VLAN Access Maps for IP Traffic Filtering

From: Andrew Harris (andharri) (andharri@cisco.com)
Date: Wed Dec 12 2007 - 04:58:40 ART


Hey,

I am following the Internetwork Expert Labooks, and I am currently doing
the Switching one.

The scenario is two switches and 3 routers all in the same VLAN. I am to
use VLAN filtering to allow only ICMP Echo, Telnet and OSPF.

Here is the topology:

R1 --------- SW1 ============ SW2 ----------- R4
                                                         ------------ R6

I have the following config on both switches:

vlan access-map VLAN146 10
 action forward
 match ip address 100
vlan filter VLAN146 vlan-list 146

access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit tcp any any eq telnet
access-list 100 permit ospf any any
access-list 100 deny ip any any

I can ping correctly from all routers to every other, and it will block
port 80, traceroute etc. But I cannot establish a Telnet TCP session.

Here is some debug from R6 and R1

R6:

*Mar 1 14:31:49.197: IP: tableid=0, s=155.1.146.6 (local),
d=155.1.146.1 (Ethernet0/0), routed via FIB
*Mar 1 14:31:49.197: IP: s=155.1.146.6 (local), d=155.1.146.1
(Ethernet0/0), len 44, sending
*Mar 1 14:31:49.197: TCP src=16721, dst=23, seq=146867241, ack=0,
win=4128 SYN
*Mar 1 14:31:51.200: IP: tableid=0, s=155.1.146.6 (local),
d=155.1.146.1 (Ethernet0/0), routed via FIB
*Mar 1 14:31:51.200: IP: s=155.1.146.6 (local), d=155.1.146.1
(Ethernet0/0), len 44, sending
*Mar 1 14:31:51.200: TCP src=16721, dst=23, seq=146867241, ack=0,
win=4128 SYN
*Mar 1 14:31:55.203: IP: tableid=0, s=155.1.146.6 (local),
d=155.1.146.1 (Ethernet0/0), routed via FIB
*Mar 1 14:31:55.203: IP: s=155.1.146.6 (local), d=155.1.146.1
(Ethernet0/0), len 44, sending
*Mar 1 14:31:55.203: TCP src=16721, dst=23, seq=146867241, ack=0,
win=4128 SYN
*Mar 1 14:32:03.204: IP: tableid=0, s=155.1.146.6 (local),
d=155.1.146.1 (Ethernet0/0), routed via FIB
*Mar 1 14:32:03.204: IP: s=155.1.146.6 (local), d=155.1.146.1
(Ethernet0/0), len 44, sending
*Mar 1 14:32:03.204: TCP src=16721, dst=23, seq=146867241, ack=0,
win=4128 SYN

R1:

*Dec 12 07:58:46.608: IP: tableid=0, s=155.1.146.1 (local),
d=155.1.146.6 (FastEthernet0/0), routed via FIB
*Dec 12 07:58:46.608: IP: s=155.1.146.1 (local), d=155.1.146.6
(FastEthernet0/0), len 44, sending
*Dec 12 07:58:46.608: TCP src=23, dst=16721, seq=2709196043,
ack=146867242, win=4128 ACK SYN
*Dec 12 07:58:46.612: IP: tableid=0, s=155.1.146.6 (FastEthernet0/0),
d=155.1.146.1 (FastEthernet0/0), routed via RIB
*Dec 12 07:58:46.612: IP: s=155.1.146.6 (FastEthernet0/0), d=155.1.146.1
(FastEthernet0/0), len 44, rcvd 3
*Dec 12 07:58:46.612: TCP src=16721, dst=23, seq=146867241, ack=0,
win=4128 SYN
*Dec 12 07:58:46.612: IP: tableid=0, s=155.1.146.1 (local),
d=155.1.146.6 (FastEthernet0/0), routed via FIB
*Dec 12 07:58:46.612: IP: s=155.1.146.1 (local), d=155.1.146.6
(FastEthernet0/0), len 40, sending
*Dec 12 07:58:46.612: TCP src=23, dst=16721, seq=2709196043,
ack=146867242, win=4128 ACK
*Dec 12 07:58:54.608: IP: tableid=0, s=155.1.146.1 (local),
d=155.1.146.6 (FastEthernet0/0), routed via FIB
*Dec 12 07:58:54.608: IP: s=155.1.146.1 (local), d=155.1.146.6
(FastEthernet0/0), len 44, sending
*Dec 12 07:58:54.608: TCP src=23, dst=16721, seq=2709196043,
ack=146867242, win=4128 ACK SYN
*Dec 12 07:58:54.612: IP: tableid=0, s=155.1.146.6 (FastEthernet0/0),
d=155.1.146.1 (FastEthernet0/0), routed via RIB
*Dec 12 07:58:54.612: IP: s=155.1.146.6 (FastEthernet0/0), d=155.1.146.1
(FastEthernet0/0), len 44, rcvd 3
*Dec 12 07:58:54.612: TCP src=16721, dst=23, seq=146867241, ack=0,
win=4128 SYN
*Dec 12 07:58:54.612: IP: tableid=0, s=155.1.146.1 (local),
d=155.1.146.6 (FastEthernet0/0), routed via FIB
*Dec 12 07:58:54.612: IP: s=155.1.146.1 (local), d=155.1.146.6
(FastEthernet0/0), len 40, sending
*Dec 12 07:58:54.612: TCP src=23, dst=16721, seq=2709196043,
ack=146867242, win=4128 ACK

It seems R1 is receiving the TCP SYN, and sending back a SYN/ACK. But
nothing else seems to happen.

I assumed the "access-list 100 permit tcp any any eq telnet" command
permits the three-way handshake?

Thanks

Andy
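An added Python model of how ACL 100 is evaluated against the three TCP debug lines above (this is example code, not part of Andy's post or of IOS). It applies IOS first-match semantics to the ACL exactly as posted, and then to a variant with an extra rule for replies sourced from port 23; that extra rule is an assumption for illustration, not something the post configures.

```python
import re

# ACL 100 as configured in the post, modelled as (action, proto, src_port, dst_port).
# None means "any"; note that the posted ACL only ever qualifies the destination port.
ACL_100 = [
    ("permit", "icmp", None, None),   # echo / echo-reply (ICMP type not modelled here)
    ("permit", "tcp",  None, 23),     # permit tcp any any eq telnet
    ("permit", "ospf", None, None),
    ("deny",   "ip",   None, None),
]

# Assumed variant (not from the post): additionally permit telnet replies,
# which carry source port 23 and an arbitrary destination port.
ACL_100_WITH_REPLY = ACL_100[:2] + [("permit", "tcp", 23, None)] + ACL_100[2:]

# Constructed sample lines, copied in shape from the R6 and R1 debug output.
DEBUG_LINES = [
    "*Mar 1 14:31:49.197: TCP src=16721, dst=23, seq=146867241, ack=0, win=4128 SYN",
    "*Dec 12 07:58:46.608: TCP src=23, dst=16721, seq=2709196043, ack=146867242, win=4128 ACK SYN",
    "*Dec 12 07:58:46.612: TCP src=23, dst=16721, seq=2709196043, ack=146867242, win=4128 ACK",
]

TCP_RE = re.compile(r"TCP src=(\d+), dst=(\d+), .*win=\d+ (.+)$")

def parse_tcp(line):
    """Extract source port, destination port and flags from one 'debug ip packet' TCP line."""
    m = TCP_RE.search(line)
    if not m:
        return None
    return {"proto": "tcp", "sport": int(m.group(1)),
            "dport": int(m.group(2)), "flags": m.group(3)}

def evaluate(acl, pkt):
    """Return the action of the first ACL entry that matches the packet (IOS first-match)."""
    for action, proto, sport, dport in acl:
        if proto not in ("ip", pkt["proto"]):
            continue
        if sport is not None and sport != pkt["sport"]:
            continue
        if dport is not None and dport != pkt["dport"]:
            continue
        return action
    return "deny"  # implicit deny at the end of every IOS ACL

def audit(acl, lines):
    """Map each TCP debug line's flags to the verdict, e.g. {'SYN': 'permit', 'ACK SYN': 'deny'}."""
    return {p["flags"]: evaluate(acl, p) for p in map(parse_tcp, lines) if p}

if __name__ == "__main__":
    for name, acl in (("as posted", ACL_100), ("with reply rule", ACL_100_WITH_REPLY)):
        print(name, audit(acl, DEBUG_LINES))
```

With the ACL as posted only the client's SYN (dst=23) is permitted; the SYN/ACK and ACK from R1 carry port 23 as the source and fall through to the deny, which is what the debug output shows.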



This archive was generated by hypermail 2.1.4 : Tue Jan 01 2008 - 12:04:30 ARST