From: shiran guez (shiranp3@gmail.com)
Date: Wed Dec 12 2007 - 05:09:08 ART
You need to add permit tcp any eq telnet any,
as you have a client and a server: one time the client sends from a random source
port to server port 23, and in the other direction the server sends from source
port 23 to a random port of the client, as it is a 2-way communication.
On Dec 12, 2007 9:58 AM, Andrew Harris (andharri) <andharri@cisco.com>
wrote:
> Hey,
>
> I am following the Internetwork Expert Lab books, and I am currently doing
> the Switching one.
>
> The scenario is two switches and 3 routers all in the same VLAN. I am to
> use VLAN filtering to allow only ICMP Echo, Telnet and OSPF.
>
> Here is the topology:
>
>
>
> R1 --------- SW1 ============ SW2 ----------- R4
> ------------ R6
>
> I have the following config on both switches:
>
> vlan access-map VLAN146 10
> action forward
> match ip address 100
> vlan filter VLAN146 vlan-list 146
>
> access-list 100 permit icmp any any echo
> access-list 100 permit icmp any any echo-reply
> access-list 100 permit tcp any any eq telnet
> access-list 100 permit ospf any any
> access-list 100 deny ip any any
>
>
> I can ping correctly from all routers to every other, and it will block
> port 80, traceroute etc. But I cannot establish a Telnet TCP session.
>
> Here is some debug from R6 and R1
>
> R6:
>
> *Mar 1 14:31:49.197: IP: tableid=0, s=155.1.146.6 (local),
> d=155.1.146.1 (Ethernet0/0), routed via FIB
> *Mar 1 14:31:49.197: IP: s=155.1.146.6 (local), d=155.1.146.1
> (Ethernet0/0), len 44, sending
> *Mar 1 14:31:49.197: TCP src=16721, dst=23, seq=146867241, ack=0,
> win=4128 SYN
> *Mar 1 14:31:51.200: IP: tableid=0, s=155.1.146.6 (local),
> d=155.1.146.1 (Ethernet0/0), routed via FIB
> *Mar 1 14:31:51.200: IP: s=155.1.146.6 (local), d=155.1.146.1
> (Ethernet0/0), len 44, sending
> *Mar 1 14:31:51.200: TCP src=16721, dst=23, seq=146867241, ack=0,
> win=4128 SYN
> *Mar 1 14:31:55.203: IP: tableid=0, s=155.1.146.6 (local),
> d=155.1.146.1 (Ethernet0/0), routed via FIB
> *Mar 1 14:31:55.203: IP: s=155.1.146.6 (local), d=155.1.146.1
> (Ethernet0/0), len 44, sending
> *Mar 1 14:31:55.203: TCP src=16721, dst=23, seq=146867241, ack=0,
> win=4128 SYN
> *Mar 1 14:32:03.204: IP: tableid=0, s=155.1.146.6 (local),
> d=155.1.146.1 (Ethernet0/0), routed via FIB
> *Mar 1 14:32:03.204: IP: s=155.1.146.6 (local), d=155.1.146.1
> (Ethernet0/0), len 44, sending
> *Mar 1 14:32:03.204: TCP src=16721, dst=23, seq=146867241, ack=0,
> win=4128 SYN
>
> R1:
>
> *Dec 12 07:58:46.608: IP: tableid=0, s=155.1.146.1 (local),
> d=155.1.146.6 (FastEthernet0/0), routed via FIB
> *Dec 12 07:58:46.608: IP: s=155.1.146.1 (local), d=155.1.146.6
> (FastEthernet0/0), len 44, sending
> *Dec 12 07:58:46.608: TCP src=23, dst=16721, seq=2709196043,
> ack=146867242, win=4128 ACK SYN
> *Dec 12 07:58:46.612: IP: tableid=0, s=155.1.146.6 (FastEthernet0/0),
> d=155.1.146.1 (FastEthernet0/0), routed via RIB
> *Dec 12 07:58:46.612: IP: s=155.1.146.6 (FastEthernet0/0), d=155.1.146.1
> (FastEthernet0/0), len 44, rcvd 3
> *Dec 12 07:58:46.612: TCP src=16721, dst=23, seq=146867241, ack=0,
> win=4128 SYN
> *Dec 12 07:58:46.612: IP: tableid=0, s=155.1.146.1 (local),
> d=155.1.146.6 (FastEthernet0/0), routed via FIB
> *Dec 12 07:58:46.612: IP: s=155.1.146.1 (local), d=155.1.146.6
> (FastEthernet0/0), len 40, sending
> *Dec 12 07:58:46.612: TCP src=23, dst=16721, seq=2709196043,
> ack=146867242, win=4128 ACK
> *Dec 12 07:58:54.608: IP: tableid=0, s=155.1.146.1 (local),
> d=155.1.146.6 (FastEthernet0/0), routed via FIB
> *Dec 12 07:58:54.608: IP: s=155.1.146.1 (local), d=155.1.146.6
> (FastEthernet0/0), len 44, sending
> *Dec 12 07:58:54.608: TCP src=23, dst=16721, seq=2709196043,
> ack=146867242, win=4128 ACK SYN
> *Dec 12 07:58:54.612: IP: tableid=0, s=155.1.146.6 (FastEthernet0/0),
> d=155.1.146.1 (FastEthernet0/0), routed via RIB
> *Dec 12 07:58:54.612: IP: s=155.1.146.6 (FastEthernet0/0), d=155.1.146.1
> (FastEthernet0/0), len 44, rcvd 3
> *Dec 12 07:58:54.612: TCP src=16721, dst=23, seq=146867241, ack=0,
> win=4128 SYN
> *Dec 12 07:58:54.612: IP: tableid=0, s=155.1.146.1 (local),
> d=155.1.146.6 (FastEthernet0/0), routed via FIB
> *Dec 12 07:58:54.612: IP: s=155.1.146.1 (local), d=155.1.146.6
> (FastEthernet0/0), len 40, sending
> *Dec 12 07:58:54.612: TCP src=23, dst=16721, seq=2709196043,
> ack=146867242, win=4128 ACK
>
>
> It seems R1 is receiving the TCP SYN, and sending back a SYN/ACK. But
> nothing else seems to happen.
>
> I assumed the "access-list 100 permit tcp any any eq telnet" command
> permits the three-way handshake?
>
> Thanks
>
> Andy
>
-- Shiran Guez MCSE CCNP NCE1 http://cciep3.blogspot.com http://www.linkedin.com/in/cciep3
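
The stateless matching discussed in this thread, as an added example (not code from either poster): a simplified first-match model of access-list 100 evaluated against the SYN and SYN/ACK shown in the debug output. The names `Ace`, `Pkt`, `vacl_forwards` and the three list variants are assumptions made for illustration; the ICMP entries are left out because they never match TCP.

```python
from typing import NamedTuple, Optional

class Ace(NamedTuple):
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "ospf" or "ip" (any IP protocol)
    sport: Optional[int] = None  # None = any source port
    dport: Optional[int] = None  # None = any destination port

class Pkt(NamedTuple):
    proto: str
    sport: int
    dport: int

def vacl_forwards(acl, pkt):
    """Stateless lookup: forward only if the first matching ACE is a permit."""
    for ace in acl:
        if (ace.proto in ("ip", pkt.proto)
                and ace.sport in (None, pkt.sport)
                and ace.dport in (None, pkt.dport)):
            return ace.action == "permit"
    return False  # no entry matched: the packet is dropped

TELNET = 23
# access-list 100 as posted in the thread (ICMP lines omitted)
ORIGINAL = [
    Ace("permit", "tcp", dport=TELNET),  # permit tcp any any eq telnet
    Ace("permit", "ospf"),               # permit ospf any any
    Ace("deny", "ip"),                   # deny ip any any
]
RETURN_RULE = Ace("permit", "tcp", sport=TELNET)  # permit tcp any eq telnet any
FIXED = ORIGINAL[:1] + [RETURN_RULE] + ORIGINAL[1:]  # rule sits above the deny
APPENDED = ORIGINAL + [RETURN_RULE]                  # rule sits below the deny

# The two packets from the debug output
SYN = Pkt("tcp", 16721, 23)      # R6 -> R1, client to server
SYN_ACK = Pkt("tcp", 23, 16721)  # R1 -> R6, server back to client

def handshake_completes(acl):
    """Both directions must pass, since each packet is judged on its own."""
    return vacl_forwards(acl, SYN) and vacl_forwards(acl, SYN_ACK)

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("fixed", FIXED),
                      ("appended", APPENDED)):
        print(f"{name:9} SYN={vacl_forwards(acl, SYN)} "
              f"SYN/ACK={vacl_forwards(acl, SYN_ACK)}")
```

The `APPENDED` case shows that the return rule only helps when it sits above the explicit `deny ip any any`. Because the match is stateless, the return rule keys on source port 23 alone rather than on an established session.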