While doing a vol2 lab I got stumped by one of the tasks in the lab.
The task was to filter ICMP packets coming from the backbone destined
to a network on the internal routers. The topology looks like this.
We need to filter ICMP packets from BB2 but we may not apply this on
R1 and/or R6. We are of course not allowed to do any changes in the
backbone either. So what is left? We have an Ethernet segment connecting
the routers together, they are all connected to a switch. This means
that we can apply a VLAN filter (a VACL). VLAN filters are good for filtering
traffic that does not leave the VLAN. For traffic crossing network
boundaries we can use regular ACLs, but they won’t work for intra-VLAN
traffic.
The configuration is pretty straightforward and has a lot of resemblance
to a route-map. First we create a VLAN access-map.
Rack24SW2(config)#vlan access-map ICMP_FILTER 10
Rack24SW2(config-access-map)#action drop
Rack24SW2(config-access-map)#match ip address 100
Rack24SW2(config-access-map)#exit
Rack24SW2(config)#vlan access-map ICMP_FILTER 20
Rack24SW2(config-access-map)#action forward
Rack24SW2(config-access-map)#exit
We want to drop traffic when there is a match in access-list 100. If there is
no match, permit the traffic.
Then we create the access-list.
Rack24SW2(config)#access-list 100 permit icmp 205.90.31.0 0.0.0.255 any echo
The 205.90.31.0/24 network is one of the backbone networks but the addressing is
not what’s important here.
Then we need to apply the filter to the VLANs that should be filtered.
Rack24SW2(config)#vlan filter ICMP_FILTER vlan-list 162
We have a few show commands that will show us what filters are in use.
Rack24SW2#show vlan filter
VLAN Map ICMP_FILTER is filtering VLANs:
162
Rack24SW2#show vlan filter vlan 162
Vlan 162 has filter ICMP_FILTER.
Rack24SW2#show vlan filter access-map ICMP_FILTER
VLAN Map ICMP_FILTER is filtering VLANs:
162
In this configuration the ACL permits (that is, matches) the traffic that should be dropped. Could we
have done the reverse? An alternate solution is to use an action of forward and then
deny the ICMP traffic in the ACL. Let’s look at this.
Rack24SW2(config)#vlan access-map ICMP_FILTER 10
Rack24SW2(config-access-map)#action forward
Rack24SW2(config-access-map)#match ip address 100
Rack24SW2(config-access-map)#exit
Rack24SW2(config)#vlan access-map ICMP_FILTER 20
Rack24SW2(config-access-map)#action drop
Rack24SW2(config-access-map)#exit
The logic is reversed here. We forward only certain traffic and drop the rest. We also
need to modify ACL 100.
Rack24SW2(config)#access-list 100 deny icmp 205.90.31.0 0.0.0.255 any echo
Rack24SW2(config)#access-list 100 permit ip any any
ICMP from 205.90.31.0 will be denied and all other IP allowed, so it should work like a charm, right?
And it might, for a while… There’s a pitfall in this configuration: we have allowed
all IP, but there is one other quite important protocol used on Ethernet segments. We
use it when we know the IP address of a host but need to find out its MAC address. Yes,
it is ARP. ARP is not IP, so it never matches the IP access-list in clause 10, falls through
to clause 20 and is dropped. Some traffic might still go through because we have entries in
the ARP cache, but as soon as they time out there will be a problem.
If we need to allow ARP we can do that by creating a MAC access-list and matching it in a forward clause.
Rack24SW2(config)#mac access-list extended PERMIT_ARP
Rack24SW2(config-ext-macl)#permit any any 0x806 0x0
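To make the evaluation order concrete, here is a small model of how a VLAN access-map walks its clauses, written for this post and not taken from Cisco or the original lab. It is a simplified model of the semantics described above (first matching clause wins, a clause without a match clause matches everything, no match means drop, and an IP ACL can only match IP packets); the data structures, the sample frames and the host 205.90.31.1 are constructed for the example.

```python
# Added example (not from the original post): a simplified model of how a
# Cisco VLAN access-map evaluates a frame, showing why the "reversed" map
# drops ARP. Semantics follow the post and the quoted Cisco note; the data
# structures are our own.
import ipaddress

def ip_acl_permits(acl, pkt):
    # acl entries: (permit|deny, proto, src_net, icmp_type or None)
    # Explicit permit -> True; deny or no entry (implicit deny) -> False.
    for action, proto, src_net, icmp_type in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if pkt["src"] not in ipaddress.ip_network(src_net):
            continue
        if icmp_type is not None and pkt.get("icmp_type") != icmp_type:
            continue
        return action == "permit"
    return False

def mac_acl_permits(acl, frame):
    # acl entries: (permit|deny, ethertype)
    for action, ethertype in acl:
        if ethertype == frame["ethertype"]:
            return action == "permit"
    return False

def evaluate_vacl(access_map, frame):
    # access_map: (seq, action, match); match is None, ("ip", acl) or
    # ("mac", acl). First clause whose match permits the frame wins; a
    # clause with no match clause matches everything; no match -> drop.
    is_ip = frame["ethertype"] == 0x0800
    for _seq, action, match in sorted(access_map, key=lambda c: c[0]):
        if match is None:
            return action
        kind, acl = match
        if kind == "ip" and is_ip and ip_acl_permits(acl, frame):
            return action
        if kind == "mac" and mac_acl_permits(acl, frame):
            return action
    return "drop"

# Constructed sample traffic from the post's backbone network.
ECHO = {"ethertype": 0x0800, "proto": "icmp", "icmp_type": 8,
        "src": ipaddress.ip_address("205.90.31.1")}
ARP = {"ethertype": 0x0806}
ACL_100 = [("deny", "icmp", "205.90.31.0/24", 8), ("permit", "ip", "0.0.0.0/0", None)]
REVERSED_MAP = [(10, "forward", ("ip", ACL_100)), (20, "drop", None)]
# Fix: a MAC ACL clause for ARP (ethertype 0x806) ahead of the final drop.
FIXED_MAP = REVERSED_MAP[:1] + [(15, "forward", ("mac", [("permit", 0x0806)]))] + REVERSED_MAP[1:]
```

Running evaluate_vacl(REVERSED_MAP, ARP) returns "drop", while FIXED_MAP forwards ARP and still drops the echo request.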
So now you know how to filter traffic within a VLAN. There is almost always more than
one solution but we need to be careful when thinking through alternate solutions.
Hi Daniel,
Good article.
I reference this against the cisco doc cd, and it doesn’t seem to mention this issue at all.
Also the INE blog doesn’t mention this issue – http://blog.ine.com/2009/08/10/vlan-access-control-lists-vacls-tiers-1/
I remember doing a similar task in INE Volume 1, and this wasn’t mentioned.
Can you tell me which lab this was? You said volume 2 but not the actual lab number.
I’m going to try to simulate this.
Hi Tommey,
It was Vol2 lab5, task 6.2
The last statement should match everything because there is no match clause. I don’t have any switches to try on right now though.
This is from the Cisco DOCCD:
“Note If the VLAN map is configured with a match clause for a type of packet (IP or MAC) and the map action is drop, all packets that match the type are dropped. If the VLAN map has no match clause, and the configured action is drop, all IP and Layer 2 packets are dropped.”
Please post if you find anything interesting.
Hi Daniel,
I ran the experiment. In brief, the results I got contradict the results of your experiment. Although my experiment was slightly different:
R1 R2 R3
| | |
| | |
——SW1——-
R1
interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.0
duplex auto
speed auto
end
R3
interface FastEthernet0/0
ip address 10.0.0.3 255.255.255.0
duplex auto
speed auto
end
R5
interface FastEthernet0/0
ip address 10.0.0.5 255.255.255.0
duplex auto
speed auto
end
SW1
interface FastEthernet1/0/1
switchport access vlan 2
switchport mode access
end
interface FastEthernet1/0/3
switchport access vlan 2
switchport mode access
end
interface FastEthernet1/0/5
switchport access vlan 2
switchport mode access
end
R1#ping 10.0.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
R1#ping 10.0.0.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.5, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
SW1#show mac address-table dynamic vlan 2
Mac Address Table
——————————————-
Vlan Mac Address Type Ports
—- ———– ——– —–
2 000f.f7d4.9a20 DYNAMIC Fa1/0/3
2 0014.6a16.8960 DYNAMIC Fa1/0/1
2 0024.1499.2462 DYNAMIC Fa1/0/5
Total Mac Addresses for this criterion: 3
Additional configuration applied to SW1 :
access-list 100 permit icmp host 10.0.0.1 any
vlan access-map ICMP_BLOCK 10
action drop
match ip address 100
vlan access-map ICMP_BLOCK 20
action forward
vlan filter ICMP_BLOCK vlan-list 2
R1#ping 10.0.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#ping 10.0.0.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R3#ping 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R3#ping 10.0.0.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.5, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
R5#ping 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R5#ping 10.0.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
As expected R1 can’t ping R3 and R5, but R3 and R5 can ping each other. This is as expected.
SW1#show mac address-table dynamic vlan 2
Mac Address Table
——————————————-
Vlan Mac Address Type Ports
—- ———– ——– —–
2 000f.f7d4.9a20 DYNAMIC Fa1/0/3
2 0014.6a16.8960 DYNAMIC Fa1/0/1
2 0024.1499.2462 DYNAMIC Fa1/0/5
Total Mac Addresses for this criterion: 3
clear mac address-table dynamic vlan 2
SW1#show mac address-table dynamic
Mac Address Table
——————————————-
Vlan Mac Address Type Ports
—- ———– ——– —–
2 000f.f7d4.9a20 DYNAMIC Fa1/0/3
2 0014.6a16.8960 DYNAMIC Fa1/0/1
2 0024.1499.2462 DYNAMIC Fa1/0/5
Total Mac Addresses for this criterion: 3
When I used the command:
clear mac address-table dynamic vlan 2
the table would repopulate so quickly that I wouldn’t be able to see the – show mac address-table dynamic –
without any entries. So instead I shut down the router interfaces and then issued the command clear mac address-table dynamic vlan 2.
SW1#clear mac address-table dynamic vlan 2
SW1#show mac address-table dynamic vlan 2
Mac Address Table
——————————————-
Vlan Mac Address Type Ports
—- ———– ——– —–
Just to make doubly sure:
SW1#show mac address-table dynamic
Mac Address Table
——————————————-
Vlan Mac Address Type Ports
—- ———– ——– —–
Then I unshut all of the routers’ interfaces.
SW1#show mac address-table dynamic vlan 2
Mac Address Table
——————————————-
Vlan Mac Address Type Ports
—- ———– ——– —–
2 000f.f7d4.9a20 DYNAMIC Fa1/0/3
2 0014.6a16.8960 DYNAMIC Fa1/0/1
2 0024.1499.2462 DYNAMIC Fa1/0/5
Total Mac Addresses for this criterion: 3
R1#ping 10.0.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#ping 10.0.0.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R3#ping 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R3#ping 10.0.0.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.5, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
R5#ping 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R5#ping 10.0.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Layer 2 filtering will not happen if you do not use mac access lists.
Thanks for testing!
But now you have an action forward without a match clause that will match everything. Did you try it like this:
vlan access-map ICMP_BLOCK 10
action forward
match ip address 100
vlan access-map ICMP_BLOCK 20
action drop
vlan filter ICMP_BLOCK vlan-list 2
access-list 100 deny icmp host 10.0.0.1 any
The theory is then that the ICMP traffic will not match first clause and will then be dropped by clause 20. The interesting part is if L2 traffic will get dropped or not. Like you say that if L2 traffic has not been matched it should not be dropped.
Ah ah,
I’ve just re-read your article. Basically the implicit deny at the end of a vlan access map will drop both layer 2 and IP traffic. Brilliant!!!! I’ve just learnt something new.
Thanks…. One of those things you want to read and learn on a blog or lab and not in prod haha….