RE: VLAN Access Maps for IP Traffic Filtering

From: Scott Morris (smorris@ipexpert.com)
Date: Wed Dec 12 2007 - 11:33:45 ART


Being that it's a VLAN access filter (e.g. a "directionless" filter in the
middle) you need to permit traffic going either direction in order to
actually establish a connection. So what does your return traffic look
like?

Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE-M
#153, JNCIS-ER, CISSP, et al.
CCSI/JNCI-M/JNCI-ER
VP - Technical Training - IPexpert, Inc.
IPexpert Sr. Technical Instructor

A Cisco Learning Partner - We Accept Learning Credits!

smorris@ipexpert.com

Telephone: +1.810.326.1444
Fax: +1.810.454.0130
http://www.ipexpert.com

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Andrew Harris (andharri)
Sent: Wednesday, December 12, 2007 2:59 AM
To: ccielab@groupstudy.com
Subject: VLAN Access Maps for IP Traffic Filtering

Hey,

I am following the Internetwork Expert Labooks, and I am currently doing the
Switching one.

The scenario is two switches and 3 routers all in the same VLAN. I am to use
VLAN filtering to allow only ICMP Echo, Telnet and OSPF.

Here is the topology:

R1 --------- SW1 ============ SW2 ----------- R4
                                                         ------------ R6

I have the following config on both switches:

vlan access-map VLAN146 10
 action forward
 match ip address 100
vlan filter VLAN146 vlan-list 146

access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit tcp any any eq telnet
access-list 100 permit ospf any any
access-list 100 deny ip any any

I can ping correctly from all routers to every other, and it will block port
80, traceroute etc. But I cannot establish a Telnet TCP session.

Here is some debug from R6 and R1

R6;

*Mar 1 14:31:49.197: IP: tableid=0, s=155.1.146.6 (local), d=155.1.146.1 (Ethernet0/0), routed via FIB
*Mar 1 14:31:49.197: IP: s=155.1.146.6 (local), d=155.1.146.1 (Ethernet0/0), len 44, sending
*Mar 1 14:31:49.197: TCP src=16721, dst=23, seq=146867241, ack=0, win=4128 SYN
*Mar 1 14:31:51.200: IP: tableid=0, s=155.1.146.6 (local), d=155.1.146.1 (Ethernet0/0), routed via FIB
*Mar 1 14:31:51.200: IP: s=155.1.146.6 (local), d=155.1.146.1 (Ethernet0/0), len 44, sending
*Mar 1 14:31:51.200: TCP src=16721, dst=23, seq=146867241, ack=0, win=4128 SYN
*Mar 1 14:31:55.203: IP: tableid=0, s=155.1.146.6 (local), d=155.1.146.1 (Ethernet0/0), routed via FIB
*Mar 1 14:31:55.203: IP: s=155.1.146.6 (local), d=155.1.146.1 (Ethernet0/0), len 44, sending
*Mar 1 14:31:55.203: TCP src=16721, dst=23, seq=146867241, ack=0, win=4128 SYN
*Mar 1 14:32:03.204: IP: tableid=0, s=155.1.146.6 (local), d=155.1.146.1 (Ethernet0/0), routed via FIB
*Mar 1 14:32:03.204: IP: s=155.1.146.6 (local), d=155.1.146.1 (Ethernet0/0), len 44, sending
*Mar 1 14:32:03.204: TCP src=16721, dst=23, seq=146867241, ack=0, win=4128 SYN

R1:

*Dec 12 07:58:46.608: IP: tableid=0, s=155.1.146.1 (local), d=155.1.146.6 (FastEthernet0/0), routed via FIB
*Dec 12 07:58:46.608: IP: s=155.1.146.1 (local), d=155.1.146.6 (FastEthernet0/0), len 44, sending
*Dec 12 07:58:46.608: TCP src=23, dst=16721, seq=2709196043, ack=146867242, win=4128 ACK SYN
*Dec 12 07:58:46.612: IP: tableid=0, s=155.1.146.6 (FastEthernet0/0), d=155.1.146.1 (FastEthernet0/0), routed via RIB
*Dec 12 07:58:46.612: IP: s=155.1.146.6 (FastEthernet0/0), d=155.1.146.1 (FastEthernet0/0), len 44, rcvd 3
*Dec 12 07:58:46.612: TCP src=16721, dst=23, seq=146867241, ack=0, win=4128 SYN
*Dec 12 07:58:46.612: IP: tableid=0, s=155.1.146.1 (local), d=155.1.146.6 (FastEthernet0/0), routed via FIB
*Dec 12 07:58:46.612: IP: s=155.1.146.1 (local), d=155.1.146.6 (FastEthernet0/0), len 40, sending
*Dec 12 07:58:46.612: TCP src=23, dst=16721, seq=2709196043, ack=146867242, win=4128 ACK
*Dec 12 07:58:54.608: IP: tableid=0, s=155.1.146.1 (local), d=155.1.146.6 (FastEthernet0/0), routed via FIB
*Dec 12 07:58:54.608: IP: s=155.1.146.1 (local), d=155.1.146.6 (FastEthernet0/0), len 44, sending
*Dec 12 07:58:54.608: TCP src=23, dst=16721, seq=2709196043, ack=146867242, win=4128 ACK SYN
*Dec 12 07:58:54.612: IP: tableid=0, s=155.1.146.6 (FastEthernet0/0), d=155.1.146.1 (FastEthernet0/0), routed via RIB
*Dec 12 07:58:54.612: IP: s=155.1.146.6 (FastEthernet0/0), d=155.1.146.1 (FastEthernet0/0), len 44, rcvd 3
*Dec 12 07:58:54.612: TCP src=16721, dst=23, seq=146867241, ack=0, win=4128 SYN
*Dec 12 07:58:54.612: IP: tableid=0, s=155.1.146.1 (local), d=155.1.146.6 (FastEthernet0/0), routed via FIB
*Dec 12 07:58:54.612: IP: s=155.1.146.1 (local), d=155.1.146.6 (FastEthernet0/0), len 40, sending
*Dec 12 07:58:54.612: TCP src=23, dst=16721, seq=2709196043, ack=146867242, win=4128 ACK

It seems R1 is receiving the TCP SYN, and sending back a SYN/ACK. But
nothing else seems to happen.

I assumed the "access-list 100 permit tcp any any eq telnet" command permits
the three-way handshake?

Thanks

Andy
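The following is an added example, not part of either message in the thread. It models the relevant subset of Cisco IOS extended-ACL semantics (first match wins, implicit deny at the end, "ip" matching any protocol, "eq" matching a single port) and runs the handshake packets from the R1/R6 debug output through the ACL exactly as posted, then through a copy with one extra entry, "access-list 100 permit tcp any eq telnet any", which is the return-path permit Scott's reply points at. The addresses, ports and flags come from the debug lines; the parser, the evaluator, the third (client ACK) packet and the fix are this example's own assumptions, and it models a single ACL pass even though the filter is applied on both switches.

```python
"""Directionless VLAN filter check: does the posted ACL let a Telnet handshake complete?

Added example (not from the thread). Models a small subset of IOS extended ACLs:
'access-list N permit|deny PROTO any [eq PORT] any [eq PORT] [ICMP-TYPE]'.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"telnet": 23, "www": 80}   # name-to-number table used by the parser


@dataclass(frozen=True)
class Packet:
    proto: str                        # "tcp", "icmp", "ospf"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    flags: str = ""                   # TCP flags as printed by 'debug ip packet'
    icmp_type: Optional[str] = None   # e.g. "echo", "echo-reply"


@dataclass(frozen=True)
class Ace:
    action: str                       # "permit" | "deny"
    proto: str                        # "ip" matches every protocol
    sport: Optional[int]              # None = any source port
    dport: Optional[int]              # None = any destination port
    icmp_type: Optional[str]
    text: str                         # original line, reported on match


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse_ace(line: str) -> Ace:
    """Parse one numbered-ACL line; only 'any' addresses are modelled here."""
    toks = line.split()
    if toks[0] != "access-list" or toks[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line}")
    action, proto, rest = toks[2], toks[3], toks[4:]

    def take_addr_port(rest: List[str]) -> Tuple[Optional[int], List[str]]:
        if rest[0] != "any":
            raise ValueError("this model only understands 'any' addresses")
        rest, port = rest[1:], None
        if rest and rest[0] == "eq":            # 'eq PORT' belongs to the address just read
            port, rest = _port(rest[1]), rest[2:]
        return port, rest

    sport, rest = take_addr_port(rest)
    dport, rest = take_addr_port(rest)
    icmp_type = rest[0] if rest else None       # trailing token is an ICMP type, if any
    return Ace(action, proto, sport, dport, icmp_type, line)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.sport is not None and pkt.sport != ace.sport:
        return False
    if ace.dport is not None and pkt.dport != ace.dport:
        return False
    if ace.icmp_type is not None and pkt.icmp_type != ace.icmp_type:
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, str]:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action, ace.text
    return "deny", "implicit deny"


# ACL exactly as posted in the thread.
POSTED_ACL = [
    "access-list 100 permit icmp any any echo",
    "access-list 100 permit icmp any any echo-reply",
    "access-list 100 permit tcp any any eq telnet",
    "access-list 100 permit ospf any any",
    "access-list 100 deny ip any any",
]
# Assumed fix: also permit packets whose *source* port is telnet (the server's replies).
FIXED_ACL = POSTED_ACL[:3] + ["access-list 100 permit tcp any eq telnet any"] + POSTED_ACL[3:]

# Packets 1 and 2 are taken from the debug output; packet 3 is the client ACK that
# R6 would send once it saw the SYN/ACK (constructed, it never appears in the capture).
HANDSHAKE = [
    Packet("tcp", "155.1.146.6", "155.1.146.1", 16721, 23, "SYN"),
    Packet("tcp", "155.1.146.1", "155.1.146.6", 23, 16721, "ACK SYN"),
    Packet("tcp", "155.1.146.6", "155.1.146.1", 16721, 23, "ACK"),
]


def trace_handshake(acl_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (flags, action, matched entry) for each handshake packet."""
    acl = [parse_ace(line) for line in acl_lines]
    return [(pkt.flags, *evaluate(acl, pkt)) for pkt in HANDSHAKE]


def handshake_completes(acl_lines: List[str]) -> bool:
    return all(action == "permit" for _, action, _ in trace_handshake(acl_lines))


if __name__ == "__main__":
    for name, acl in (("posted", POSTED_ACL), ("with return-path permit", FIXED_ACL)):
        print(f"--- {name} ACL: handshake completes = {handshake_completes(acl)}")
        for flags, action, text in trace_handshake(acl):
            print(f"  {flags:8s} {action:6s} <- {text}")
```

Running it shows the SYN (dst 23) permitted by the third entry and the SYN/ACK (src 23, dst 16721) falling through to "deny ip any any", which is exactly what the two debugs show: R1 keeps answering, R6 never sees the answer and retransmits. The added entry is a stateless match on source port 23, so it passes any packet sourced from that port regardless of connection state; that is the inherent trade-off of filtering a bidirectional flow with a VACL rather than a stateful device.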



This archive was generated by hypermail 2.1.4 : Tue Jan 01 2008 - 12:04:30 ARST