Filtering traffic initiated from a Cisco router

It happens quite often that an access list (ACL) has to be applied outbound on a router interface in order to limit some traffic. This article is about how to test such an ACL from the router itself, which is not intuitive for everyone. The scenario below is a simple one: R2 is connected to SW1, and SW1 should allow pinging only the Ethernet interface of R2, not its loopback interface.

10.0.2.2---R2--192.168.1.2----------------------------192.168.1.1--SW1---10.0.1.1

SW1#sh ip int b | ex un
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet1/2            192.168.1.1     YES manual up                    up
Loopback0                  10.0.1.1        YES manual up                    up

R2#sh ip int b | ex un
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.1.2     YES manual up                    up
Loopback0                  10.0.2.2        YES manual up                    up

An ACL on SW1 (number 100 in this case) is enough to achieve this, for example:

access-list 100 permit ip any 192.168.1.0 0.0.0.255
access-list 100 deny   ip any any

Let's apply it outbound on interface f1/2 of SW1, which is connected to f0/0 of R2:

SW1#sh run int f1/2
Building configuration...
Current configuration : 111 bytes
!
interface FastEthernet1/2
 no switchport
 ip address 192.168.1.1 255.255.255.0
 ip access-group 100 out
end

Now let's check whether a ping from SW1 to R2's Loopback0 is blocked:

SW1#ping 10.0.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/43/108 ms

It isn't. Why? Because an outbound interface ACL does not apply to traffic initiated by the router itself: locally generated packets are handed straight to the outgoing interface and never pass the outbound ACL check. So how can such an access list be tested when there is no access to anything behind SW1? The locally generated traffic has to re-enter the router's forwarding path, so that it is treated like transit traffic and the outbound ACL is evaluated. This can be achieved with local policy routing ('ip local policy'): a route-map forces the packets out via Loopback0, from where they are looped back and routed normally towards f1/2. Let's start by creating the route-map 'FILTER' for traffic initiated from SW1:

SW1#sh run | section route-map
ip local policy route-map FILTER
route-map FILTER permit 10
 match ip address 111
 set interface Loopback0

Access list 111 matches everything sourced from SW1's own interface address 192.168.1.1 (the same entry that shows up with matches in the ACL counters further below):

SW1#sh run | section access-list 111
access-list 111 permit ip host 192.168.1.1 any
 
The new policy 'FILTER' has to be applied to locally generated traffic on SW1 with the global command (already visible in the output above):

ip local policy route-map FILTER

Now ping R2's Loopback0 again from SW1:

SW1#ping 10.0.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.2.2, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

This time the traffic was blocked. The 'U' replies are ICMP destination unreachables (administratively prohibited) that SW1 generates itself when the ACL drops the packets; the alternating 'U' and '.' is a result of the router's ICMP unreachable rate limiting. Let's look at the ACL counters:

SW1#sh access-lists
Extended IP access list 100
    10 permit ip any 192.168.1.0 0.0.0.255
    20 deny ip any any (5 matches)
Extended IP access list 111
    10 permit ip host 192.168.1.1 any (5 matches)
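Reading counters by eye works for one ACL; when the same test is repeated across several ACLs it is easier to capture `show access-lists` before and after the probes and compare. The following Python helper is an added example, not code from the original article: it parses the counter output and confirms that the deny entries of the ACL under test gained exactly as many matches as probes were sent while no permit entry was hit. The two captures are constructed from the counters shown above (the "before" capture assumes zero matches), and the function names are my own.

```python
"""Verify that an outbound ACL dropped the test probes by comparing
`show access-lists` counters captured before and after the ping.

Added example (not part of the original article). The two captures are
constructed from the counters shown in the article: no matches before the
test, 5 matches on the deny line of ACL 100 and 5 on ACL 111 afterwards.
"""
import re

BEFORE = """Extended IP access list 100
    10 permit ip any 192.168.1.0 0.0.0.255
    20 deny ip any any
Extended IP access list 111
    10 permit ip host 192.168.1.1 any
"""

AFTER = """Extended IP access list 100
    10 permit ip any 192.168.1.0 0.0.0.255
    20 deny ip any any (5 matches)
Extended IP access list 111
    10 permit ip host 192.168.1.1 any (5 matches)
"""

# "Standard IP access list 10" / "Extended IP access list NAME"
ACL_HEADER = re.compile(r"^(?:Standard|Extended) IP access list (\S+)\s*$")
# "    20 deny ip any any (5 matches)" ; the "(N matches)" suffix is optional
ACE_LINE = re.compile(
    r"^\s+(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\((\d+) matche?s?\))?\s*$"
)


def parse_access_lists(text):
    """Return {acl_name: {seq: (action, rule, matches)}} from `show access-lists` output."""
    acls = {}
    current = None
    for line in text.splitlines():
        m = ACL_HEADER.match(line)
        if m:
            current = m.group(1)
            acls[current] = {}
            continue
        m = ACE_LINE.match(line)
        if m and current is not None:
            seq, action, rule, matches = m.groups()
            acls[current][int(seq)] = (action, rule.strip(), int(matches or 0))
    return acls


def counter_deltas(before, after):
    """Per-ACE increase in match counters between two captures, keyed by (acl, seq)."""
    b = parse_access_lists(before)
    a = parse_access_lists(after)
    deltas = {}
    for name, aces in a.items():
        for seq, (action, rule, matches) in aces.items():
            # an ACE that did not exist in the "before" capture starts at 0
            prev = b.get(name, {}).get(seq, (action, rule, 0))[2]
            deltas[(name, seq)] = matches - prev
    return deltas


def probes_blocked(before, after, acl, probes):
    """True if the deny entries of `acl` gained exactly `probes` matches
    and none of its permit entries gained any (i.e. every probe was dropped)."""
    deltas = counter_deltas(before, after)
    aces = parse_access_lists(after).get(acl, {})
    denied = sum(deltas[(acl, s)] for s, (act, _, _) in aces.items() if act == "deny")
    permitted = sum(deltas[(acl, s)] for s, (act, _, _) in aces.items() if act == "permit")
    return denied == probes and permitted == 0


if __name__ == "__main__":
    print(counter_deltas(BEFORE, AFTER))
    print("ACL 100 blocked all 5 probes:", probes_blocked(BEFORE, AFTER, "100", 5))
```

In practice the two captures would be taken from the router around the ping (for example over SSH with any automation library); the check is deliberately strict, so a partial drop or a probe hitting a permit entry is reported as a failed test rather than a pass.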

And double-check the local policy with debugging turned on. Each locally sourced echo request matches route-map FILTER and is policy routed to Loopback0, after which it is forwarded towards 192.168.1.2 like any transit packet and hits the outbound ACL on f1/2:
 
SW1#debug ip policy
Policy routing debugging is on
SW1#ping 10.0.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.2.2, timeout is 2 seconds:
U
*Mar  1 00:35:25.023: IP: s=192.168.1.1 (local), d=10.0.2.2, len 100, policy match
*Mar  1 00:35:25.027: IP: route map FILTER, item 10, permit
*Mar  1 00:35:25.027: IP: s=192.168.1.1 (local), d=10.0.2.2 (Loopback0), len 100, policy routed
*Mar  1 00:35:25.031: IP: local to Loopback0 192.168.1.2
*Mar  1 00:35:25.047: IP: s=192.168.1.1 (local), d=10.0.2.2, len 100, policy match
*Mar  1 00:35:25.051: IP: route map FILTER, item 10, permit
*Mar  1 00:35:25.051: IP: s=192.168.1.1 (local), d=10.0.2.2 (Loopback0), len 100, policy routed
*Mar  1 00:35:25.055: IP: local to Loopback0 192.168.1.2.U
*Mar  1 00:35:27.047: IP: s=192.168.1.1 (local), d=10.0.2.2, len 100, policy match
*Mar  1 00:35:27.051: IP: route map FILTER, item 10, permit
*Mar  1 00:35:27.051: IP: s=192.168.1.1 (local), d=10.0.2.2 (Loopback0), len 100, policy routed
*Mar  1 00:35:27.055: IP: local to Loopback0 192.168.1.2
*Mar  1 00:35:27.071: IP: s=192.168.1.1 (local), d=10.0.2.2, len 100, policy match
*Mar  1 00:35:27.075: IP: route map FILTER, item 10, permit
*Mar  1 00:35:27.075: IP: s=192.168.1.1 (local), d=10.0.2.2 (Loopback0), len 100, policy routed
*Mar  1 00:35:27.079: IP: local to Loopback0 192.168.1.2.U
Success rate is 0 percent (0/5)
SW1#
*Mar  1 00:35:29.071: IP: s=192.168.1.1 (local), d=10.0.2.2, len 100, policy match
*Mar  1 00:35:29.075: IP: route map FILTER, item 10, permit
*Mar  1 00:35:29.075: IP: s=192.168.1.1 (local), d=10.0.2.2 (Loopback0), len 100, policy routed
*Mar  1 00:35:29.079: IP: local to Loopback0 192.168.1.2
SW1#

I think this is a good way to test an access list on the router. Keep in mind that access list 111 matches all traffic sourced from 192.168.1.1, so while the local policy is in place every packet the router originates from that address, including management traffic, is sent through Loopback0 and subjected to the outbound ACL. Once the test is done, remove the policy with 'no ip local policy route-map FILTER' and turn debugging off with 'undebug all'.

 
