tech:network:cisco:acl:pacl:pacl
Table of Contents
Cisco PACL
Blueprint
- CCIE R&S
- Written v5.1
- 5.0 Infrastructure Security
- 5.2 Network security
- 5.2.a [i] VACL, PACL
- 5.2.c [viii] PACL
- Lab v5.0
- 5.0 Infrastructure Security
- 5.2 Network security
- 4.2.a [i] VACL, PACL
- 4.2.c [vii] PACL
PACL Lab
Base Configuration
- SW1
configure terminal ! vtp mode transparent ! vlan 128-129 exit ! ip routing ! spanning-tree portfast default ! interface Vlan 128 ip address 10.0.128.1 255.255.255.0 no shutdown exit interface Vlan 129 ip address 10.0.129.1 255.255.255.0 no shutdown exit interface FastEthernet 1/0/1 switchport mode access switchport access vlan 128 exit interface FastEthernet 1/0/2 switchport mode access switchport access vlan 128 exit interface FastEthernet 1/0/3 switchport mode access switchport access vlan 128 exit interface FastEthernet 1/0/4 no switchport ip address 10.0.129.1 255.255.255.0 no shutdown exit interface FastEthernet 1/0/5 switchport mode access switchport access vlan 128 exit ! end
- R1
configure terminal ! interface FastEthernet 0/0 ip address 10.0.128.101 255.255.255.0 no shutdown exit ! ip route 0.0.0.0 0.0.0.0 10.0.128.1 ! line vty 0 15 privilege level 15 no login exit ! end
- R2
configure terminal ! interface FastEthernet 0/0 ip address 10.0.128.102 255.255.255.0 no shutdown exit ! ip route 0.0.0.0 0.0.0.0 10.0.128.1 ! line vty 0 15 privilege level 15 no login exit ! end
PACL Configuration: MAC Access List
- SW1
configure terminal ! mac access-list extended M-VIDEO ! permit only Intel NIC MAC permit 001b.2100.0000 0000.00ff.ffff any ! permit 0024.c400.0000 0000.00ff.ffff any exit ! interface FastEthernet 1/0/3 mac access-group M-VIDEO in ! end
R2#clear arp-cache R2#sh arp Protocol Address Age (min) Hardware Addr Type Interface Internet 10.0.128.102 - 0024.c431.126e ARPA FastEthernet0/0 Internet 10.0.128.254 0 001b.2131.139b ARPA FastEthernet0/0
root@kozue:~# ping 10.0.128.101 PING 10.0.128.101 (10.0.128.101) 56(84) bytes of data. 64 bytes from 10.0.128.101: icmp_seq=1 ttl=255 time=0.949 ms 64 bytes from 10.0.128.101: icmp_seq=2 ttl=255 time=0.996 ms ^C --- 10.0.128.101 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1001ms rtt min/avg/max/mdev = 0.949/0.972/0.996/0.039 ms root@kozue:~# telnet 10.0.128.101 Trying 10.0.128.101... Connected to 10.0.128.101. Escape character is '^]'. R1#logout Connection closed by foreign host. root@kozue:~# ip neighbor show 10.0.128.102 dev enp1s0f0 lladdr 00:24:c4:31:12:6e STALE 10.0.4.192 dev eno2 lladdr 4c:72:b9:58:0e:e0 REACHABLE 10.0.128.101 dev enp1s0f0 lladdr 00:1b:2a:77:66:d2 REACHABLE 10.0.128.1 dev enp1s0f0 lladdr e8:ed:f3:15:93:c1 STALE 10.0.4.1 dev eno2 lladdr e4:7e:66:30:2a:85 STALE fe80::e67e:66ff:fe30:2a85 dev eno2 lladdr e4:7e:66:30:2a:85 router STALE fe80::1 dev eno2 lladdr e4:7e:66:30:2a:85 router STALE root@kozue:~# ip neighbor del 10.0.128.101 dev enp1s0f0 root@kozue:~# ping 10.0.128.101 PING 10.0.128.101 (10.0.128.101) 56(84) bytes of data. From 10.0.128.254 icmp_seq=1 Destination Host Unreachable From 10.0.128.254 icmp_seq=2 Destination Host Unreachable From 10.0.128.254 icmp_seq=3 Destination Host Unreachable From 10.0.128.254 icmp_seq=4 Destination Host Unreachable From 10.0.128.254 icmp_seq=5 Destination Host Unreachable From 10.0.128.254 icmp_seq=6 Destination Host Unreachable From 10.0.128.254 icmp_seq=7 Destination Host Unreachable From 10.0.128.254 icmp_seq=8 Destination Host Unreachable From 10.0.128.254 icmp_seq=9 Destination Host Unreachable ^C --- 10.0.128.101 ping statistics --- 10 packets transmitted, 0 received, +9 errors, 100% packet loss, time 9199ms pipe 4
access-group mode
Seems Catalyst 3750 IOS not supported this command…
SW1(config)#int f1/0/3 SW1(config-if)#access-group ? % Unrecognized command SW1(config-if)#do sh ver | i IOS Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 15.0(2)SE4, RELEASE SOFTWARE (fc1) SW1(config-if)#
PACL Configuration: deny all non ip traffic(exclude ARP(0x806))
!!!!!!!INCOMPLETE INFORMATION because my lack of understanding!!!!!!!
- SW10
configure terminal ! mac access-list extended M-STP ! deny STP frame deny any any 0x26 0x0 ! permit ARP protocol permit permit any any exit ! interface FastEthernet 0/1 mac access-group M-STP in ! end
SW1(config)#spanning-tree vlan 128 priority 0
SW1(config)#do sh span
SW1(config)#do sh spanning-tree vlan 128
VLAN0128
Spanning tree enabled protocol ieee
Root ID Priority 128
Address e8ed.f315.9380
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 128 (priority 0 sys-id-ext 128)
Address e8ed.f315.9380
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 15 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa1/0/3 Desg FWD 19 128.5 P2p
SW10#sh spanning-tree vlan 128
VLAN0128
Spanning tree enabled protocol ieee
Root ID Priority 128
Address e8ed.f315.9380
Cost 19
Port 1 (FastEthernet0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32896 (priority 32768 sys-id-ext 128)
Address 0022.bd89.2180
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/1 Root FWD 19 128.1 P2p
VACL Lab
Base Configuration
- SW1
configure terminal ! vtp mode transparent ! vlan 128-129 exit ! ip routing ! spanning-tree portfast default ! interface Vlan 128 ip address 10.0.128.1 255.255.255.0 no shutdown exit interface FastEthernet 1/0/1 switchport mode access switchport access vlan 128 exit interface FastEthernet 1/0/2 switchport mode access switchport access vlan 128 exit interface FastEthernet 1/0/3 switchport mode access switchport access vlan 128 exit interface FastEthernet 1/0/4 no switchport ip address 10.0.129.1 255.255.255.0 no shutdown exit interface FastEthernet 1/0/5 switchport mode access switchport access vlan 128 exit ! end
- R1
configure terminal ! interface FastEthernet 0/0 ip address 10.0.128.101 255.255.255.0 no shutdown exit ! ip route 0.0.0.0 0.0.0.0 10.0.128.1 ! line vty 0 15 privilege level 15 no login exit ! end
- R2
configure terminal ! interface FastEthernet 0/0 ip address 10.0.128.102 255.255.255.0 no shutdown exit ! ip route 0.0.0.0 0.0.0.0 10.0.128.1 ! line vty 0 15 privilege level 15 no login exit ! end
VACL Configuration:
- SW1
configure terminal ! mac access-list extended M-ARP ! match ARP R1 -> R2 permit host 001b.2a77.66d2 host 0024.c431.126e 0x806 0x0 exit ! vlan access-map V-MAP 10 match mac address M-ARP action drop exit vlan access-map V-MAP 20 action forward exit ! vlan filter V-MAP vlan-list 128 ! end
R1#sh arp Protocol Address Age (min) Hardware Addr Type Interface Internet 10.0.128.1 49 e8ed.f315.93c1 ARPA FastEthernet0/0 Internet 10.0.128.101 - 001b.2a77.66d2 ARPA FastEthernet0/0 Internet 10.0.128.102 9 0024.c431.126e ARPA FastEthernet0/0 Internet 10.0.128.254 6 001b.2131.139b ARPA FastEthernet0/0 R1#clear arp ? A.B.C.D IP address interface Clear the entire ARP cache on the interface vrf Clear entries for a VPN Routing/Forwarding instance <cr> R1#clear arp 10.0.128.101 R1#clear arp 10.0.128.102 R1#clear arp 10.0.128.254 R1#clear arp-cache R1#sh arp Protocol Address Age (min) Hardware Addr Type Interface Internet 10.0.128.1 0 e8ed.f315.93c1 ARPA FastEthernet0/0 Internet 10.0.128.101 - 001b.2a77.66d2 ARPA FastEthernet0/0 Internet 10.0.128.254 0 001b.2131.139b ARPA FastEthernet0/0
SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#mac acc
SW1(config)#mac access-list exte
SW1(config)#mac access-list extended M-ARP
SW1(config-ext-macl)#permi
SW1(config-ext-macl)#permit hos
SW1(config-ext-macl)#permit host 0024.c431.126e host 001b.2a77.66d2 0x806 0x0
SW1(config-ext-macl)#int f0/0
^
% Invalid input detected at '^' marker.
SW1(config)#int f0/1
^
% Invalid input detected at '^' marker.
SW1(config)#int f1/0/1
SW1(config-if)#vlan acc
SW1(config-if)#vlan acce
SW1(config-if)#exit
SW1(config)#vlan acc
SW1(config)#vlan access-ma
SW1(config)#vlan access-map CV-MAP 10
SW1(config-access-map)#mat
SW1(config-access-map)#match mac
SW1(config-access-map)#match mac add
SW1(config-access-map)#match mac address M-ARP
SW1(config-access-map)#ac
SW1(config-access-map)#action dro
SW1(config-access-map)#action drop
SW1(config-access-map)#exit
SW1(config)#vlan access-map CV-MAP 20
SW1(config-access-map)#mat
SW1(config-access-map)#match mac
SW1(config-access-map)#match mac add
SW1(config-access-map)#acti
SW1(config-access-map)#action for
SW1(config-access-map)#action forward
SW1(config-access-map)#exit
SW1(config)#do sh vlan access-lists
^
% Invalid input detected at '^' marker.
SW1(config)#do sh vlan access-list
^
% Invalid input detected at '^' marker.
SW1(config)#do sh vlan access-map
Vlan access-map "CV-MAP" 10
Match clauses:configure terminal
!
interface FastEthernet 0/0
ip address 10.0.128.101 255.255.255.0
no shutdown
exit
!
ip route 0.0.0.0 0.0.0.0 10.0.128.1
!
line vty 0 15
privilege level 15
no login
exit
!
end
mac address: M-ARP
Action:
drop
Vlan access-map "CV-MAP" 20
Match clauses:
Action:
forward
SW1(config)#vlan filter CV-MAP vlan
SW1(config)#vlan filter CV-MAP vlan-list 128
SW1(config)#^Z
SW1#
*Mar 1 01:59:47.812: %SYS-5-CONFIG_I: Configured from console by console
SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#no vlan fi
SW1(config)#no vlan filter CV-MAP vlan-list 128
SW1(config)#
R1#sh arp Protocol Address Age (min) Hardware Addr Type Interface Internet 10.0.128.1 49 e8ed.f315.93c1 ARPA FastEthernet0/0 Internet 10.0.128.101 - 001b.2a77.66d2 ARPA FastEthernet0/0 Internet 10.0.128.102 9 0024.c431.126e ARPA FastEthernet0/0 Internet 10.0.128.254 6 001b.2131.139b ARPA FastEthernet0/0 R1#clear arp ? A.B.C.D IP address interface Clear the entire ARP cache on the interface vrf Clear entries for a VPN Routing/Forwarding instance <cr> R1#clear arp 10.0.128.101 R1#clear arp 10.0.128.102 R1#clear arp 10.0.128.254 R1#clear arp-cache R1#sh arp Protocol Address Age (min) Hardware Addr Type Interface Internet 10.0.128.1 0 e8ed.f315.93c1 ARPA FastEthernet0/0 Internet 10.0.128.101 - 001b.2a77.66d2 ARPA FastEthernet0/0 Internet 10.0.128.254 0 001b.2131.139b ARPA FastEthernet0/0 R1#ping 10.0.128.102 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.0.128.102, timeout is 2 seconds: ..... Success rate is 0 percent (0/5) R1#ping 10.0.128.254 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.0.128.254, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms R1#ping 10.0.129.192 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.0.129.192, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms R1#ping 10.0.128.102 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.0.128.102, timeout is 2 seconds: .. Success rate is 0 percent (0/2) R1#ping 10.0.128.102 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.0.128.102, timeout is 2 seconds: .!!!! Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms R1#ping 10.0.128.102 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.0.128.102, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
clear specific interface arp cache for lab
shutdown no shutdown
permit host 001b.2a77.66d2 host 001b.2131.139b 0x806 0x0
*Sep 7 02:24:12.051: IP ARP: creating incomplete entry for IP address: 10.0.128.254 interface FastEthernet0/0
*Sep 7 02:24:12.051: IP ARP: sent req src 10.0.128.101 001b.2a77.66d2,
dst 10.0.128.254 0000.0000.0000 FastEthernet0/0
*Sep 7 02:24:12.051: IP ARP: rcvd rep src 10.0.128.254 001b.2131.139b, dst 10.0.128.101 FastEthernet0/0.!!!!!!!!!!!!!!!
Solved: Incomplete ARP - Cisco Community
rebooting R1
still pingable…
i delete following
no permit host 001b.2a77.66d2 host 001b.2131.139b 0x806 0x0
arp and ping fail
deny any any
successfull
may following wrong. following unicast mac arp is not appeard normal.
permit host 001b.2a77.66d2 host 001b.2131.139b 0x806 0x0
following arp broadcast is successful.
permit host 001b.2a77.66d2 any 0x806 0x0
aaaaa……. reverse acl rule. arp reply is unicast mac.
permit host 001b.2131.139b host 001b.2a77.66d2 0x806 0x0
R1#ping 10.0.128.254 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.0.128.254, timeout is 2 seconds: ..... Success rate is 0 percent (0/5) R1#ping 10.0.128.102 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.0.128.102, timeout is 2 seconds: .!!!! Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms R1#ping 10.0.128.254 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.0.128.254, timeout is 2 seconds: ..... Success rate is 0 percent (0/5) R1#ping 10.0.128.102 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.0.128.102, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms R1#
Layer2 technology is horrible…
References
tech/network/cisco/acl/pacl/pacl.txt · Last modified: 2019/09/07 15:32 by wnoguchi
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
