Filtering traffic initiated from cisco router

It often happens that an access list (ACL) has to be applied to an outgoing router interface in order to limit some traffic. This article is about how to test such an ACL from the router itself, which is not intuitive for everyone. The scenario below shows a simple situation: R2 is connected to SW1, and SW1 should allow pinging only the Ethernet interface of R2, not its loopback interface.

10.0.2.2---R2--192.168.1.2----------------------------192.168.1.1--SW1---10.0.1.1

SW1#sh ip int b | ex un
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet1/2            192.168.1.1     YES manual up                    up  
Loopback0                  10.0.1.1        YES manual up                    up  
R2#sh ip int b | ex un
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.1.2     YES manual up                    up  
Loopback0                  10.0.2.2        YES manual up                    up  

An ACL on SW1 (number 100 in this case) should be enough to achieve this, for example:

access-list 100 permit ip any 192.168.1.0 0.0.0.255
access-list 100 deny   ip any any

Let’s apply it outbound on int f1/2 of SW1, which is connected to f0/0 of R2:

SW1#sh run int f1/2
Building configuration...
Current configuration : 111 bytes
!
interface FastEthernet1/2
 no switchport
 ip address 192.168.1.1 255.255.255.0
 ip access-group 100 out
end

Now let’s check if ping from SW1 to R2 loopback 0 is blocked:

SW1#ping 10.0.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/43/108 ms

It’s not. Why? The reason is that an outbound interface access list does not apply to traffic initiated by the router itself. So how can such an access list be tested if there is no access to anything behind SW1? The traffic has to re-enter the router so that it is forwarded like transit traffic, which can be achieved with local policy routing (‘ip local policy’). Let’s start by creating an appropriate route-map ‘FILTER’ for traffic initiated from SW1:

SW1#sh run | section route-map
ip local policy route-map FILTER
route-map FILTER permit 10
 match ip address 111
 set interface Loopback0

Access-list 111, referenced by the route-map, selects traffic sourced from SW1’s own address 192.168.1.1:

SW1#sh run | section access-list 111
access-list 111 permit ip host 192.168.1.1 any

The new policy ‘FILTER’ has to be applied to SW1 for locally generated traffic:

ip local policy route-map FILTER
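To make the two behaviours of this procedure explicit, here is an added Python model (not Cisco code and not part of the original article) of IOS wildcard-mask ACL evaluation and of the forwarding-path difference the article relies on. It parses the article’s own access-list lines, evaluates them first-match with the implicit deny, and models the assumption the article demonstrates: an echo request generated by SW1 skips the outbound ACL on f1/2 unless ‘ip local policy’ sends it to Loopback0, after which it re-enters and is filtered like transit traffic. Hit counters are kept so the result can be compared with ‘show access-lists’.

```python
"""Added example (not Cisco code): a model of IOS wildcard-mask ACL evaluation
and of the forwarding-path difference this article uses for testing.
Addresses, ACL numbers and ACL entries are the ones from the article; the
behaviour model (router-originated traffic bypasses the outbound interface
ACL unless local PBR re-injects it via Loopback0) is what the article shows."""
import ipaddress
from dataclasses import dataclass

# The two access lists exactly as configured on SW1 in the article.
SW1_ACLS = """
access-list 100 permit ip any 192.168.1.0 0.0.0.255
access-list 100 deny   ip any any
access-list 111 permit ip host 192.168.1.1 any
"""


@dataclass
class Ace:
    action: str       # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    matches: int = 0  # hit counter, like the "(N matches)" in show access-lists


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def _parse_addr(tokens, i):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def parse_acls(text):
    """Parse numbered extended 'access-list N permit|deny ip SRC DST' lines."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        num, action = int(t[1]), t[2]           # t[3] is the protocol, 'ip' here
        src, src_wc, i = _parse_addr(t, 4)
        dst, dst_wc, _ = _parse_addr(t, i)
        acls.setdefault(num, []).append(Ace(action, src, src_wc, dst, dst_wc))
    return acls


def acl_lookup(acl, src, dst):
    """First-match evaluation; no matching entry means the implicit deny."""
    for ace in acl:
        if wildcard_match(src, ace.src, ace.src_wc) and wildcard_match(dst, ace.dst, ace.dst_wc):
            ace.matches += 1
            return ace.action
    return "deny"


def sw1_forwards_own_packet(acls, dst, local_policy):
    """Does an echo request generated by SW1 (source 192.168.1.1) leave f1/2?

    Without local PBR the packet is router-originated and 'ip access-group 100 out'
    on f1/2 is not consulted (modelled assumption, matching the article's first
    ping). With 'ip local policy route-map FILTER' a packet matching ACL 111 is set
    to Loopback0, re-enters the router and is then forwarded as transit traffic,
    so ACL 100 is applied on the way out."""
    src = "192.168.1.1"
    if not local_policy or acl_lookup(acls[111], src, dst) != "permit":
        return True
    return acl_lookup(acls[100], src, dst) == "permit"


def simulate_ping(dst, local_policy, count=5):
    """Emulate 'ping dst' from SW1. Returns (echoes sent, ACL 100 hit counters,
    ACL 111 hit counters), comparable to the article's show access-lists output."""
    acls = parse_acls(SW1_ACLS)
    sent = sum(sw1_forwards_own_packet(acls, dst, local_policy) for _ in range(count))
    return sent, [a.matches for a in acls[100]], [a.matches for a in acls[111]]


if __name__ == "__main__":
    print("no local policy, ping 10.0.2.2   :", simulate_ping("10.0.2.2", False))
    print("local policy,    ping 10.0.2.2   :", simulate_ping("10.0.2.2", True))
    print("local policy,    ping 192.168.1.2:", simulate_ping("192.168.1.2", True))
```

With local policy routing enabled the model reproduces the article’s counters: five hits on the deny entry of ACL 100 and five on ACL 111, and no echo leaves f1/2; without it, all five echoes go out untouched by the ACL.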

Now ping R2 loopback 0 again from SW1:

SW1#ping 10.0.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.2.2, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

This time the traffic was blocked; let’s look at the ACL counters:

SW1#sh access-lists
Extended IP access list 100
    10 permit ip any 192.168.1.0 0.0.0.255
    20 deny ip any any (5 matches)
Extended IP access list 111
    10 permit ip host 192.168.1.1 any (5 matches)
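Reading the counters by eye works for two ACLs; on a router with many entries it is easier to parse the ‘show access-lists’ output and check that the deny entries, and the route-map match ACL, actually received hits. The following parser is an added example, not part of the article; the sample output it parses is the article’s own.

```python
"""Added example (not Cisco code): parse IOS 'show access-lists' output and
report per-entry hit counts, so an ACL test like the one in the article can be
verified programmatically. Sample output is copied from the article."""
import re

SHOW_ACCESS_LISTS = """\
Extended IP access list 100
    10 permit ip any 192.168.1.0 0.0.0.255
    20 deny ip any any (5 matches)
Extended IP access list 111
    10 permit ip host 192.168.1.1 any (5 matches)
"""

ACL_HEADER = re.compile(r"^(?:Standard|Extended) IP access list (\S+)\s*$")
# "<seq> <permit|deny> <rule> [(N matches)]"; entries that were never hit carry no counter.
ACE_LINE = re.compile(r"^\s+(\d+)\s+(permit|deny)\s+(.+?)(?:\s+\((\d+) matches\))?\s*$")


def parse_show_access_lists(output):
    """Return {acl_name: [{'seq', 'action', 'rule', 'matches'}, ...]}."""
    acls, current = {}, None
    for line in output.splitlines():
        m = ACL_HEADER.match(line)
        if m:
            current = m.group(1)
            acls[current] = []
            continue
        m = ACE_LINE.match(line)
        if m and current is not None:
            seq, action, rule, hits = m.groups()
            acls[current].append(
                {"seq": int(seq), "action": action, "rule": rule, "matches": int(hits or 0)}
            )
    return acls


def deny_hits(acls, acl_name):
    """Total matches on the deny entries of one ACL.

    Nonzero after the test ping means the traffic really was filtered; zero means
    the packets never reached the ACL (the article's first ping attempt)."""
    return sum(e["matches"] for e in acls[acl_name] if e["action"] == "deny")


def entries_without_hits(acls, acl_name):
    """Sequence numbers of entries that never matched, useful to spot a test that hit
    the wrong line or a route-map match ACL that selected nothing."""
    return [e["seq"] for e in acls[acl_name] if e["matches"] == 0]


if __name__ == "__main__":
    parsed = parse_show_access_lists(SHOW_ACCESS_LISTS)
    print("deny hits on ACL 100:", deny_hits(parsed, "100"))
    print("unmatched entries in ACL 100:", entries_without_hits(parsed, "100"))
    print("route-map ACL 111 hits:", parsed["111"][0]["matches"])
```

Counters are cumulative, so run ‘clear access-list counters’ before the test ping; otherwise hits from earlier traffic are indistinguishable from the ones the test produced.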

And double-check the policy routing by turning the debug on:

SW1#debug ip policy
Policy routing debugging is on
SW1#ping 10.0.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.2.2, timeout is 2 seconds:
U
*Mar  1 00:35:25.023: IP: s=192.168.1.1 (local), d=10.0.2.2, len 100, policy match
*Mar  1 00:35:25.027: IP: route map FILTER, item 10, permit
*Mar  1 00:35:25.027: IP: s=192.168.1.1 (local), d=10.0.2.2 (Loopback0), len 100, policy routed
*Mar  1 00:35:25.031: IP: local to Loopback0 192.168.1.2
*Mar  1 00:35:25.047: IP: s=192.168.1.1 (local), d=10.0.2.2, len 100, policy match
*Mar  1 00:35:25.051: IP: route map FILTER, item 10, permit
*Mar  1 00:35:25.051: IP: s=192.168.1.1 (local), d=10.0.2.2 (Loopback0), len 100, policy routed
*Mar  1 00:35:25.055: IP: local to Loopback0 192.168.1.2.U
*Mar  1 00:35:27.047: IP: s=192.168.1.1 (local), d=10.0.2.2, len 100, policy match
*Mar  1 00:35:27.051: IP: route map FILTER, item 10, permit
*Mar  1 00:35:27.051: IP: s=192.168.1.1 (local), d=10.0.2.2 (Loopback0), len 100, policy routed
*Mar  1 00:35:27.055: IP: local to Loopback0 192.168.1.2
*Mar  1 00:35:27.071: IP: s=192.168.1.1 (local), d=10.0.2.2, len 100, policy match
*Mar  1 00:35:27.075: IP: route map FILTER, item 10, permit
*Mar  1 00:35:27.075: IP: s=192.168.1.1 (local), d=10.0.2.2 (Loopback0), len 100, policy routed
*Mar  1 00:35:27.079: IP: local to Loopback0 192.168.1.2.U
Success rate is 0 percent (0/5)
SW1#
*Mar  1 00:35:29.071: IP: s=192.168.1.1 (local), d=10.0.2.2, len 100, policy match
*Mar  1 00:35:29.075: IP: route map FILTER, item 10, permit
*Mar  1 00:35:29.075: IP: s=192.168.1.1 (local), d=10.0.2.2 (Loopback0), len 100, policy routed
*Mar  1 00:35:29.079: IP: local to Loopback0 192.168.1.2
SW1#

I think it’s a good way to test an access list on the router.

Author: irom77