This topic is to discuss the following lesson:
Hi all, I labbed up transparent bridging. R1 is able to ping R3 etc. and everything seems to be working; however, when I apply the access-list to interface fa 0/1 of R2, it seems like it never gets a hit. Traffic continues to flow, there’s no dropping of traffic. Any idea why?
So from what I can tell, when the traffic comes back from R3, R2 only looks at the layer 2 information. Since R2 knows the frame is destined for the MAC address, it switches the frame at layer 2. In other words, the ACL is never checked. So how Rene did this lab is a mystery to me…
I’m doing the lab in GNS3 using Cisco IOS Software, 3700 Software (C3725-ADVENTERPRISEK9-M), Version 12.4(25)
Pinging from R1 to R3 will work whether you have the access list applied to Fa0/1 or not, as the access list will allow traffic from R1 to R3 as well as responding traffic. Try pinging from R3 to R1 to see if the access list is blocking.
Now it is true that the access list is applied to a layer 2 interface; however, access lists that are configured to inspect TCP, UDP and ICMP, as is the case here, will also check the higher-level protocols to determine whether a frame can be forwarded or should be dropped.
Let us know of your results and if need be, we can help you further…
I hope this has been helpful!
According to the wording “This means that R1 and R3 will be in the same layer 2 domain.”, does it mean that if a broadcast storm happens from R1 then it affects R3, right?
If yes, how do we limit a broadcast storm?
Can we configure STORM CONTROL BROADCAST LEVEL as on a Cisco switch?
Yes that is correct. In the specific topology, R2 would essentially function as a switch so any broadcasts sent on Fa0/0 of R1 would reach the Fa0/0 interface of R3.
Now as for your question about limiting broadcast storms, for a topology similar to that in the lesson, a broadcast storm would not be a possibility. This is because there are only two hosts on the link, R1 and R3. A broadcast storm is a concern only when there are tens or even hundreds of devices within the same broadcast domain. Typically, when you configure a router to function as a layer 2 bridge, you wouldn’t connect it to a LAN with many devices; it would most likely be a point-to-point connection, so no storm control configuration needs to be implemented.
I hope this has been helpful!
I labbed it up and I too noticed that access list R3-TO-R1 is not hit. CBAC also shows no traffic.
interface FastEthernet0/0
 no ip address
 ip inspect CBAC in
interface FastEthernet0/1
 no ip address
 ip access-group R3-TO-R1 in
ip access-list extended R3-TO-R1
 deny ip any any
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC icmp

R3#ping 192.168.13.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.13.1, timeout is 2 seconds:
!!!!!

R2#show access-list R3-TO-R1
Extended IP access list R3-TO-R1
    10 deny ip any any
R2#show ip inspect sessions
R2#
I just labbed this up again, just in case I’m not losing my mind.
On Cisco VIRL, it’s also not working for me. I can ping between R3 and R1 without issues and I don’t get any hits on my access-lists.
On my older 2800 routers running IOS 15.1(4)M10 it’s working though:
R1#show version
Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 15.1(4)M10, RELEASE SOFTWARE (fc2)
Let’s enable a debug on R2:
R2#debug ip packet
IP packet debugging is on
Try a ping from R3:
R3#ping 192.168.13.1 repeat 1000 timeout 0
R2 drops them:
R2#show access-lists R3-TO-R1
Extended IP access list R3-TO-R1
    10 deny ip any any (1027 matches)
Ping from R1:
R1#ping 192.168.13.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.13.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
This is traffic that R2 inspects:
R2#show ip inspect sessions
Established Sessions
 Session 49BFA068 (192.168.13.1:8)=>(192.168.13.3:0) icmp SIS_OPEN