From: Andrew Harris (andharri) (andharri@cisco.com)
Date: Wed Dec 12 2007 - 05:14:19 ART
Ahh I see now!
Thanks
Andy
________________________________
From: shiran guez [mailto:shiranp3@gmail.com]
Sent: 12 December 2007 08:09
To: Andrew Harris (andharri)
Cc: ccielab@groupstudy.com
Subject: Re: VLAN Access Maps for IP Traffic Filtering
You need to add "permit tcp any eq telnet any".
As you have a client and a server, one time the client sends from a random
source port to server port 23, and in the other direction the server sends
from source port 23 to the random port of the client, as it is a two-way
communication.
On Dec 12, 2007 9:58 AM, Andrew Harris (andharri) <andharri@cisco.com> wrote:
Hey,
I am following the Internetwork Expert Lab books, and I am currently doing
the Switching one.
The scenario is two switches and 3 routers all in the same VLAN. I am to
use VLAN filtering to allow only ICMP Echo, Telnet and OSPF.
Here is the topology:
R1 --------- SW1 ============ SW2 ----------- R4
                                  ----------- R6
I have the following config on both switches:
vlan access-map VLAN146 10
action forward
match ip address 100
vlan filter VLAN146 vlan-list 146
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit tcp any any eq telnet
access-list 100 permit ospf any any
access-list 100 deny ip any any
I can ping correctly from all routers to every other, and it will block
port 80, traceroute etc. But I cannot establish a Telnet TCP session.
Here is some debug from R6 and R1
R6:
*Mar 1 14:31:49.197: IP: tableid=0, s=155.1.146.6 (local), d=155.1.146.1 (Ethernet0/0), routed via FIB
*Mar 1 14:31:49.197: IP: s=155.1.146.6 (local), d=155.1.146.1 (Ethernet0/0), len 44, sending
*Mar 1 14:31:49.197: TCP src=16721, dst=23, seq=146867241, ack=0, win=4128 SYN
*Mar 1 14:31:51.200: IP: tableid=0, s=155.1.146.6 (local), d=155.1.146.1 (Ethernet0/0), routed via FIB
*Mar 1 14:31:51.200: IP: s=155.1.146.6 (local), d=155.1.146.1 (Ethernet0/0), len 44, sending
*Mar 1 14:31:51.200: TCP src=16721, dst=23, seq=146867241, ack=0, win=4128 SYN
*Mar 1 14:31:55.203: IP: tableid=0, s=155.1.146.6 (local), d=155.1.146.1 (Ethernet0/0), routed via FIB
*Mar 1 14:31:55.203: IP: s=155.1.146.6 (local), d=155.1.146.1 (Ethernet0/0), len 44, sending
*Mar 1 14:31:55.203: TCP src=16721, dst=23, seq=146867241, ack=0, win=4128 SYN
*Mar 1 14:32:03.204: IP: tableid=0, s=155.1.146.6 (local), d=155.1.146.1 (Ethernet0/0), routed via FIB
*Mar 1 14:32:03.204: IP: s=155.1.146.6 (local), d=155.1.146.1 (Ethernet0/0), len 44, sending
*Mar 1 14:32:03.204: TCP src=16721, dst=23, seq=146867241, ack=0, win=4128 SYN
R1:
*Dec 12 07:58:46.608: IP: tableid=0, s=155.1.146.1 (local), d=155.1.146.6 (FastEthernet0/0), routed via FIB
*Dec 12 07:58:46.608: IP: s=155.1.146.1 (local), d=155.1.146.6 (FastEthernet0/0), len 44, sending
*Dec 12 07:58:46.608: TCP src=23, dst=16721, seq=2709196043, ack=146867242, win=4128 ACK SYN
*Dec 12 07:58:46.612: IP: tableid=0, s=155.1.146.6 (FastEthernet0/0), d=155.1.146.1 (FastEthernet0/0), routed via RIB
*Dec 12 07:58:46.612: IP: s=155.1.146.6 (FastEthernet0/0), d=155.1.146.1 (FastEthernet0/0), len 44, rcvd 3
*Dec 12 07:58:46.612: TCP src=16721, dst=23, seq=146867241, ack=0, win=4128 SYN
*Dec 12 07:58:46.612: IP: tableid=0, s=155.1.146.1 (local), d=155.1.146.6 (FastEthernet0/0), routed via FIB
*Dec 12 07:58:46.612: IP: s=155.1.146.1 (local), d=155.1.146.6 (FastEthernet0/0), len 40, sending
*Dec 12 07:58:46.612: TCP src=23, dst=16721, seq=2709196043, ack=146867242, win=4128 ACK
*Dec 12 07:58:54.608: IP: tableid=0, s=155.1.146.1 (local), d=155.1.146.6 (FastEthernet0/0), routed via FIB
*Dec 12 07:58:54.608: IP: s=155.1.146.1 (local), d=155.1.146.6 (FastEthernet0/0), len 44, sending
*Dec 12 07:58:54.608: TCP src=23, dst=16721, seq=2709196043, ack=146867242, win=4128 ACK SYN
*Dec 12 07:58:54.612: IP: tableid=0, s=155.1.146.6 (FastEthernet0/0), d=155.1.146.1 (FastEthernet0/0), routed via RIB
*Dec 12 07:58:54.612: IP: s=155.1.146.6 (FastEthernet0/0), d=155.1.146.1 (FastEthernet0/0), len 44, rcvd 3
*Dec 12 07:58:54.612: TCP src=16721, dst=23, seq=146867241, ack=0, win=4128 SYN
*Dec 12 07:58:54.612: IP: tableid=0, s=155.1.146.1 (local), d=155.1.146.6 (FastEthernet0/0), routed via FIB
*Dec 12 07:58:54.612: IP: s=155.1.146.1 (local), d=155.1.146.6 (FastEthernet0/0), len 40, sending
*Dec 12 07:58:54.612: TCP src=23, dst=16721, seq=2709196043, ack=146867242, win=4128 ACK
It seems R1 is receiving the TCP SYN and sending back a SYN/ACK, but
nothing else seems to happen.
I assumed the "access-list 100 permit tcp any any eq telnet" command
permits the three-way handshake?
Thanks
Andy
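The following is an added example, not code from the thread or from Cisco. It models an IOS extended ACL as an ordered, first-match list with an implicit deny, exactly the stateless evaluation a VLAN access map performs on every frame in the VLAN regardless of direction, and runs the Telnet handshake from the R1 debug (R6 155.1.146.6 port 16721 to R1 155.1.146.1 port 23) through the posted access-list 100 and through the same list with the suggested "permit tcp any eq telnet any" added. The Packet and Entry classes, the helper names and the port-only matching are assumptions of this model; wildcard masks and other ACL operators are not modelled.

```python
"""Stateless ACL model for the Telnet handshake discussed in the thread.

Added example, not from the thread or from Cisco. Constructed packets use the
addresses and ports from the posted debug output.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                        # "tcp", "icmp" or "ospf"
    src: str
    dst: str
    sport: Optional[int] = None       # TCP source port
    dport: Optional[int] = None       # TCP destination port
    icmp_type: Optional[str] = None   # "echo" or "echo-reply"
    flags: str = ""                   # label only, e.g. "SYN", "SYN/ACK"


@dataclass(frozen=True)
class Entry:
    """One ACL line. proto 'ip' matches any protocol; None means 'any'."""
    action: str                       # "permit" or "deny"
    proto: str
    sport: Optional[int] = None       # 'eq' operator on the source port
    dport: Optional[int] = None       # 'eq' operator on the destination port
    icmp_type: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.icmp_type is not None and p.icmp_type != self.icmp_type:
            return False
        return True


def evaluate(acl: List[Entry], p: Packet) -> str:
    """First matching entry decides; an IOS ACL ends with an implicit deny."""
    for e in acl:
        if e.matches(p):
            return e.action
    return "deny"


def first_dropped(acl: List[Entry], packets: List[Packet]) -> Optional[str]:
    """Flags label of the first packet the ACL drops, or None if all pass."""
    for p in packets:
        if evaluate(acl, p) != "permit":
            return p.flags
    return None


TELNET = 23
R6, R1 = "155.1.146.6", "155.1.146.1"

# access-list 100 as posted in the thread
ORIGINAL_ACL = [
    Entry("permit", "icmp", icmp_type="echo"),
    Entry("permit", "icmp", icmp_type="echo-reply"),
    Entry("permit", "tcp", dport=TELNET),        # permit tcp any any eq telnet
    Entry("permit", "ospf"),
    Entry("deny", "ip"),
]

# Same list with the reply direction added, as suggested in the thread
FIXED_ACL = ORIGINAL_ACL[:3] + [
    Entry("permit", "tcp", sport=TELNET),        # permit tcp any eq telnet any
] + ORIGINAL_ACL[3:]

# The three handshake segments from the R1 debug, in the order they flow
HANDSHAKE = [
    Packet("tcp", R6, R1, sport=16721, dport=TELNET, flags="SYN"),
    Packet("tcp", R1, R6, sport=TELNET, dport=16721, flags="SYN/ACK"),
    Packet("tcp", R6, R1, sport=16721, dport=TELNET, flags="ACK"),
]

# ICMP echo and its reply, which the posted ACL already permits both ways
PING = [
    Packet("icmp", R6, R1, icmp_type="echo", flags="echo"),
    Packet("icmp", R1, R6, icmp_type="echo-reply", flags="echo-reply"),
]


def handshake_completes(acl: List[Entry]) -> bool:
    return first_dropped(acl, HANDSHAKE) is None


def ping_works(acl: List[Entry]) -> bool:
    return first_dropped(acl, PING) is None


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        print(f"{name}: handshake completes = {handshake_completes(acl)}, "
              f"first dropped = {first_dropped(acl, HANDSHAKE)}")
```

The model reproduces the debug: the SYN and the final ACK both carry destination port 23 and match the posted line, while the SYN/ACK carries source port 23 and destination port 16721, falls through to "deny ip any any" and never reaches R6, which is why R6 keeps retransmitting the SYN. The ICMP lines in the same ACL already follow the rule that a stateless filter must permit each direction explicitly (echo one way, echo-reply the other); the model shows that dropping the echo-reply line breaks ping the same way the missing Telnet return line breaks the handshake.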
This archive was generated by hypermail 2.1.4 : Tue Jan 01 2008 - 12:04:30 ARST