While doing a vol2 lab I got stumped by one of the tasks in the lab.
The task was to filter ICMP packets coming from the backbone destined
to a network on the internal routers. The topology looks like this.
We need to filter ICMP packets from BB2 but we may not apply this on
R1 and/or R6. We are of course not allowed to do any changes in the
backbone either. So what is left? We have an Ethernet segment connecting
the routers together, they are all connected to a switch. This means
that we can apply a VLAN filter. VLAN filters are good for filtering
traffic that does not leave the VLAN. For traffic crossing network
boundaries we can use regular ACL’s but they won’t work for intra VLAN
The configuration is pretty straight forward and has a lot of resemblance
to a route-map. First we create a VLAN access-map.
We want to drop traffic when there is a match in access-list 100. If there is
not a match permit the traffic.
Then we create the access-list.
The 184.108.40.206/24 network is one of the backbone networks but the addressing is
not what’s important here.
Then we need to apply the filter to the VLANs that should be filtered.
We have a few show commands that will show us what filters are in use.
In this configuration we permitted the traffic that should be dropped in an ACL. Could we
have done the reverse? An alternate solution is to make an action of forward and then
deny the ICMP traffic. Lets look at this.
The logic is reversed here. We forward only certain traffic and drop the rest. We also
need to modify ACL 100.
ICMP from 220.127.116.11 will be denied and all IP allowed, should work like a charm right?
And it might, for a while… There’s a pitfall in this configuration, we have allowed
all IP but there is one other quite important protocol used in Ethernet segments. We
use it when we know the IP address of a host but need to find out the MAC address. Yes,
it is ARP. With this ACL all ARP will be dropped. Some traffic might go through due to
that we have entries in the cache but as soon as they time out there will be a problem.
If we need to allow ARP we can do that by creating a MAC access-list.
So now you know how to filter traffic within a VLAN. There is almost always more than
one solution but we need to be careful when thinking through alternate solutions.