CCIE Pursuit Blog

August 10, 2008

Internetwork Expert Volume II: Lab 5 – Section 8

Section 8 – Security – 6 Points

8.1 Traffic Filtering

Allow ICMP, UDP, and TCP traffic originated from inside the network to go out through r4 to BB3 and the replies to come back in.  We also need to allow r4 to ping and telnet to BB3.  That’s going to need a reflexive ACL. Filter everything else except the routing protocols (RIP and BGP) between r4 and BB3.  One wrinkle: traffic that r4 itself originates is not run through the outbound ACL, so it never creates reflexive entries; the replies to r4’s own pings and telnets have to be permitted explicitly (that is what the echo-reply line and the telnet line with the established keyword in the inbound list are for).

This is 3 points that I would definitely skip in the lab.  Breaking connectivity to a backbone device could end up costing you $1500.  🙂

r4(config)#ip access-l ex IN_FROM_BB3
r4(config-ext-nacl)#perm icmp any any echo-reply
r4(config-ext-nacl)#perm tcp any eq telnet any ?
  ack          Match on the ACK bit
  dscp         Match packets with given dscp value
  eq           Match only packets on a given port number
  established  Match established connections  
r4(config-ext-nacl)#perm tcp any eq telnet any established
r4(config-ext-nacl)#permit tcp any any eq bgp
r4(config-ext-nacl)#permit tcp any eq bgp any  <- I usually forget this 😦
r4(config-ext-nacl)#permit udp any any eq rip
r4(config-ext-nacl)#evaluate REFLEXIVE

r4(config-ext-nacl)#ip access-list ex OUT_TO_BB3
r4(config-ext-nacl)#perm tcp any any reflect REFLEXIVE
r4(config-ext-nacl)#perm udp any any reflect REFLEXIVE
r4(config-ext-nacl)#perm icmp any any reflect REFLEXIVE

r4(config-ext-nacl)#int fa0/0
r4(config-if)#ip access-group IN_FROM_BB3 in
r4(config-if)#ip access-group OUT_TO_BB3 out
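To see how the two lists interact, here is a small Python model of r4’s fa0/0 filtering.  It is an added example, not anything from the original post or the workbook: the addresses are constructed, the ICMP reflexive entry is simplified to “any ICMP back from BB3 to the originator”, and packets r4 generates itself deliberately skip the outbound list, because IOS does not run router-originated traffic through an outbound ACL.  The last scenario shows the price of the established keyword: it only tests the ACK/RST bit, so a forged segment from source port 23 with ACK set is admitted even though no telnet session exists.

```python
"""Model of task 8.1 on r4: IN_FROM_BB3 inbound on fa0/0 (with 'evaluate'),
OUT_TO_BB3 outbound (with 'reflect'). Added example, not IOS code; addresses
are constructed and the ICMP reflexive entry is simplified."""
from dataclasses import dataclass
from typing import Optional

ICMP_ECHO, ICMP_ECHO_REPLY = 8, 0
TELNET, BGP, RIP = 23, 179, 520
INSIDE, R4, BB3 = "10.1.1.10", "10.4.4.4", "192.0.2.254"   # constructed

@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0        # TCP/UDP source port (unused for ICMP)
    dport: int = 0        # TCP/UDP destination port, or ICMP type
    ack: bool = False     # ACK or RST bit set: all that 'established' tests

@dataclass(frozen=True)
class Ace:
    """One permit line of an extended ACL; None means 'any'."""
    proto: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    established: bool = False
    reflect: Optional[str] = None    # 'reflect NAME': record the session
    evaluate: Optional[str] = None   # 'evaluate NAME': match recorded sessions

# Same order as the page's configuration; implicit deny at the end.
IN_FROM_BB3 = [
    Ace("icmp", dport=ICMP_ECHO_REPLY),          # permit icmp any any echo-reply
    Ace("tcp", sport=TELNET, established=True),  # permit tcp any eq telnet any established
    Ace("tcp", dport=BGP),                       # permit tcp any any eq bgp
    Ace("tcp", sport=BGP),                       # permit tcp any eq bgp any
    Ace("udp", dport=RIP),                       # permit udp any any eq rip
    Ace("ip", evaluate="REFLEXIVE"),             # evaluate REFLEXIVE
]
OUT_TO_BB3 = [Ace(p, reflect="REFLEXIVE") for p in ("tcp", "udp", "icmp")]

def _return_entry(pkt):
    """Temporary entry created for pkt's return traffic (ICMP: any type)."""
    if pkt.proto == "icmp":
        return ("icmp", pkt.dst, None, pkt.src, None)
    return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

def _entry_matches(entry, pkt):
    proto, src, sport, dst, dport = entry
    return (proto == pkt.proto and src == pkt.src and dst == pkt.dst
            and sport in (None, pkt.sport) and dport in (None, pkt.dport))

def _ace_matches(ace, pkt, state):
    if ace.evaluate is not None:
        return any(_entry_matches(e, pkt) for e in state.get(ace.evaluate, ()))
    return (ace.proto == pkt.proto and ace.sport in (None, pkt.sport)
            and ace.dport in (None, pkt.dport) and (pkt.ack or not ace.established))

def apply_acl(acl, pkt, state):
    """First matching line wins; no match is the implicit deny. A matching
    'reflect' line records the session in state for a later 'evaluate'."""
    for ace in acl:
        if _ace_matches(ace, pkt, state):
            if ace.reflect is not None:
                state.setdefault(ace.reflect, set()).add(_return_entry(pkt))
            return True
    return False

def send_out(pkt, state, from_router=False):
    """Outbound on fa0/0. IOS does not run router-generated packets through
    an outbound ACL, so r4's own traffic never creates reflexive entries."""
    return True if from_router else apply_acl(OUT_TO_BB3, pkt, state)

def recv_in(pkt, state):
    return apply_acl(IN_FROM_BB3, pkt, state)

def run_acl_scenarios():
    """Constructed traffic; returns {scenario: permitted?}."""
    state, r = {}, {}
    # Inside host to BB3: reflected on the way out, reply admitted by 'evaluate'.
    r["inside_http_out"] = send_out(Packet("tcp", INSIDE, BB3, 40000, 80), state)
    r["http_reply_in"] = recv_in(Packet("tcp", BB3, INSIDE, 80, 40000, ack=True), state)
    r["unsolicited_ssh_in"] = recv_in(Packet("tcp", BB3, INSIDE, 50000, 22), state)
    # r4's own ping: no reflexive entry, so only the echo-reply line admits the reply.
    r["r4_ping_out"] = send_out(Packet("icmp", R4, BB3, dport=ICMP_ECHO), state, from_router=True)
    r["r4_ping_reply_in"] = recv_in(Packet("icmp", BB3, R4, dport=ICMP_ECHO_REPLY), state)
    r["bb3_ping_in"] = recv_in(Packet("icmp", BB3, R4, dport=ICMP_ECHO), state)
    # Routing protocols, whichever side opened the BGP session.
    r["bgp_from_bb3"] = recv_in(Packet("tcp", BB3, R4, 33000, BGP), state)
    r["bgp_reply_from_bb3"] = recv_in(Packet("tcp", BB3, R4, BGP, 33000, ack=True), state)
    r["rip_in"] = recv_in(Packet("udp", BB3, "224.0.0.9", RIP, RIP), state)
    # The caveat: 'established' only tests the ACK/RST bit, so a forged segment
    # from source port 23 reaches an inside host although no session exists.
    r["forged_ack_from_23"] = recv_in(Packet("tcp", BB3, INSIDE, TELNET, 445, ack=True), state)
    return r
```

The forged-ACK scenario is the reason a real deployment would rather reflect r4’s own telnet too (by sourcing it from a loopback behind the filtering interface, or by using CBAC/zone-based inspection) than rely on established; for the lab task the explicit line is what the workbook expects.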

This is the first time that I’ve actually seen an “A” on a traceroute:


Type escape sequence to abort.
Tracing the route to

  1 !A  *  !A

!A = administratively prohibited.  The hop answered the probe with an ICMP destination unreachable, code 13 (communication administratively prohibited), which is what IOS sends back when an access list denies the packet (unless ip unreachables has been disabled on that interface).  So this output usually means that an access list is blocking the traffic.

8.2 DoS Prevention

“…configure r1 and r6 to not receive any ICMP echo request sourced from the network inbound on their interfaces attached to VLAN 162.”
“Do not apply any configuration on either r1 or r6 to accomplish this.”

r1 and r6 connect to BB2 over Ethernet.  If we can’t configure r1 or r6, then we must configure the switch on the port connected to BB2 (sw2 fa0/24).

Configuring TCP Intercept (Preventing Denial-of-Service Attacks)

Sweet.  So I set up my ACL:

sw2(config)#do sh run | i 182
access-list 182 permit tcp

and then I tried to enable TCP Intercept:

sw2(config)#ip tcp intercept list 182
% Invalid input detected at ‘^’ marker.

sw2(config)#ip tcp ?
  async-mobility      Configure async-mobility
  chunk-size          TCP chunk size
  mss                 TCP initial maximum segment size
  path-mtu-discovery  Enable path-MTU discovery on new TCP connections
  queuemax            Maximum queue of outgoing TCP packets
  selective-ack       Enable TCP selective-ACK
  synwait-time        Set time to wait on new TCP connections
  timestamp           Enable TCP timestamp option
  window-size         TCP window size

Great.  This is not available on the 3560.

Ummm…it turns out that I needed to read the tasks closer.  I keyed in on DoS prevention and forgot that I was just supposed to filter ICMP echo requests.  🙂

Starting over – this looks like a simple VACL task.  Just drop ICMP echo requests from a specific network for VLAN 162.

Configuring VLAN Maps

First match the traffic that we want to drop (VACLs use a logic similar to route-maps: the packets the ACL permits are the ones the map clause acts on):

sw2(config)#access-list 182 permit icmp any echo

Now build the VACL:

sw2(config)#vlan access-map TASK_8_2
sw2(config-access-map)#match ip add 182
sw2(config-access-map)#action drop

Remember to include a sequence that forwards all other traffic.  A VLAN map ends in an implicit drop, so without it the VACL would drop everything else on VLAN 162, routing protocols included:

sw2(config)#vlan access-map TASK_8_2 1000
sw2(config-access-map)#action forward

Now just add the VACL to the VLAN with the ‘vlan filter’ command. Don’t do this:

sw2(config)#flanfilter TASK_8_2 vlan-list 162
% Unrecognized command

It’s sad that the IOS does not know about the tasty dessert that is flan, but the IOS does not get out much.  🙂

sw2(config)#vlan filter TASK_8_2 vlan-list 162

sw2#sh vlan access-map
Vlan access-map "TASK_8_2"  10
  Match clauses:
    ip  address: 182
Vlan access-map "TASK_8_2"  1000
  Match clauses:

sw2#sh vlan filter
VLAN Map TASK_8_2 is filtering VLANs:
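The same kind of model for the VLAN map, as an added example that is not part of the original post.  The source network is an assumption (the task’s real network is not shown on this page).  It shows the route-map-like semantics: sequences are tried lowest first, a clause matches when its ACL permits the packet, the first match decides, and a packet that no clause matches is dropped, which is why the map without sequence 1000 would also drop BGP and everything else on VLAN 162.

```python
"""Model of the task 8.2 VLAN access-map. Added example, not IOS code.
SRC_NET is an assumption: the page does not show the network in the task."""
from ipaddress import ip_address, ip_network

SRC_NET = ip_network("192.168.162.0/24")   # assumed; constructed for the demo

def acl_182(pkt):
    """access-list 182 permit icmp <SRC_NET> any echo  (the match ACL)."""
    return (pkt["proto"] == "icmp" and pkt["type"] == 8
            and ip_address(pkt["src"]) in SRC_NET)

def vlan_map(pkt, clauses):
    """clauses: (sequence, match_fn or None, action). Lowest sequence first;
    a clause matches when its ACL permits the packet (None matches all);
    the first match decides; no match at all is an implicit drop."""
    for _seq, match, action in sorted(clauses, key=lambda c: c[0]):
        if match is None or match(pkt):
            return action
    return "drop"

# Sequence 10 only: the map before the forward clause is added.
TASK_8_2_NO_FORWARD = [(10, acl_182, "drop")]
TASK_8_2 = TASK_8_2_NO_FORWARD + [(1000, None, "forward")]

def run_vacl_scenarios():
    """Constructed packets; returns {scenario: action}."""
    echo_from_net = {"proto": "icmp", "type": 8, "src": "192.168.162.7"}
    echo_from_elsewhere = {"proto": "icmp", "type": 8, "src": "10.9.9.9"}
    reply_from_net = {"proto": "icmp", "type": 0, "src": "192.168.162.7"}
    bgp_from_net = {"proto": "tcp", "type": None, "src": "192.168.162.7"}
    return {
        "echo_from_net": vlan_map(echo_from_net, TASK_8_2),
        "echo_from_elsewhere": vlan_map(echo_from_elsewhere, TASK_8_2),
        "reply_from_net": vlan_map(reply_from_net, TASK_8_2),
        "bgp_no_forward_clause": vlan_map(bgp_from_net, TASK_8_2_NO_FORWARD),
        "bgp_with_forward_clause": vlan_map(bgp_from_net, TASK_8_2),
    }
```

Only echo requests from the assumed network are dropped; echo replies and everything else still forward, but only once the sequence-1000 clause is in place.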
