
Filtering traffic with VLAN access maps


While doing a vol2 lab I got stumped by one of its tasks. The task was to
filter ICMP packets coming from the backbone and destined for a network on
the internal routers. The topology looks like this.


We need to filter ICMP packets from BB2, but we may not apply the filter on
R1 and/or R6, and we are of course not allowed to make any changes in the
backbone either. So what is left? The routers share an Ethernet segment:
they are all connected to a switch. This means that we can apply a VLAN
filter. VLAN filters are good for filtering traffic that does not leave the
VLAN. For traffic crossing network boundaries we can use regular ACLs, but
they won't work for intra-VLAN traffic, which is switched within the segment
and never passes through a routed interface.

The configuration is pretty straightforward and closely resembles a route-map.


First we create a VLAN access-map.


Rack24SW2(config)#vlan access-map ICMP_FILTER 10
Rack24SW2(config-access-map)#action drop
Rack24SW2(config-access-map)#match ip address 100
Rack24SW2(config-access-map)#exit
Rack24SW2(config)#vlan access-map ICMP_FILTER 20
Rack24SW2(config-access-map)#action forward
Rack24SW2(config-access-map)#exit


Sequence 10 drops traffic that matches access-list 100; sequence 20 forwards
everything that did not match.


Then we create the access-list.


Rack24SW2(config)#access-list 100 permit icmp 205.90.31.0 0.0.0.255 any echo


The 205.90.31.0/24 network is one of the backbone networks but the addressing is
not what’s important here.


Then we need to apply the filter to the VLANs that should be filtered.


Rack24SW2(config)#vlan filter ICMP_FILTER vlan-list 162


We have a few show commands that will show us what filters are in use.


Rack24SW2#show vlan filter


VLAN Map ICMP_FILTER is filtering VLANs: 162


Rack24SW2#show vlan filter vlan 162


Vlan 162 has filter ICMP_FILTER.


Rack24SW2#show vlan filter access-map ICMP_FILTER


VLAN Map ICMP_FILTER is filtering VLANs: 162


In this configuration the ACL permits the traffic that should be dropped. Could we
have done the reverse? An alternative is to use an action of forward and then
deny the ICMP traffic in the ACL. Let's look at this.


Rack24SW2(config)#vlan access-map ICMP_FILTER 10
Rack24SW2(config-access-map)#action forward
Rack24SW2(config-access-map)#match ip address 100
Rack24SW2(config-access-map)#exit
Rack24SW2(config)#vlan access-map ICMP_FILTER 20
Rack24SW2(config-access-map)#action drop
Rack24SW2(config-access-map)#exit


The logic is reversed here: we forward only the traffic that matches and drop the
rest. We also need to modify ACL 100.


Rack24SW2(config)#access-list 100 deny icmp 205.90.31.0 0.0.0.255 any echo
Rack24SW2(config)#access-list 100 permit ip any any


ICMP echo from 205.90.31.0 is denied by the ACL, which in a VLAN map means it does
not match sequence 10 and is dropped by sequence 20, while all other IP matches and
is forwarded. Should work like a charm, right? And it might, for a while… There is a
pitfall in this configuration. We have allowed all IP, but there is one other quite
important protocol used on Ethernet segments: the one we use when we know the IP
address of a host but need to find out its MAC address. Yes, it is ARP. ARP is not
IP, so it can never match the IP access-list in sequence 10 and falls through to the
drop in sequence 20; with this access-map all ARP will be dropped. Some traffic might
still go through while there are entries in the ARP cache, but as soon as they time
out there will be a problem. If we need to allow ARP we can do that by creating a MAC
access-list and matching it in the access-map with a forward action ahead of the
final drop.


Rack24SW2(config)#mac access-list extended PERMIT_ARP
Rack24SW2(config-ext-macl)#permit any any 0x806 0x0
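To make the pitfall concrete, here is an added Python model of how a Catalyst switch walks a VLAN map; it is example code written for this post, not the lab configuration. It encodes two rules from the Cisco documentation (a deny in the matched ACL means "no match", and anything no sequence matches hits the implicit drop at the end of the map) and assumes the PERMIT_ARP MAC ACL is referenced from a sequence 15 with match mac address and action forward, a sequence number chosen here rather than taken from the post. It runs the drop-on-match variant, the forward-on-match variant and the ARP-fixed variant against a constructed backbone echo request, an ARP request and ordinary TCP.

```python
# Added model of Cisco VLAN access-map (VACL) evaluation, not the post's own config.
# Every ACL, access-map and frame below is constructed to mirror the lab.
from ipaddress import ip_address, ip_network
ETH_IP, ETH_ARP = 0x800, 0x806

def ip_acl_matches(acl, frame):
    # First ACE that hits decides: permit = match, deny = no match (not drop).
    # Non-IP frames never match an IP ACL; no hit at all is the implicit deny.
    if frame["etype"] != ETH_IP:
        return False
    for action, proto, src, icmp_type in acl:
        if proto not in ("ip", frame["proto"]):
            continue
        if ip_address(frame["src"]) not in ip_network(src):
            continue
        if icmp_type is not None and frame.get("icmp_type") != icmp_type:
            continue
        return action == "permit"
    return False

def mac_acl_matches(acl, frame):  # MAC ACEs here match on EtherType only (None = any)
    for action, etype in acl:
        if etype is None or etype == frame["etype"]:
            return action == "permit"
    return False

def vacl_action(access_map, acls, frame):
    # Walk in order: no match clause = matches all; matched by no sequence = implicit drop.
    for _seq, action, match in access_map:
        if match is None:
            return action
        kind, name = match
        matcher = ip_acl_matches if kind == "ip" else mac_acl_matches
        if matcher(acls[name], frame):
            return action
    return "drop"
# Constructed frames: backbone echo request, ARP request, ordinary TCP from the backbone.
ECHO = {"etype": ETH_IP, "proto": "icmp", "src": "205.90.31.1", "icmp_type": 8}
ARP = {"etype": ETH_ARP}
TCP = {"etype": ETH_IP, "proto": "tcp", "src": "205.90.31.1"}
MAC_ACLS = {"PERMIT_ARP": [("permit", ETH_ARP)]}  # permit any any 0x806 0x0
# V1: drop on ACL match. V2: forward on ACL match. V3: V2 plus PERMIT_ARP referenced
# from an assumed sequence 15 (match mac address / action forward) before the drop.
V1_MAP = [(10, "drop", ("ip", 100)), (20, "forward", None)]
V1_ACLS = {100: [("permit", "icmp", "205.90.31.0/24", 8)], **MAC_ACLS}
V2_MAP = [(10, "forward", ("ip", 100)), (20, "drop", None)]
V2_ACLS = {100: [("deny", "icmp", "205.90.31.0/24", 8), ("permit", "ip", "0.0.0.0/0", None)], **MAC_ACLS}
V3_MAP = V2_MAP[:1] + [(15, "forward", ("mac", "PERMIT_ARP"))] + V2_MAP[1:]
def results(amap, acls):  # (echo, arp, tcp) actions for one access-map variant
    return tuple(vacl_action(amap, acls, f) for f in (ECHO, ARP, TCP))
```

results(V2_MAP, V2_ACLS) comes back as ('drop', 'drop', 'forward'): the ARP request dies even though every IP packet was permitted, and only V3 restores it.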


So now you know how to filter traffic within a VLAN. There is almost always more than
one solution, but we need to be careful when thinking through the alternatives.
