So I'm working on this lab and I'm having some issues actually making this work
as it should. The task in question is asking that we "configure R8 to only
allow packets destined to 100.100.200.0/24 that were originated by users in the
f0/0 (100.100.200.0/24) LAN".
We can solve this in one of two ways using either the older reflexive access
lists or CBAC. For this particular task I'm going with the reflexive ACL and
not CBAC. Also note that this is my home lab and so the Fast Ethernet
interfaces are actually just Ethernet interfaces for me.
Here are the commands I configured for the task:
ip access-list extended TASK17.3_TRUST
permit ip 100.100.200.0 0.0.0.255 any reflect STUFF
int e0/0
ip access-group TASK17.3_TRUST in
ip access-list extended TASK17.3_NOTRUST
evaluate STUFF
deny ip any any
int e0/0
ip access-group TASK17.3_NOTRUST out
However, the issue I'm facing is that I can't get it to work. To verify this
task I created an SVI on Cat2 for VLAN 200:
int vlan 200
ip address 100.100.200.12 255.255.255.0
I'm going to start over by removing my ACLs and trying this again; hopefully you
can follow and help me out here.
First I will remove the ACLs from the e0/0 interface on R8:
R8(config-ext-nacl)#int e0/0
R8(config-if)# no ip access-group TASK17.3_TRUST in
R8(config-if)# no ip access-group TASK17.3_NOTRUST out
Now we will attempt to ping and telnet from R7 over to Cat2:
R7(config-line)#do ping 100.100.200.12
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.100.200.12, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/12 ms
And telnet?
R7(config-line)#do telnet 100.100.200.12
Trying 100.100.200.12 ... Open
Cat3560-2>
So it works with the ACLs removed. Now I'm going to put them back and add the
keyword "log" after the deny statement and see what happens.
R8(config-if)# ip access ext TASK17.3_NOTRUST
R8(config-ext-nacl)#20 deny ip any any log
R8(config-ext-nacl)#int e0/0
R8(config-if)# ip access-group TASK17.3_NOTRUST out
R8(config-if)# ip access-group TASK17.3_TRUST in
Let's attempt another ping from R7 to Cat2 so we can make sure that the deny
matches are incrementing:
R7(config-line)#do ping 100.100.200.12
U.U.U
R8(config)#do sh ip access TASK17.3_NOTRUST
Extended IP access list TASK17.3_NOTRUST
10 evaluate STUFF
20 deny ip any any log (5 matches)
OK, cool. Now let's run yet another ping from Cat2 to R7, which should succeed;
this should also create a dynamic entry in the reflexive ACL we named "STUFF":
Cat3560-2(config)#do ping 150.100.78.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.100.78.7, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/11/25 ms
Ping is good; let's verify the dynamic entry on R8:
R8(config)#do sh ip access STUFF
Reflexive IP access list STUFF
permit icmp host 150.100.78.7 host 100.100.200.12 (19 matches) (time left
263)
This statement clearly shows that ICMP packets sourced from 150.100.78.7 should
make it all the way over to Cat2 100.100.200.12, but do they?
R7(config-line)#do ping 100.100.200.12 source 150.100.78.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.100.200.12, timeout is 2 seconds:
Packet sent with a source address of 150.100.78.7
U.U.U
Success rate is 0 percent (0/5)
NOPE! Let's check R8 and see if the deny matches have incremented:
R8(config)#do sh ip access TASK17.3_NOTRUST
Extended IP access list TASK17.3_NOTRUST
10 evaluate STUFF
20 deny ip any any log (15 matches)
And the debug output:
*Mar 1 10:24:22.889: IP: s=150.100.78.7 (Serial0/0), d=100.100.200.12
(Ethernet0/0), len 100, access denied
Sure enough, they are still being blocked, almost as if R8 is NOT evaluating
"STUFF"? I mean, the routes are good and it's sending it out, and even with the
"evaluate" keyword and the correct dynamic entry I'm still being denied. We
know the routes are good, as you can see in the debugs as well as in what shows up
in the route table and FIB:
R7(config-line)#do sh ip route 100.100.200.12
Routing entry for 100.100.200.0/24
Known via "ospf 1", distance 110, metric 791, type intra area
Last update from 150.100.78.8 on Serial0/0, 06:41:34 ago
Routing Descriptor Blocks:
* 150.100.78.8, from 200.0.0.8, 06:41:34 ago, via Serial0/0
Route metric is 791, traffic share count is 1
R7(config-line)#do sh ip cef 100.100.200.12
100.100.200.0/24, version 102, epoch 0, cached adjacency to Serial0/0
0 packets, 0 bytes
via 150.100.78.8, Serial0/0, 0 dependencies
next hop 150.100.78.8, Serial0/0
valid cached adjacency
Here is my latest config for your review:
Reflexive IP access list STUFF
Extended IP access list TASK17.3_NOTRUST
10 evaluate STUFF
20 deny ip any any
Extended IP access list TASK17.3_TRUST
10 permit ip any any reflect STUFF
interface Ethernet0/0
ip address 100.100.200.8 255.255.255.0
ip access-group TASK17.3_TRUST in
ip access-group TASK17.3_NOTRUST out
I obviously can't call this task good and done if it doesn't work!!!
Any thoughts or ideas for me??
- Steve
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
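As an added illustration of the mechanism the post is configuring (this is editor-supplied Python, not IOS and not code from the original post), the model below replays the post's tests against the intended semantics of a reflexive ACL: an inbound entry with "reflect STUFF" records a mirrored 5-tuple in the temporary list STUFF, and the outbound "evaluate STUFF" permits only packets matching one of those mirrored entries before the explicit "deny ip any any". The lab's addresses are reused; the packets, the ephemeral telnet port and the timestamps are constructed for the example, and the 300-second lifetime is the IOS default for "ip reflexive-list timeout". The model does not refresh an entry's timer on each matching packet or tear TCP entries down on FIN/RST, both of which IOS does.

```python
"""Model of reflexive-ACL semantics (added example, not from the post).

An inbound ACL entry with 'reflect NAME' creates a mirrored temporary entry in
reflexive list NAME; an outbound ACL entry 'evaluate NAME' permits only packets
matching one of those entries; everything else falls to 'deny ip any any'.
"""

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

REFLEXIVE_TIMEOUT = 300  # IOS default 'ip reflexive-list timeout', in seconds
LAN = ip_network("100.100.200.0/24")  # the f0/0 (e0/0) LAN behind R8


@dataclass(frozen=True)
class Packet:
    proto: str          # "icmp", "tcp" or "udp"
    src: str
    dst: str
    sport: int = 0      # 0 for ICMP, which has no ports
    dport: int = 0


@dataclass
class ReflexiveList:
    """Temporary entries keyed by the mirrored 5-tuple, valued by expiry time."""
    name: str
    entries: dict = field(default_factory=dict)

    def reflect(self, pkt: Packet, now: int) -> None:
        # The mirror swaps source/destination addresses and ports, so the
        # entry matches only the return half of this exact conversation.
        key = (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
        self.entries[key] = now + REFLEXIVE_TIMEOUT

    def evaluate(self, pkt: Packet, now: int) -> bool:
        # Age out expired entries, as IOS does, then look for an exact match.
        self.entries = {k: t for k, t in self.entries.items() if t > now}
        return (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport) in self.entries

    def show(self, now: int) -> list:
        """Lines in the shape of 'show ip access-list NAME' for the dynamic entries."""
        lines = []
        for (proto, src, dst, sport, dport), expiry in self.entries.items():
            if proto == "icmp":
                lines.append(f"permit icmp host {src} host {dst} (time left {expiry - now})")
            else:
                lines.append(f"permit {proto} host {src} eq {sport} host {dst} eq {dport} "
                             f"(time left {expiry - now})")
        return lines


def trust_in(pkt: Packet, stuff: ReflexiveList, now: int) -> str:
    """TASK17.3_TRUST, applied inbound on e0/0:
    permit ip 100.100.200.0 0.0.0.255 any reflect STUFF, then the implicit deny."""
    if ip_address(pkt.src) in LAN:
        stuff.reflect(pkt, now)
        return "permit"
    return "deny"


def notrust_out(pkt: Packet, stuff: ReflexiveList, now: int) -> str:
    """TASK17.3_NOTRUST, applied outbound on e0/0: evaluate STUFF, then deny ip any any."""
    return "permit" if stuff.evaluate(pkt, now) else "deny"


def scenario() -> dict:
    """Replay the post's tests against the model and return each verdict."""
    stuff = ReflexiveList("STUFF")
    r7_to_cat2 = Packet("icmp", "150.100.78.7", "100.100.200.12")
    results = {}

    # R7 pings Cat2 before anything has been reflected: only 'deny ip any any' matches.
    results["unsolicited_ping"] = notrust_out(r7_to_cat2, stuff, now=0)

    # Cat2 pings R7; the LAN-sourced echo hits TRUST inbound and is mirrored.
    trust_in(Packet("icmp", "100.100.200.12", "150.100.78.7"), stuff, now=0)
    results["dynamic_entries"] = stuff.show(now=37)  # 'time left 263', as in the post

    # Return ICMP from R7 to Cat2 inside the timeout now matches the mirrored entry.
    results["return_ping"] = notrust_out(r7_to_cat2, stuff, now=37)
    # The entry is per host pair: another LAN address (R8's own) is not covered.
    results["ping_to_r8"] = notrust_out(Packet("icmp", "150.100.78.7", "100.100.200.8"), stuff, now=37)

    # Telnet from Cat2 to R7 mirrors the ports too (constructed ephemeral port 11000).
    trust_in(Packet("tcp", "100.100.200.12", "150.100.78.7", 11000, 23), stuff, now=40)
    results["telnet_return"] = notrust_out(Packet("tcp", "150.100.78.7", "100.100.200.12", 23, 11000), stuff, now=45)
    results["telnet_other_port"] = notrust_out(Packet("tcp", "150.100.78.7", "100.100.200.12", 23, 11001), stuff, now=45)

    # Once the 300 s timeout passes with no refresh, the ICMP entry is gone.
    results["ping_after_timeout"] = notrust_out(r7_to_cat2, stuff, now=301)
    return results


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name}: {verdict}")
```

The point worth checking against a real box is the exactness of the match: the mirrored entry carries the full 5-tuple, so return traffic is permitted only between the same two hosts (and, for TCP/UDP, the same two ports) and only until the entry ages out, which is why a "show ip access-list" of the reflexive list should be read alongside the timestamps of the packets being denied.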