb question, but why don't machines on the LAN communicate at layer 2 only with MAC addresses? Why go through the trouble of doing ARP, then getting an IP and sending a packet to the other destination? Why not just send to the destination MAC?

Is this only because Windows works at L3 and up? Would any Windows applications communicate through layer 2 only (any examples)?

Thanks!
Question by:Psy4HA
14 Comments
 
LVL 61

Expert Comment

by:gheist
ID: 39665415
ARP is the only way to get the MAC of a particular IP.
Why do you deny IP? You want to force them to play old games over IPX or NetBEUI?

Author Comment

by:Psy4HA
ID: 39666611
Duh, I am realizing I was looking at things in reverse. ARP is not really needed for MAC to IP; it is more for IP to MAC.

Now I am confused. Suppose PC1 is sending to PC2.

Now PC1 has the MAC and IP address of PC2.

I applied an ACL to the port of PC2 to deny all IP (but not layer 2 MACs). I am working on a layer 3 switch, but even so they are on the same VLAN, so they should not need to use layer 3 packets. Why is PC1 using a packet to send to PC2 and not a frame (L2)?

Also, if it is sending a packet, how does a layer 2 switch know to send the packet to PC2 if it only operates on MAC addresses? I should try this on a layer 2 switch, because I think that if I apply an IP-based ACL that says deny all, and I have another machine on the same VLAN on that switch, it should still be able to send traffic, I think?

Author Comment

by:Psy4HA
ID: 39666659
I think my confusion may be that a packet includes the frame details? So when PC1 sends to PC2 it has a destination MAC address built into the PACKET, but that PACKET also contains MAC addressing information. Is this right? If we look at Wireshark it would appear that is what is happening, as it has layer 1 > 2 > 3 > information in one "packet."

In any case, do we ever actually send frames only on a network (containing no IP address information)? My thinking is: why don't we have MAC address servers like DNS servers, so we wouldn't have to send out so many ARPs?
LVL 61

Expert Comment

by:gheist
ID: 39666918
PC1 sends an ARP broadcast - who has the IP of the default gateway... it responds with its MAC...
It does the same for PC1 if its IP is in the configured subnet...

Author Comment

by:Psy4HA
ID: 39666972
Yeah, I get that. It goes through all the trouble to get MAC addresses so it can send the information to the next hop. My issue was that the data should only have MAC address source and destination, NOT IP information. So if I put an ACL on a port that blocks IP information, it shouldn't matter. But it actually does contain both MAC and IP information, which I didn't think was the case. I thought if local it sends a frame, if remote subnet it sends a packet.
LVL 61

Expert Comment

by:gheist
ID: 39667155
At layer 2 you can specify which MAC is on a particular port, if at all. You don't have an IP address yet.

Author Comment

by:Psy4HA
ID: 39667205
Switches work at layer 2, so if I apply an ACL at layer 3 to block any, it shouldn't block any?
 
LVL 61

Expert Comment

by:gheist
ID: 39668013
Cisco calls the gear a "Switch" while technically it is a router with 24 ports.

It would help if you read the label and at least told us if it is Nexus or Catalyst...

Author Comment

by:Psy4HA
ID: 39668029
The answer to my question is in this article:
http://searchnetworking.techtarget.com/answer/Are-packets-sent-inside-frames-or-are-frames-inside-packets

Frame contains packet and segment info. I thought they were separate. Thanks for the help gheist anyway.

Author Comment

by:Psy4HA
ID: 39668085
I've requested that this question be closed as follows:

Accepted answer: 0 points for Psy4HA's comment #a39668029
Assisted answer: 0 points for Psy4HA's comment #a39666611

for the following reason:

thanks,
LVL 61

Expert Comment

by:gheist
ID: 39668086
Sadly your linked article does not explain ARP as asked in the initial question.

Assisted Solution

by:Psy4HA
Psy4HA earned 0 total points
ID: 39668114
As indicated by the next comment, you cleared that up: ARP is IP to MAC, I had it backwards. That was however not the main part of my question. My main point or issue was that a frame contains packets, which is why the layer 2 switch drops everything when an ACL is applied to it with deny ip any any. It's hard for me to phrase this question, but my question is this:
1. I am on an Ethernet segment (no routing at all, no layer 3 switches or routers, just a simple Cisco 2950 switch, one VLAN)
2. I have two Windows machines on the same VLAN
3. The switch has the port for PC2 set to deny ip any any
4. PC1 cannot send anything to PC2.

I thought it would not be the case, since we should only be operating at layer 2 (the switch is at layer 2 and switches based on MAC address, no IP, i.e. ARP is not even involved in my mind). What I didn't understand is that Windows still goes through the protocol stack and will include data in packets within frames, not just frames by themselves (which only have MACs). I thought they packaged up data in frames and sent it to the next Windows box. They don't. They attach IP info to the frame, therefore making it a packet.

Thanks
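As an added illustration of the point in this comment (example code, not from the thread), the Python below builds the two frames PC1 would send to PC2, an ARP request and an ICMP ping carried inside an IPv4 packet inside an Ethernet frame, and applies a port filter that behaves like deny ip any any. All addresses are constructed, and the filter models only the EtherType/IP header match, not a real IOS ACL implementation.

```python
import socket
import struct

ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806
IPPROTO_ICMP = 1
# Constructed addresses for the two Windows hosts on the single VLAN.
PC1_MAC, PC1_IP = "00:11:22:33:44:01", "192.168.1.10"
PC2_MAC, PC2_IP = "00:11:22:33:44:02", "192.168.1.20"

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def ethernet_frame(dst_mac, src_mac, ethertype, payload):
    """Ethernet II header (14 bytes) in front of whatever layer-3 payload it carries."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + payload

def ipv4_packet(src_ip, dst_ip, proto, payload):
    """Minimal 20-byte IPv4 header (checksum left zero for brevity) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return hdr + payload

def arp_request(sender_mac, sender_ip, target_ip):
    """ARP 'who has target_ip': hw type 1, proto 0x0800, hlen 6, plen 4, opcode 1."""
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1, mac_bytes(sender_mac),
                       socket.inet_aton(sender_ip), b"\x00" * 6, socket.inet_aton(target_ip))

def layers(frame):
    """Name the encapsulated layers, outermost first, as a sniffer would show them."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_ARP:
        return ["ethernet", "arp"]
    if ethertype == ETHERTYPE_IPV4:
        proto = frame[14 + 9]  # protocol field sits at byte 9 of the IPv4 header
        return ["ethernet", "ipv4", {IPPROTO_ICMP: "icmp", 6: "tcp", 17: "udp"}.get(proto, str(proto))]
    return ["ethernet", f"0x{ethertype:04x}"]

def port_acl_deny_ip_any_any(frame):
    """An IP ACL on the port matches the IPv4 header inside the frame, so every IPv4
    frame is dropped; non-IP frames such as ARP are never matched by an IP ACL."""
    return "drop" if struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_IPV4 else "permit"

# PC1 first resolves PC2's MAC (ARP broadcast), then pings it (ICMP in IPv4 in Ethernet).
ARP_FRAME = ethernet_frame("ff:ff:ff:ff:ff:ff", PC1_MAC, ETHERTYPE_ARP, arp_request(PC1_MAC, PC1_IP, PC2_IP))
ICMP_ECHO = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"ping"
PING_FRAME = ethernet_frame(PC2_MAC, PC1_MAC, ETHERTYPE_IPV4, ipv4_packet(PC1_IP, PC2_IP, IPPROTO_ICMP, ICMP_ECHO))

if __name__ == "__main__":
    for name, frame in (("arp", ARP_FRAME), ("ping", PING_FRAME)):
        print(name, layers(frame), port_acl_deny_ip_any_any(frame))
```

The ping frame carries a full IPv4 header even though both hosts sit on one VLAN, which is why an IP ACL on PC2's port drops it while the ARP frame still gets through.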
LVL 61

Accepted Solution

by:
gheist earned 250 total points
ID: 39668188
That I could agree with. You wanted to know one thing but then you asked another ;)

I see you did not learn IT at university, because in the first semester you usually get a free dose of this:
https://en.wikipedia.org/wiki/OSI_model#Comparison_with_TCP.2FIP_model


PS just ask to close the question again....

Author Closing Comment

by:Psy4HA
ID: 39680231
Solution stated in previous comment