From: McCoy, Jeffery (jmccoy@xxxxxxxxxxxxxxxxx)
Date: Sat Apr 14 2001 - 10:13:34 GMT-3
with policy routing it is
ip local policy route-map xxxxx
perhaps it is something similar.
-jeff
-----Original Message-----
From: Rob Hopkins
To: ccielab@groupstudy.com
Sent: 4/14/2001 6:18 AM
Subject: Re: deny traceroute packet!!!!!! (unresolved)
I believe this issue is still unresolved, I remember
something about access-lists don't affect traffic
generated by the router, but can remember how to
restrict that traffic..
from Caslow, p.685
"..Access-lists do not affect the router that the
access-list resides. .... To prevent access from the
router an access-class statement must be used."
Does anyone recall how to block outbound traffic
generated by the router itself?
How about:
access 100 deny icmp any any
J
>>> Ilya Mazhara <willy@aspect.vyatka.ru> 03/19/01 09:12AM >>>
Well look at this:
Router2#sh access-li 103
Extended IP access list 103
deny ip any any (2 matches)
Cut from sh run:
!
line con 0
access-class 103 out
And ping works..
Router2#ping 170.10.5.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 170.10.5.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4
...but telnet doesn't:
Router2#telnet 170.10.5.1
Trying 170.10.5.1 ...
% Connections to that host not permitted from this terminal
Router2#sh access-li 103
Extended IP access list 103
deny ip any any (3 matches)
Tracy Blackmore wrote:
>
> They will work on locally generated packets if you apply the ACL to the con
> 0 line (if your session is on the console that is.)
>
> -----Original Message-----
> From: Ilya Mazhara [mailto:willy@aspect.vyatka.ru]
> Sent: Monday, March 19, 2001 3:16 AM
> To: xuefengleng
> Cc: Chun-Yu Chen; ccielab@groupstudy.com
> Subject: Re: deny traceroute packet!!!!!!
>
> ACL doesn't act on locally generated packets if you try to do it.
>
> xuefengleng wrote:
> >
> > hi, Chun-Yu Chen
> >
> > interface Serial1
> > ip address 150.4.102.2 255.255.255.0
> > ip access-group 104 out
> > no ip directed-broadcast
> > no ip route-cache
> >
> > access-list 104 deny udp any any gt 30000
> > access-list 104 permit ip any any
> >
> > It doesn't work, I promise! Would you try again? Or what am I missing?
> >
> > snow
> >
> > TZ 01-3-19 15:37:00 DzP 5@#:
> > >Hello,
> > >
> > >You can try as following
> > >acl 100 deny udp any any gt 30000
> > >acl 100 permit ip any any
> > >
> > >ip access 101 out.
> > >
> > >I have used this command.
> > >It's workable.
> > >
> > >Regards
> > >Jerry
> > >
> > >
> > >----- Original Message -----
> > >From: "xuefengleng" <xuefengleng@163.com>
> > >To: <ccielab@groupstudy.com>
> > >Sent: Monday, March 19, 2001 3:00 PM
> > >Subject: deny traceroute packet!!!!!!
> > >
> > >
> > >> ccielab gurus!
> > >>
> > >> I cannot deny traceroute output packet why?
> > >>
> > >> config:
> > >>
> > >> int s1
> > >> ip acce 101 out
> > >> acce 101 deny udp any any gt 33433
> > >> acce 101 permit ip any any
> > >>
> > >> when I debug the ip packet, I found the udp sent out the s1 port, have you any experience about it ?
> > >>
> > >> well, I can deny the input traceroute packet anywhere.
> > >>
> > >> snow
> > >>
> > >>
> > >>
> > >> xuefengleng
> > >> xuefengleng@163.com
> > >>
> > >> **NOTE** All LAB SWAP messages should now be sent to the
> > >> LAB SWAP Message board on groupstudy.com.
> > >>
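
Added example, not part of the original thread or written by any poster: one way to apply the `ip local policy route-map` suggestion from the top of the thread to traceroute probes generated by the router itself. The ACL number 105 and the route-map name DROP-LOCAL-TRACE are hypothetical; the port match is copied from ACL 101 in the original question, and support for `set interface Null0` in local policy on the IOS release in use is assumed.

```cisco
! Constructed example. ACL 105 and DROP-LOCAL-TRACE are hypothetical names.
!
! The interface ACL from the thread, shown for contrast. The posters report
! that it does not filter packets originated by the router itself:
!   interface Serial1
!    ip access-group 101 out
!
! Classify the traffic to drop: UDP with a high destination port
! (same match as "acce 101 deny udp any any gt 33433" in the question).
! In a route-map ACL, "permit" means "select this traffic for the policy".
access-list 105 permit udp any any gt 33433
!
! Policy: send selected packets to Null0, which discards them.
! Packets that do not match ACL 105 fall through and are routed normally.
route-map DROP-LOCAL-TRACE permit 10
 match ip address 105
 set interface Null0
!
! Apply the policy to packets generated by the router, not to transit traffic.
ip local policy route-map DROP-LOCAL-TRACE
!
! Checks after running a traceroute from the router:
!   show ip local policy      (confirms the route-map is attached)
!   show route-map            (policy routing match counters should increase)
```

The `gt 33433` match also selects any other router-originated UDP sent to a high destination port, so check the match counters against expected traffic before leaving the policy in place.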
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:29:45 GMT-3