Re: Q: Vlans Maps

From: Jai Prakash (jpjsr06@gmail.com)
Date: Sat May 27 2006 - 03:17:54 ART


Hello Victor,

  For quick verification, can you try the ACL without the "echo" keyword and
test?

  If it works, then use two ACL statements, i.e.

Rack1Sw1#show access-list
Extended IP access list ACES-TASK
   10 permit icmp 28.119.16.0 0.0.0.255 204.12.1.0 0.0.0.255 echo
   20 permit icmp 28.119.16.0 0.0.0.255 204.12.1.0 0.0.0.255 echo-reply

and try to test again.

Best Regards,
Jai

On 5/27/06, Victor Cappuccio <cvictor@protokolgroup.com> wrote:
>
> Hello Jai,
>
> Sorry, I posted the incorrect pings.
>
> These are the correct ones:
>
> BB3#ping 204.12.1.0 source 28.119.16.1 !!NOT 17
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 204.12.1.0, timeout is 2 seconds:
> Packet sent with a source address of 28.119.16.1
>
> Reply to request 0 from 204.12.1.6, 4 ms
> Reply to request 0 from 204.12.1.2, 4 ms
>
> BB3#ping 204.12.1.255 source 28.119.16.1
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 204.12.1.255, timeout is 2 seconds:
> Packet sent with a source address of 28.119.16.1
>
> Reply to request 0 from 204.12.1.6, 4 ms
> Reply to request 0 from 204.12.1.2, 8 ms
>
> ------------------------------
>
> *From:* Jai Prakash [mailto:jpjsr06@gmail.com]
> *Sent:* Saturday, May 27, 2006 01:50 a.m.
> *To:* Victor Cappuccio
> *CC:* GroupStudy CCIE
> *Subject:* Re: Q: Vlans Maps
>
> Hi,
>
> Please check your ACCESS-LIST statement, which is mapping only a single
> network, i.e. 28.119.16.0/24.
>
> Extended IP access list ACES-TASK
> 10 permit icmp 28.119.16.0 0.0.0.255 204.12.1.0 0.0.0.255 echo
>
> If you want to see the same result from the 28.119.17.0/24 network, you have
> to change the subnet mask to 0.0.1.255.
>
> Correct me if I'm wrong.
>
> Best Regards,
> Jai
>
> On 5/27/06, *Victor Cappuccio* <cvictor@protokolgroup.com> wrote:
>
> Hello Guys,
>
> Playing with Vlans Maps and with this problem:
>
> Router 2 / 6 / BB3 are in the same vlan and the requirement is to do a Vlan
> Map to filter ICMP Echos from a determined Source Address
>
> So I found this:
>
> BB3#ping 204.12.1.2 source 28.119.16.1
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 204.12.1.2, timeout is 2 seconds:
> Packet sent with a source address of 28.119.16.1
> .....
> Success rate is 0 percent (0/5)
>
> !!! Ok Seems that the ACE is doing the Work :)
>
> !!! But
> BB3#ping 204.12.1.255 source 28.119.17.1
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 204.12.1.255, timeout is 2 seconds:
> Packet sent with a source address of 28.119.17.1
>
> Reply to request 0 from 204.12.1.6, 16 ms
> Reply to request 0 from 204.12.1.2, 20 ms
>
> !!! These 2 routers are in the same vlan that the router is attached to
>
> !!!! Or if you ping at the Network Address:
>
> BB3#ping 204.12.1.0 source 28.119.17.1
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 204.12.1.0, timeout is 2 seconds:
> Packet sent with a source address of 28.119.17.1
>
> Reply to request 0 from 204.12.1.6, 4 ms
> Reply to request 0 from 204.12.1.2, 4 ms
>
>
> With this configuration
>
> Rack1Sw1#show vlan filter
> VLAN Map TEST is filtering VLANs:
> 263
> Rack1Sw1#
> Rack1Sw1#show vlan access TEST
> Vlan access-map "TEST" 10
> Match clauses:
> ip address: ACES-TASK
> Action:
> drop
> Vlan access-map "TEST" 20
> Match clauses:
> Action:
> forward
> Rack1Sw1#
> Rack1Sw1#show access-list
> Extended IP access list ACES-TASK
> 10 permit icmp 28.119.16.0 0.0.0.255 204.12.1.0 0.0.0.255 echo
> Rack1Sw1#
>
>
> Please could anyone tell me WHY the echoes sent to the network or to the
> broadcast address are getting an echo-reply, and if you ping the
> interface addresses (or any host address) they are access-controlled by
> the Vlan Filter?
>
> Thanks
> Victor.
>



This archive was generated by hypermail 2.1.4 : Thu Jun 01 2006 - 06:33:22 ART
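
The ACL and VLAN access-map logic discussed in this thread, as an added example that is not part of the original messages: a small Python model of the IOS wildcard-mask comparison and the drop/forward decision of map TEST. The function names and packet tuples are constructed for illustration, and the model covers only the address and ICMP-type comparison, not how the switch or routers handle broadcast destinations.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """IOS-style compare: bits set in the wildcard mask are 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def ace_matches(ace, pkt):
    """ace = (src, src_wc, dst, dst_wc, icmp_type); pkt = (src, dst, icmp_type)."""
    src, src_wc, dst, dst_wc, icmp_type = ace
    return (wildcard_match(pkt[0], src, src_wc)
            and wildcard_match(pkt[1], dst, dst_wc)
            and icmp_type in (None, pkt[2]))   # None = no ICMP keyword on the ACE

def vlan_map_action(acl, pkt):
    """Map TEST: sequence 10 drops what the ACL permits, sequence 20 forwards the rest."""
    return "drop" if any(ace_matches(ace, pkt) for ace in acl) else "forward"

DST = ("204.12.1.0", "0.0.0.255")
# ACE 10 as configured on Rack1Sw1
ACL_ORIGINAL = [("28.119.16.0", "0.0.0.255", *DST, "echo")]
# Same ACE with the 0.0.1.255 source wildcard suggested in the thread
ACL_WIDER = [("28.119.16.0", "0.0.1.255", *DST, "echo")]
# The two-ACE variant suggested in the thread (echo plus echo-reply)
ACL_TWO = ACL_ORIGINAL + [("28.119.16.0", "0.0.0.255", *DST, "echo-reply")]

# Constructed packets based on the pings shown in the thread
PACKETS = [
    ("28.119.16.1", "204.12.1.2", "echo"),
    ("28.119.17.1", "204.12.1.2", "echo"),
    ("28.119.16.1", "204.12.1.255", "echo"),
    ("204.12.1.2", "28.119.16.1", "echo-reply"),  # reply travelling back to BB3
]

if __name__ == "__main__":
    for name, acl in (("original", ACL_ORIGINAL), ("wider", ACL_WIDER), ("two-ACE", ACL_TWO)):
        for pkt in PACKETS:
            print(f"{name:8} {pkt} -> {vlan_map_action(acl, pkt)}")
```

On the address comparison alone, 204.12.1.255 falls inside 204.12.1.0 0.0.0.255, so the wildcard mask by itself does not account for the replies seen on the broadcast ping. A reply travelling from 204.12.1.2 back to 28.119.16.1 has the addresses reversed and matches none of the ACEs above.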