RE: Q: Vlans Maps

From: Victor Cappuccio (cvictor@protokolgroup.com)
Date: Sat May 27 2006 - 04:58:23 ART


Sorry Jai, it's almost 4 a.m.

Rack1Sw1(config-ext-nacl)#$.0.0.255 204.12.1.0 0.0.0.255 echo-reply
Rack1Sw1(config-ext-nacl)#
BB1-TS#10
[Resuming connection 10 to BB3 ... ]
1w3d:
BB3#
BB3#ping 204.12.1.0 source 28.119.16.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 204.12.1.0, timeout is 2 seconds:
Packet sent with a source address of 28.119.16.1
Reply to request 0 from 204.12.1.6, 44 ms
Reply to request 0 from 204.12.1.2, 60 ms
Reply to request 1 from 204.12.1.6, 48 ms
Reply to request 1 from 204.12.1.2, 60 ms
Reply to request 2 from 204.12.1.6, 48 ms
Reply to request 2 from 204.12.1.2, 60 ms
Reply to request 3 from 204.12.1.6, 48 ms
Reply to request 3 from 204.12.1.2, 60 ms
Reply to request 4 from 204.12.1.6, 48 ms
Reply to request 4 from 204.12.1.2, 60 ms
BB3#x7
     ^
% Invalid input detected at '^' marker.
BB3#
BB1-TS#7
[Resuming connection 7 to Sw1 ... ]
Rack1Sw1(config-ext-nacl)#do show access-list ACES-TASK
Extended IP access list ACES-TASK
    10 permit icmp 28.119.16.0 0.0.0.255 204.12.1.0 0.0.0.255 echo
    20 permit icmp 28.119.16.0 0.0.0.255 204.12.1.0 0.0.0.255 echo-reply

Thanks

Victor.

  _____

From: Jai Prakash [mailto:jpjsr06@gmail.com]
Sent: Saturday, 27 May 2006 02:18 a.m.
To: Victor Cappuccio
CC: GroupStudy CCIE
Subject: Re: Q: Vlans Maps

Hello Victor,

  For quick verification, can you try the ACL without the "echo" keyword and
test?

  If it works, then use two ACL statements, i.e.

 Rack1Sw1#show access-list
Extended IP access list ACES-TASK
   10 permit icmp 28.119.16.0 0.0.0.255 204.12.1.0 0.0.0.255 echo
   20 permit icmp 28.119.16.0 0.0.0.255 204.12.1.0 0.0.0.255 echo-reply

and test again.

Best Regards,

Jai

On 5/27/06, Victor Cappuccio <cvictor@protokolgroup.com> wrote:

Hello Jai,

Sorry, I posted the incorrect pings.

These are the correct ones:

BB3#ping 204.12.1.0 source 28.119.16.1   !!NOT 17
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 204.12.1.0, timeout is 2 seconds:
Packet sent with a source address of 28.119.16.1
Reply to request 0 from 204.12.1.6, 4 ms
Reply to request 0 from 204.12.1.2, 4 ms

BB3#ping 204.12.1.255 source 28.119.16.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 204.12.1.255, timeout is 2 seconds:
Packet sent with a source address of 28.119.16.1
Reply to request 0 from 204.12.1.6, 4 ms
Reply to request 0 from 204.12.1.2, 8 ms

  _____

From: Jai Prakash [mailto:jpjsr06@gmail.com]
Sent: Saturday, 27 May 2006 01:50 a.m.
To: Victor Cappuccio
CC: GroupStudy CCIE
Subject: Re: Q: Vlans Maps

Hi,

  Please check your ACCESS-LIST statement, which is mapping only a single
network, i.e. 28.119.16.0/24.

Extended IP access list ACES-TASK
   10 permit icmp 28.119.16.0 0.0.0.255 204.12.1.0 0.0.0.255 echo

If you want to see the same result from the 28.119.17.0/24 network, you have to
change the subnet mask to 0.0.1.255.

Correct me if I'm wrong.

Best Regards,

Jai

On 5/27/06, Victor Cappuccio <cvictor@protokolgroup.com> wrote:

Hello Guys,

Playing with VLAN maps and having this problem:

Routers 2, 6 and BB3 are in the same VLAN, and the requirement is to do a VLAN
map to filter ICMP echoes from a given source address.

So I found this:

BB3#ping 204.12.1.2 source 28.119.16.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 204.12.1.2, timeout is 2 seconds:
Packet sent with a source address of 28.119.16.1
.....
Success rate is 0 percent (0/5)

!!! Ok, seems that the ACE is doing the work :)

!!! But
BB3#ping 204.12.1.255 source 28.119.17.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 204.12.1.255, timeout is 2 seconds:
Packet sent with a source address of 28.119.17.1

Reply to request 0 from 204.12.1.6, 16 ms
Reply to request 0 from 204.12.1.2, 20 ms

!!! These 2 routers are in the same VLAN that the router is attached to

!!!! Or if you ping the network address:

BB3#ping 204.12.1.0 source 28.119.17.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 204.12.1.0, timeout is 2 seconds:
Packet sent with a source address of 28.119.17.1

Reply to request 0 from 204.12.1.6, 4 ms
Reply to request 0 from 204.12.1.2, 4 ms

With this configuration:

Rack1Sw1#show vlan filter
VLAN Map TEST is filtering VLANs:
263
Rack1Sw1#
Rack1Sw1#show vlan access TEST
Vlan access-map "TEST" 10
Match clauses:
   ip address: ACES-TASK
Action:
   drop
Vlan access-map "TEST" 20
Match clauses:
Action:
   forward
Rack1Sw1#
Rack1Sw1#show access-list
Extended IP access list ACES-TASK
   10 permit icmp 28.119.16.0 0.0.0.255 204.12.1.0 0.0.0.255 echo
Rack1Sw1#

Could anyone please tell me WHY the echoes sent to the network or to the
broadcast address are getting an echo-reply, while if you ping the interface
addresses (or any host address) they are access-controlled by the VLAN
filter?

Thanks
Victor.
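An added example (not from the thread and not Cisco code) that models, in Python, the wildcard-mask matching and the sequence-ordered VLAN access-map "TEST" shown above, so the posted pings can be checked against it: the 0.0.0.255 wildcard only covers 28.119.16.0/24, so a source of 28.119.17.1 falls through to sequence 20 and is forwarded, while the 0.0.1.255 wildcard Jai suggests covers both 28.119.16.0/24 and 28.119.17.0/24; the echo-only ACE also never matches the replies. The Ace/Packet names, the ACL variants and the "implicit drop when no sequence matches" fallback are assumptions of this model, not configuration from the thread.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco ACL wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


@dataclass(frozen=True)
class Ace:  # one 'permit icmp <src> <wc> <dst> <wc> <icmp-type>' line (assumed model)
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    icmp_type: str


@dataclass(frozen=True)
class Packet:  # constructed test packet: "echo" or "echo-reply"
    src: str
    dst: str
    icmp_type: str


def acl_permits(acl: list[Ace], pkt: Packet) -> bool:
    """Extended ACL used as a VLAN-map match clause: any permit line matching wins."""
    return any(
        wildcard_match(pkt.src, e.src, e.src_wc)
        and wildcard_match(pkt.dst, e.dst, e.dst_wc)
        and pkt.icmp_type == e.icmp_type
        for e in acl
    )


# VLAN access-map "TEST" from the thread: seq 10 drops ACES-TASK matches,
# seq 20 has no match clause and therefore forwards everything else.
TEST_MAP = [(10, "ACES-TASK", "drop"), (20, None, "forward")]


def vlan_map_action(pkt: Packet, acl: list[Ace], vmap=TEST_MAP) -> str:
    for _seq, acl_name, action in vmap:  # entries are evaluated in sequence order
        if acl_name is None or acl_permits(acl, pkt):
            return action
    return "drop"  # no entry matched: assumed implicit drop at end of the map


# ACL variants discussed in the thread (constructed from the posted show output).
ACL_ORIGINAL = [Ace("28.119.16.0", "0.0.0.255", "204.12.1.0", "0.0.0.255", "echo")]
ACL_WIDER = [Ace("28.119.16.0", "0.0.1.255", "204.12.1.0", "0.0.0.255", "echo")]
ACL_BOTH_WAYS = ACL_ORIGINAL + [
    Ace("28.119.16.0", "0.0.0.255", "204.12.1.0", "0.0.0.255", "echo-reply")]
```

Note that a reply travelling from 204.12.1.2 back to 28.119.16.1 has its source and destination reversed relative to the ACEs, which the model makes visible when you evaluate it against ACL_BOTH_WAYS.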



This archive was generated by hypermail 2.1.4 : Thu Jun 01 2006 - 06:33:22 ART