Transparent Cisco IOS Firewall

This topic is to discuss the following lesson:

Hi all, I labbed up transparent bridging. R1 is able to ping R3 etc. and everything seems to be working; however, when I apply the access-list to interface Fa0/1 of R2, it seems like it never gets a hit. Traffic continues to flow, there’s no dropping of traffic. Any idea why?

So from what I can tell, when the traffic comes back from R3, R2 only looks at the layer 2 information. Since R2 knows the frame is destined for the MAC address, it switches the frame at layer 2. In other words, the ACL is never checked. So how Rene did this lab is a mystery to me…
I’m doing the lab in gns3 using Cisco IOS Software, 3700 Software (C3725-ADVENTERPRISEK9-M), Version 12.4(25)

Hello Kam

Pinging from R1 to R3 will work whether you have the access list applied to Fa0/1 or not, as the access list will allow traffic from R1 to R3 as well as responding traffic. Try pinging from R3 to R1 to see if the access list is blocking.

Now it is true that the access list is applied to a layer 2 interface; however, access lists that are configured to inspect TCP, UDP and ICMP, as is the case here, will also check higher-level protocols to determine if a frame can be forwarded or should be dropped.

Let us know of your results and if need be, we can help you further…

I hope this has been helpful!

Laz

Hi Lagapides

According to the wording “This means that R1 and R3 will be in the same layer 2 domain.”, does it mean that if a broadcast storm happens from R1 then it affects R3, right?
If yes, how do we limit a broadcast storm?
Can we configure storm-control broadcast level as on a Cisco switch?

Hello Vittawat

Yes that is correct. In the specific topology, R2 would essentially function as a switch so any broadcasts sent on Fa0/0 of R1 would reach the Fa0/0 interface of R3.

Now as for your question about limiting broadcast storms, for a topology similar to that in the lesson, a broadcast storm would not be a possibility. This is because there are only two hosts in the link, R1 and R3. A broadcast storm is a concern only when there are tens or even hundreds of devices within the same broadcast domain. Typically when you configure a router to function as a layer two bridge, you wouldn’t connect it to a LAN with many devices, but it would most likely be a point to point connection, so no storm control configurations need be implemented.

I hope this has been helpful!

Laz

Hi aujla3,

I labbed it up and I too notice that access list R3-TO-R1 is not hit. CBAC also shows no traffic.
On R2:

interface FastEthernet0/0
 no ip address
 ip inspect CBAC in

interface FastEthernet0/1
 no ip address
 ip access-group R3-TO-R1 in

ip access-list extended R3-TO-R1
 deny   ip any any

ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC icmp

R3#ping 192.168.13.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.13.1, timeout is 2 seconds:
!!!!!

R2#show access-list R3-TO-R1
Extended IP access list R3-TO-R1
    10 deny ip any any

R2#show ip inspect sessions

R2#

I just labbed this up again, just in case I’m not losing my mind :grin:

On Cisco VIRL, it’s also not working for me. I can ping between R3 and R1 without issues and I don’t get any hits on my access-lists.

On my older 2800 routers running IOS 15.1(4)M10 it’s working though:

R1#show version 
Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 15.1(4)M10, RELEASE SOFTWARE (fc2)

Let’s enable a debug on R2:

R2#debug ip packet
IP packet debugging is on

Try a ping from R3:

R3#ping 192.168.13.1 repeat 1000 timeout 0

R2 drops them:

R2#show access-lists R3-TO-R1
Extended IP access list R3-TO-R1
    10 deny ip any any (1027 matches)

Ping from R1:

R1#ping 192.168.13.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.13.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

This is traffic that R2 inspects:

R2#show ip inspect sessions 
Established Sessions
 Session 49BFA068 (192.168.13.1:8)=>(192.168.13.3:0) icmp SIS_OPEN

Rene
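Laz's advice earlier in the thread (ping from R3 to R1 and look for hits) and Rene's verification above both come down to reading two pieces of IOS output: the match counters in "show access-lists" before and after the test traffic, and the entries in "show ip inspect sessions". The following script, added here as an example and not part of the lesson or of any poster's lab, parses both outputs and reports whether the transparent firewall is actually enforcing. The sample outputs are constructed to mirror the excerpts quoted in the thread; the function names and the dataclass are my own and not a Cisco API.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample output, modelled on the "show access-lists R3-TO-R1"
# and "show ip inspect sessions" excerpts quoted in this thread.
ACL_BEFORE = """\
Extended IP access list R3-TO-R1
    10 deny ip any any
"""

ACL_AFTER = """\
Extended IP access list R3-TO-R1
    10 deny ip any any (1027 matches)
"""

INSPECT_SESSIONS = """\
Established Sessions
 Session 49BFA068 (192.168.13.1:8)=>(192.168.13.3:0) icmp SIS_OPEN
"""

# One ACE line: "<seq> permit|deny <rest> [(N matches)]"
ACE_RE = re.compile(
    r"^\s*(\d+)\s+(permit|deny)\s+(.+?)(?:\s+\((\d+) matches\))?\s*$"
)
# One CBAC session line: " Session <id> (src:sport)=>(dst:dport) <proto> <state>"
SESSION_RE = re.compile(
    r"^\s*Session\s+([0-9A-Fa-f]+)\s+\(([^:]+):(\d+)\)=>\(([^:]+):(\d+)\)\s+(\S+)\s+(\S+)\s*$"
)


@dataclass
class InspectSession:
    session_id: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    state: str


def parse_acl_counters(text: str) -> Dict[int, int]:
    """Return {sequence_number: match_count}; an ACE with no counter shown is 0."""
    counters: Dict[int, int] = {}
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            counters[int(m.group(1))] = int(m.group(4) or 0)
    return counters


def acl_hit_delta(before: str, after: str) -> Dict[int, int]:
    """Per-ACE increase in matches between two snapshots of the same ACL."""
    b = parse_acl_counters(before)
    a = parse_acl_counters(after)
    return {seq: a.get(seq, 0) - b.get(seq, 0) for seq in a}


def acl_is_enforcing(before: str, after: str, deny_seq: int = 10) -> bool:
    """True if the deny ACE gained hits during the test, i.e. the ACL is consulted."""
    return acl_hit_delta(before, after).get(deny_seq, 0) > 0


def parse_inspect_sessions(text: str) -> List[InspectSession]:
    """Parse the session lines of 'show ip inspect sessions'; header lines are skipped."""
    sessions: List[InspectSession] = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            sessions.append(InspectSession(
                session_id=m.group(1),
                src=m.group(2), sport=int(m.group(3)),
                dst=m.group(4), dport=int(m.group(5)),
                proto=m.group(6), state=m.group(7),
            ))
    return sessions


def sessions_initiated_by(sessions: List[InspectSession], src_ip: str) -> List[InspectSession]:
    """CBAC sessions whose initiator is src_ip (the trusted side, R1 in the lesson)."""
    return [s for s in sessions if s.src == src_ip]


def firewall_report(acl_before: str, acl_after: str, inspect_out: str, trusted_ip: str) -> Dict[str, object]:
    """Summarise what an operator wants to know after running the two pings."""
    sessions = parse_inspect_sessions(inspect_out)
    return {
        "acl_enforcing": acl_is_enforcing(acl_before, acl_after),
        "deny_hits": acl_hit_delta(acl_before, acl_after).get(10, 0),
        "inspect_sessions": len(sessions),
        "sessions_from_trusted_side": len(sessions_initiated_by(sessions, trusted_ip)),
    }


if __name__ == "__main__":
    print(firewall_report(ACL_BEFORE, ACL_AFTER, INSPECT_SESSIONS, "192.168.13.1"))
```

Paste the real outputs in place of the constructed strings: if "acl_enforcing" stays False after a sustained ping from R3 while "inspect_sessions" stays 0 after a ping from R1, the platform is bridging below the IP firewall, which is the symptom reported for the GNS3 and VIRL images in this thread.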