Cisco PACL

Blueprint

  • CCIE R&S
    • Written v5.1
      • 5.0 Infrastructure Security
        • 5.2 Network security
          • 5.2.a [i] VACL, PACL
          • 5.2.c [viii] PACL
    • Lab v5.0
      • 5.0 Infrastructure Security
        • 5.2 Network security
          • 4.2.a [i] VACL, PACL
          • 4.2.c [vii] PACL

PACL Lab

Base Configuration

  • SW1
configure terminal
!
vtp mode transparent
!
vlan 128-129
exit
!
ip routing
!
spanning-tree portfast default
!
interface Vlan 128
 ip address 10.0.128.1 255.255.255.0
 no shutdown
exit
interface Vlan 129
 ip address 10.0.129.1 255.255.255.0
 no shutdown
exit
interface FastEthernet 1/0/1
 switchport mode access
 switchport access vlan 128
exit
interface FastEthernet 1/0/2
 switchport mode access
 switchport access vlan 128
exit
interface FastEthernet 1/0/3
 switchport mode access
 switchport access vlan 128
exit
interface FastEthernet 1/0/4
 no switchport
 ip address 10.0.129.1 255.255.255.0
 no shutdown
exit
interface FastEthernet 1/0/5
 switchport mode access
 switchport access vlan 128
exit
!
end
  • R1
configure terminal
!
interface FastEthernet 0/0
 ip address 10.0.128.101 255.255.255.0
 no shutdown
exit
!
ip route 0.0.0.0 0.0.0.0 10.0.128.1
!
line vty 0 15
 privilege level 15
 no login
exit
!
end
  • R2
configure terminal
!
interface FastEthernet 0/0
 ip address 10.0.128.102 255.255.255.0
 no shutdown
exit
!
ip route 0.0.0.0 0.0.0.0 10.0.128.1
!
line vty 0 15
 privilege level 15
 no login
exit
!
end

PACL Configuration: MAC Access List

  • SW1
configure terminal
!
mac access-list extended M-VIDEO
 ! permit only Intel NIC MAC
 permit 001b.2100.0000 0000.00ff.ffff any
 ! permit 0024.c400.0000 0000.00ff.ffff any
exit
!
interface FastEthernet 1/0/3
 mac access-group M-VIDEO in
!
end
R2#clear arp-cache 
R2#sh arp          
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.128.102            -   0024.c431.126e  ARPA   FastEthernet0/0
Internet  10.0.128.254            0   001b.2131.139b  ARPA   FastEthernet0/0
root@kozue:~# ping 10.0.128.101
PING 10.0.128.101 (10.0.128.101) 56(84) bytes of data.
64 bytes from 10.0.128.101: icmp_seq=1 ttl=255 time=0.949 ms
64 bytes from 10.0.128.101: icmp_seq=2 ttl=255 time=0.996 ms
^C
--- 10.0.128.101 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.949/0.972/0.996/0.039 ms
root@kozue:~# telnet 10.0.128.101
Trying 10.0.128.101...
Connected to 10.0.128.101.
Escape character is '^]'.
R1#logout
Connection closed by foreign host.
root@kozue:~# ip neighbor show
10.0.128.102 dev enp1s0f0 lladdr 00:24:c4:31:12:6e STALE
10.0.4.192 dev eno2 lladdr 4c:72:b9:58:0e:e0 REACHABLE
10.0.128.101 dev enp1s0f0 lladdr 00:1b:2a:77:66:d2 REACHABLE
10.0.128.1 dev enp1s0f0 lladdr e8:ed:f3:15:93:c1 STALE
10.0.4.1 dev eno2 lladdr e4:7e:66:30:2a:85 STALE
fe80::e67e:66ff:fe30:2a85 dev eno2 lladdr e4:7e:66:30:2a:85 router STALE
fe80::1 dev eno2 lladdr e4:7e:66:30:2a:85 router STALE
root@kozue:~# ip neighbor del 10.0.128.101 dev enp1s0f0
root@kozue:~# ping 10.0.128.101
PING 10.0.128.101 (10.0.128.101) 56(84) bytes of data.
From 10.0.128.254 icmp_seq=1 Destination Host Unreachable
From 10.0.128.254 icmp_seq=2 Destination Host Unreachable
From 10.0.128.254 icmp_seq=3 Destination Host Unreachable
From 10.0.128.254 icmp_seq=4 Destination Host Unreachable
From 10.0.128.254 icmp_seq=5 Destination Host Unreachable
From 10.0.128.254 icmp_seq=6 Destination Host Unreachable
From 10.0.128.254 icmp_seq=7 Destination Host Unreachable
From 10.0.128.254 icmp_seq=8 Destination Host Unreachable
From 10.0.128.254 icmp_seq=9 Destination Host Unreachable
^C
--- 10.0.128.101 ping statistics ---
10 packets transmitted, 0 received, +9 errors, 100% packet loss, time 9199ms
pipe 4

access-group mode

It seems the Catalyst 3750 IOS does not support this command…

SW1(config)#int f1/0/3
SW1(config-if)#access-group ?
% Unrecognized command
SW1(config-if)#do sh ver | i IOS
Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 15.0(2)SE4, RELEASE SOFTWARE (fc1)
SW1(config-if)#

PACL Configuration: deny all non-IP traffic (except ARP (0x806))

!!!!!!!INCOMPLETE INFORMATION because of my lack of understanding!!!!!!!

  • SW10
configure terminal
!
mac access-list extended M-STP
 ! deny STP frame
 deny any any 0x26 0x0
 ! permit ARP protocol
 permit any any
exit
!
interface FastEthernet 0/1
 mac access-group M-STP in
!
end
SW1(config)#spanning-tree vlan 128 priority 0   
SW1(config)#do sh span
SW1(config)#do sh spanning-tree vlan 128

VLAN0128
  Spanning tree enabled protocol ieee
  Root ID    Priority    128
             Address     e8ed.f315.9380
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    128    (priority 0 sys-id-ext 128)
             Address     e8ed.f315.9380
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  15  sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa1/0/3             Desg FWD 19        128.5    P2p 


SW10#sh spanning-tree vlan 128

VLAN0128
  Spanning tree enabled protocol ieee
  Root ID    Priority    128
             Address     e8ed.f315.9380
             Cost        19
             Port        1 (FastEthernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32896  (priority 32768 sys-id-ext 128)
             Address     0022.bd89.2180
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/1               Root FWD 19        128.1    P2p 

VACL Lab

Base Configuration

  • SW1
configure terminal
!
vtp mode transparent
!
vlan 128-129
exit
!
ip routing
!
spanning-tree portfast default
!
interface Vlan 128
 ip address 10.0.128.1 255.255.255.0
 no shutdown
exit
interface FastEthernet 1/0/1
 switchport mode access
 switchport access vlan 128
exit
interface FastEthernet 1/0/2
 switchport mode access
 switchport access vlan 128
exit
interface FastEthernet 1/0/3
 switchport mode access
 switchport access vlan 128
exit
interface FastEthernet 1/0/4
 no switchport
 ip address 10.0.129.1 255.255.255.0
 no shutdown
exit
interface FastEthernet 1/0/5
 switchport mode access
 switchport access vlan 128
exit
!
end
  • R1
configure terminal
!
interface FastEthernet 0/0
 ip address 10.0.128.101 255.255.255.0
 no shutdown
exit
!
ip route 0.0.0.0 0.0.0.0 10.0.128.1
!
line vty 0 15
 privilege level 15
 no login
exit
!
end
  • R2
configure terminal
!
interface FastEthernet 0/0
 ip address 10.0.128.102 255.255.255.0
 no shutdown
exit
!
ip route 0.0.0.0 0.0.0.0 10.0.128.1
!
line vty 0 15
 privilege level 15
 no login
exit
!
end

VACL Configuration:

  • SW1
configure terminal
!
mac access-list extended M-ARP
 ! match ARP R1 -> R2
 permit host 001b.2a77.66d2 host 0024.c431.126e 0x806 0x0
exit
!
vlan access-map V-MAP 10
 match mac address M-ARP
 action drop
exit
vlan access-map V-MAP 20
 action forward
exit
!
vlan filter V-MAP vlan-list 128
!
end
R1#sh arp           
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.128.1             49   e8ed.f315.93c1  ARPA   FastEthernet0/0
Internet  10.0.128.101            -   001b.2a77.66d2  ARPA   FastEthernet0/0
Internet  10.0.128.102            9   0024.c431.126e  ARPA   FastEthernet0/0
Internet  10.0.128.254            6   001b.2131.139b  ARPA   FastEthernet0/0
R1#clear arp ?
  A.B.C.D    IP address
  interface  Clear the entire ARP cache on the interface
  vrf        Clear entries for a VPN Routing/Forwarding instance
  <cr>

R1#clear arp 10.0.128.101
R1#clear arp 10.0.128.102
R1#clear arp 10.0.128.254
R1#clear arp-cache       
R1#sh arp                
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.128.1              0   e8ed.f315.93c1  ARPA   FastEthernet0/0
Internet  10.0.128.101            -   001b.2a77.66d2  ARPA   FastEthernet0/0
Internet  10.0.128.254            0   001b.2131.139b  ARPA   FastEthernet0/0
SW1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#mac acc
SW1(config)#mac access-list exte
SW1(config)#mac access-list extended M-ARP
SW1(config-ext-macl)#permi
SW1(config-ext-macl)#permit hos
SW1(config-ext-macl)#permit host 0024.c431.126e host 001b.2a77.66d2 0x806 0x0
SW1(config-ext-macl)#int f0/0
                          ^
% Invalid input detected at '^' marker.

SW1(config)#int f0/1
                 ^
% Invalid input detected at '^' marker.

SW1(config)#int f1/0/1
SW1(config-if)#vlan acc
SW1(config-if)#vlan acce
SW1(config-if)#exit     
SW1(config)#vlan acc
SW1(config)#vlan access-ma
SW1(config)#vlan access-map CV-MAP 10
SW1(config-access-map)#mat
SW1(config-access-map)#match mac
SW1(config-access-map)#match mac add
SW1(config-access-map)#match mac address M-ARP
SW1(config-access-map)#ac
SW1(config-access-map)#action dro
SW1(config-access-map)#action drop 
SW1(config-access-map)#exit  
SW1(config)#vlan access-map CV-MAP 20
SW1(config-access-map)#mat
SW1(config-access-map)#match mac
SW1(config-access-map)#match mac add
SW1(config-access-map)#acti              
SW1(config-access-map)#action for
SW1(config-access-map)#action forward 
SW1(config-access-map)#exit
SW1(config)#do sh vlan access-lists
                               ^
% Invalid input detected at '^' marker.

SW1(config)#do sh vlan access-list 
                               ^
% Invalid input detected at '^' marker.

SW1(config)#do sh vlan access-map 
Vlan access-map "CV-MAP"  10
  Match clauses:
    mac address: M-ARP
  Action:
    drop
Vlan access-map "CV-MAP"  20
  Match clauses:
  Action:
    forward
SW1(config)#vlan filter CV-MAP vlan 
SW1(config)#vlan filter CV-MAP vlan-list 128
SW1(config)#^Z
SW1#
*Mar  1 01:59:47.812: %SYS-5-CONFIG_I: Configured from console by console
SW1#conf t   
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#no vlan fi
SW1(config)#no vlan filter CV-MAP vlan-list 128
SW1(config)#
R1#ping 10.0.128.102
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.128.102, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#ping 10.0.128.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.128.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R1#ping 10.0.129.192
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.129.192, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R1#ping 10.0.128.102
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.128.102, timeout is 2 seconds:
..
Success rate is 0 percent (0/2)
R1#ping 10.0.128.102
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.128.102, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
R1#ping 10.0.128.102
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.128.102, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Clear a specific interface's ARP cache for the lab:

shutdown
no shutdown
permit host 001b.2a77.66d2 host 001b.2131.139b 0x806 0x0
*Sep  7 02:24:12.051: IP ARP: creating incomplete entry for IP address: 10.0.128.254 interface FastEthernet0/0
*Sep  7 02:24:12.051: IP ARP: sent req src 10.0.128.101 001b.2a77.66d2,
                 dst 10.0.128.254 0000.0000.0000 FastEthernet0/0
*Sep  7 02:24:12.051: IP ARP: rcvd rep src 10.0.128.254 001b.2131.139b, dst 10.0.128.101 FastEthernet0/0.!!!!!!!!!!!!!!!

Solved: Incomplete ARP - Cisco Community

rebooting R1

still pingable…

I delete the following

no permit host 001b.2a77.66d2 host 001b.2131.139b 0x806 0x0

ARP and ping fail

deny any any

successful

The following may be wrong. Unicast MAC ARP like the following does not appear normal.

permit host 001b.2a77.66d2 host 001b.2131.139b 0x806 0x0

The following ARP broadcast is successful.

permit host 001b.2a77.66d2 any 0x806 0x0

aaaaa……. Reverse the ACL rule. The ARP reply is unicast MAC.

permit host 001b.2131.139b host 001b.2a77.66d2 0x806 0x0
R1#ping 10.0.128.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.128.254, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#ping 10.0.128.102
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.128.102, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
R1#ping 10.0.128.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.128.254, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#ping 10.0.128.102
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.128.102, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#
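The two MAC ACL behaviours exercised in this lab, the wildcard mask in the M-VIDEO PACL and the ARP direction problem with the M-ARP VACL, modelled in Python as an added example (not from the original page and not Cisco code). It parses ACE lines exactly as typed in IOS, applies wildcard-mask matching, walks a VLAN access-map by sequence number, and replays the ARP exchange between R1 and kozue (MAC addresses taken from the ARP tables above) through the three M-ARP variants tried above. Assumptions: the page does not say which switch port each device sits on, so the PACL frames are only labelled by their sender; the rule that a MAC ACL on a Catalyst 3750 filters only non-IP frames is taken from the Catalyst 3750 configuration guide and is what the model uses to account for ICMP and Telnet to R1 still working while ARP was dropped.

```python
"""Cisco MAC ACL / VLAN access-map matching model (added example, not the page's own code).

MAC ACL masks are wildcard masks: a 1 bit means "ignore this bit", so
001b.2100.0000 0000.00ff.ffff matches any MAC starting 00:1b:21, and `host X`
is X with mask 0000.0000.0000. First matching ACE wins; implicit deny at the end.
A VLAN access-map is walked by sequence number: the first sequence whose match
clause matches (or that has no match clause) decides the action; no match = drop.
Assumption (Catalyst 3750 configuration guide): a MAC ACL used as a PACL or in a
`match mac address` clause filters only non-IP frames; IP frames go to IP ACLs.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_MASK = 0xFFFFFFFFFFFF
BROADCAST = "ffff.ffff.ffff"
ETHERTYPE_ARP = 0x0806
# MAC addresses copied from the ARP tables on this page.
R1 = "001b.2a77.66d2"     # 10.0.128.101
KOZUE = "001b.2131.139b"  # 10.0.128.254, the Linux host

def mac_to_int(mac: str) -> int:
    """Accept IOS (001b.2a77.66d2) or Linux (00:1b:2a:77:66:d2) notation."""
    return int(mac.replace(".", "").replace(":", ""), 16)

@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    ethertype: Optional[int] = None  # None models an LLC frame such as an STP BPDU
    is_ip: bool = False

@dataclass(frozen=True)
class Ace:
    action: str
    src: int
    src_mask: int
    dst: int
    dst_mask: int
    ethertype: Optional[int] = None
    ethertype_mask: int = 0

def _parse_addr(t: List[str], i: int) -> Tuple[int, int, int]:
    """Parse `any`, `host MAC` or `MAC MASK` at t[i]; return (addr, mask, next index)."""
    if t[i] == "any":
        return 0, ANY_MASK, i + 1
    if t[i] == "host":
        return mac_to_int(t[i + 1]), 0, i + 2
    return mac_to_int(t[i]), mac_to_int(t[i + 1]), i + 2

def parse_ace(line: str) -> Ace:
    """Parse one `permit|deny <src> <dst> [ethertype mask]` line as typed in IOS."""
    t = line.split()
    src, smask, i = _parse_addr(t, 1)
    dst, dmask, i = _parse_addr(t, i)
    etype, emask = (int(t[i], 0), int(t[i + 1], 0)) if i < len(t) else (None, 0)
    return Ace(t[0], src, smask, dst, dmask, etype, emask)

def _masked_eq(value: int, mask: int, ref: int) -> bool:
    return (value | mask) == (ref | mask)  # bits set in the mask are ignored

def ace_matches(ace: Ace, f: Frame) -> bool:
    if not _masked_eq(mac_to_int(f.src), ace.src_mask, ace.src):
        return False
    if not _masked_eq(mac_to_int(f.dst), ace.dst_mask, ace.dst):
        return False
    if ace.ethertype is None:
        return True
    return f.ethertype is not None and _masked_eq(f.ethertype, ace.ethertype_mask, ace.ethertype)

def mac_acl(acl_text: str, f: Frame) -> str:
    """Evaluate an extended MAC ACL; `!` lines are IOS comments; implicit deny at the end."""
    for line in acl_text.splitlines():
        line = line.strip()
        if line and not line.startswith("!"):
            ace = parse_ace(line)
            if ace_matches(ace, f):
                return ace.action
    return "deny"

def pacl_ingress(acl_text: str, f: Frame) -> str:
    """Port ACL consisting of a MAC ACL only: IP frames are not evaluated against it."""
    if f.is_ip:
        return "forward"
    return "forward" if mac_acl(acl_text, f) == "permit" else "drop"

def vacl(sequences: List[Tuple[Optional[str], str]], f: Frame) -> str:
    """sequences = [(mac_acl_text or None, action), ...] in sequence-number order."""
    for acl_text, action in sequences:
        if acl_text is None or (not f.is_ip and mac_acl(acl_text, f) == "permit"):
            return action
    return "drop"

M_VIDEO = """
 ! permit only Intel NIC MAC
 permit 001b.2100.0000 0000.00ff.ffff any
"""

def pacl_lab() -> dict:
    """M-VIDEO applied inbound; frames are labelled by sender (port assignment is assumed)."""
    return {
        "kozue_arp_request": pacl_ingress(M_VIDEO, Frame("00:1b:21:31:13:9b", BROADCAST, ETHERTYPE_ARP)),
        "r1_arp_reply": pacl_ingress(M_VIDEO, Frame(R1, KOZUE, ETHERTYPE_ARP)),
        "r1_icmp_echo_reply": pacl_ingress(M_VIDEO, Frame(R1, KOZUE, 0x0800, is_ip=True)),
    }

# The three M-ARP variants tried in the VACL section, in the order the page tries them.
ACE_R1_TO_KOZUE = f"permit host {R1} host {KOZUE} 0x806 0x0"
ACE_R1_TO_ANY = f"permit host {R1} any 0x806 0x0"
ACE_KOZUE_TO_R1 = f"permit host {KOZUE} host {R1} 0x806 0x0"

def vacl_arp_exchange(m_arp_ace: str) -> dict:
    """R1 resolving 10.0.128.254: broadcast request from R1, unicast reply from kozue."""
    v_map = [(m_arp_ace, "drop"), (None, "forward")]  # V-MAP 10 drop, V-MAP 20 forward
    return {
        "request": vacl(v_map, Frame(R1, BROADCAST, ETHERTYPE_ARP)),
        "reply": vacl(v_map, Frame(KOZUE, R1, ETHERTYPE_ARP)),
    }

if __name__ == "__main__":
    print("PACL M-VIDEO:", pacl_lab())
    for ace in (ACE_R1_TO_KOZUE, ACE_R1_TO_ANY, ACE_KOZUE_TO_R1):
        print(ace, "->", vacl_arp_exchange(ace))
```

Run as a script it reproduces the three outcomes noted above: the host-to-host R1-to-kozue ACE drops neither the broadcast request nor the unicast reply, so the ping keeps working; `host R1 any` drops the request; the reversed host pair drops the unicast reply, which is the case where ping to 10.0.128.254 fails while 10.0.128.102 still answers.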

Layer 2 technology is horrible…

tech/network/cisco/acl/pacl/pacl.txt · Last modified: 2019/09/07 15:32 by wnoguchi