Cisco Catalyst 2960-X – Adding ACL Rule for L2TP Packet Filtering

ciscocisco-catalystcisco-commandsipipv4

I am using a Cayalyst 2960-X series Cisco Switch, Whose 2 SFPs are connecting between 2 hosts (A,B).

A,B are connected to the switch's 1,2 ports respectively.
The host communicates using an l2tp based protocol. As you know l2tp is a link layer protocol.

As part of the l2tp traffic sourced at host A whose destination is B, there are few packets I want to deny from getting to port 2 / Host B.

The packets that I want to drop have a source MAC address of 88:77:66:55:44:33 in their Ethernet 2 metadata, which is part of the whole l2tp packet (see the byte layout bellow).

I would like to set a rule or an access list that drops the l2tp packet by inspecting its Ethernet 2 attribute and in case the specific 88:77:66:55:44:33 MAC address appears in the SA.

I am familiar with the mac access-list command but every manual I had seen explicitly says that ACLs filter only non-IP protocols. In spite of that I tried to use mac access-list and indeed it didn't help.

Moreover, I found the Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS
Release 15.0(2)EX, and under the Restrictions for Configuring Network Security with ACLs section it says:

You cannot apply named MAC extended ACLs to Layer 3 interfaces.

Isn't it feasible to filter ip protocols by drill down and inspecting their Ethernet 2 Mac addresses data?

By sniffing the traffic between the 2 hosts, I can tell the packets has the following byte layout (As I see on Wireshark):

 0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |        Ethernet 2 (14 Bytes)     |       IP(20 Bytes)         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | IP  |L2TP 4B|HDLC 4B| Data                                    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Best Answer

There seems to be some confusion about this topic for you. Let's begin by clearing up a few details.

I am familiar with the mac access-list command but every manual I had seen explicitly says that ACLs filter only non-IP protocols.

If you think about this a bit, it makes sense. An IP packet doesn't contain a MAC addresses, so this would be difficult. However, IP traffic is encapsulated in a L2 protocol, typically Ethernet which does utilize MAC addresses.

You cannot apply named MAC extended ACLs to Layer 3 interfaces.

Again, this is natural. Since MAC ACLs function on L2, they wouldn't really need/want them on a L3 interface anyway.

However, by default interfaces on a 2960-X are layer 2 interfaces, so you can apply a MAC access-list to them.

So, this series of commands should provide the result you want (using the first SFP port on a WS-C2960X-48FPS-L so adjust as necessary):

! Create the ACL
mac access-list extended TestACL
deny host 8877.6655.4433 any
permit any any

! Now apply to the interface
interface Gi1/0/49
mac access-group TestACL in

Edit based on comments: if you want to rule out the source port being incorrect, you can use the following with the above ACL to block all traffic from that MAC going out the second SFP port:

! Now apply to the interface
interface Gi1/0/50
mac access-group TestACL out

If that doesn't work, then the MAC address has to be incorrect and you need to provide more information.

The ACL will work no matter if the MAC address table is updated dynamically or if you add a static entry. However, if the dynamic entry for this MAC is flapping between different ports, that could explain why the ACL didn't work as intended. Additionally, without additional features configured, the static entry will not have an effect on traffic arriving on a port, only on the destination port used for the traffic.

And finally, the packet being highlighted in red by Wireshark doesn't tell me much. Different versions of Wireshark have used different coloring rules, the default rules typically include a number of matches that get colored red, and many of us use our own custom rules. You would need to provide more detail or the actual capture for us to know what exactly that means.

Related Solutions

Cisco router + cable modem – How to configure routing

I'm making some assumptions on your setup and how exactly your ISP is giving you these IPs, so if any of this is wrong I apologize and will happily change my answer

For your internal network I would suggest you setup a DHCP pool for your workstations and statically assign IPs to your servers. I'll leave the DHCP pool setup for you, as I think you're mainly aiming to make sure both public IPs are utilized by the proper networks.

i.e.
  172.16.1.0/24 for your workstations, with DHCP, assigned to VLAN10
  172.16.2.0/29 for your servers, statically assigned, on VLAN20

That all being said here is what I personally would try and setup to get your gear online.

int g0/0
  ip address dhcp

This will pull an IP from your modem and give it to your external port. I suspect it will be an ISP internal IP because I doubt they'd give your modem a publicly routable IP. That'd be weird.

In this scenario, you should not be manually inputting any default routes on your router as it should all be supplied from the DHCP pull.

int g0/1.10
  ip address 172.16.1.1 255.255.255.0
int g0/1.20
  ip address 172.16.2.1 255.255.255.248

This setups the internal gateways for your two networks. So all your workstations will be pointing to 172.16.1.1 and your servers to 172.16.2.1

After that you'll need to setup NAT rules on the router to handle passing of traffic outwards for your workstations.

int g0/0
  ip nat outside

This setups your external facing interface as your outside nat interface.

int g0/1.10
  ip nat inside

This setups your internal facing interface as an inside nat interface.

Router(config)# ip nat pool internet 128.66.0.2 128.66.0.2 prefix 24

Creates a NAT pool named internet being translated to one of your public IPs.

Router(config)# ip nat inside source list 7 pool name internet overload

This says to NAT all IPs in list 7 to the NAT pool you just created and that you can overload it. Which is to say more than one internal IP can use the same external IP.

Router(config)# access-list 7 172.16.1.0 0.0.0.255

Creates the list referenced in the previous command. Now onto NAT for your servers, which I suggest be statically assigned if you want them publicly available.

int g0/1.20
  ip nat inside

Same as before, this setups your internal interface as an inside NAT interface.

Router(config)# ip nat inside source static 172.16.2.(2-6) 128.66.1.(2-6)

A new line for each static assignment is needed. This creates a static translation between your internal IP and your external IP that was assigned to you.

As for your switch; all you would need to do is properly tag your ports depending on what is plugged in and make sure your trunk is passing both VLANs.

At this point both subnets should hitting your router, and your router should know where to pass the traffic, be it internally (your workstations getting to your servers) or externally (internet). Access control can either be setup with ACLs on the router, a stand-alone firewall, or firewalls on your servers.

Now this all hinges on how your ISP has your modem setup. If it works the way I think it works, when your external interface pulls it's information through DHCP, your router should populate both your public IP ranges so that when your router NATs it knows where to send your traffic.

I suspect someone will give a better written answer, but hopefully this points you in the correct direction.

I also referenced the following link for help on the NAT parts as they are definitely not something I play with very often.

http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13772-12.html

Cisco Catalyst – How to Access 2960 Series Switch Port Mirroring Interface

You can connect to the console port of the switch to configure it. Use the provided console cable. This will connect you to the CLI interface, and this is how you will initially configure the switch.

You can then configure an SVI with an IP address in a VLAN on the switch, and configure the default gateway in the same VLAN for the switch to use. You can use this address to manage the switch remotely. To use the CLI, you will also need to configure a password on the the VTY lines. The default would be to use telnet, but you can configure something else, e.g SSH, but that is more complicated, albeit more secure.

You probably want to use the CLI interface, rather than the HTTP server, to manage the switch.

Best Answer

Related Solutions

Cisco router + cable modem – How to configure routing

Cisco Catalyst – How to Access 2960 Series Switch Port Mirroring Interface

Related Topic