From: Rob Hopkins (rshopkins@xxxxxxxxxxxxx)
Date: Sat Apr 14 2001 - 10:38:59 GMT-3
It just occurred to me you could use a route map,
match to an access list, and route to int null,
it should work, but it's a bit cumbersome...
----- Original Message -----
From: "McCoy, Jeffery" <jmccoy@neteffectcorp.com>
To: "'Rob Hopkins '" <rshopkins@earthlink.net>; <ccielab@groupstudy.com>
Sent: Saturday, April 14, 2001 9:13 AM
Subject: RE: deny traceroute packet!!!!!! (unresolved)
> with policy routing it is
> ip local policy route-map xxxxx
>
> perhaps it is something similar.
> -jeff
>
> -----Original Message-----
> From: Rob Hopkins
> To: ccielab@groupstudy.com
> Sent: 4/14/2001 6:18 AM
> Subject: Re: deny traceroute packet!!!!!! (unresolved)
>
> I believe this issue is still unresolved, I remember
> something about access-lists don't affect traffic
> generated by the router, but can remember how to
> restrict that traffic..
>
> from Caslow, p.685
> "..Access-lists do not affect the router that the
> access-list resides. .... To prevent access from the
> router an access-class statement must be used."
>
>
> Does anyone recall how to block outbound traffic
> generated by the router itself?
>
>
> How about:
>
> access 100 deny icmp any any
>
> J
>
> >>> Ilya Mazhara <willy@aspect.vyatka.ru> 03/19/01 09:12AM >>>
> Well look at this:
>
> Router2#sh access-li 103
> Extended IP access list 103
> deny ip any any (2 matches)
> Cut from sh run:
> !
> line con 0
> access-class 103 out
>
> And ping works..
> Router2#ping 170.10.5.1
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 170.10.5.1, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4
>
> ...but telnet doesn't:
> Router2#telnet 170.10.5.1
> Trying 170.10.5.1 ...
> % Connections to that host not permitted from this terminal
> Router2#sh access-li 103
> Extended IP access list 103
> deny ip any any (3 matches)
>
> Tracy Blackmore wrote:
> >
> > They will work on locally generated packets if you apply the ACL to the con
> > 0 line (if your session is on the console that is.)
> >
> > -----Original Message-----
> > From: Ilya Mazhara [mailto:willy@aspect.vyatka.ru]
> > Sent: Monday, March 19, 2001 3:16 AM
> > To: xuefengleng
> > Cc: Chun-Yu Chen; ccielab@groupstudy.com
> > Subject: Re: deny traceroute packet!!!!!!
> >
> > ACL doesn't act on locally generated packets if you try to do it.
> >
> > xuefengleng wrote:
> > >
> > > hi, Chun-Yu Chen
> > >
> > > interface Serial1
> > > ip address 150.4.102.2 255.255.255.0
> > > ip access-group 104 out
> > > no ip directed-broadcast
> > > no ip route-cache
> > >
> > > access-list 104 deny udp any any gt 30000
> > > access-list 104 permit ip any any
> > >
> > > It doesn't work, I promise! Would you try again? Or what am I missing?
> > >
> > > snow
> > >
> > > 01-3-19 15:37:00:
> > > >Hello,
> > > >
> > > >You can try as following
> > > >acl 100 deny udp any any gt 30000
> > > >acl 100 permit ip any any
> > > >
> > > >ip access 101 out.
> > > >
> > > >I have used this command.
> > > >It's workable.
> > > >
> > > >Regards
> > > >Jerry
> > > >
> > > >
> > > >----- Original Message -----
> > > >From: "xuefengleng" <xuefengleng@163.com>
> > > >To: <ccielab@groupstudy.com>
> > > >Sent: Monday, March 19, 2001 3:00 PM
> > > >Subject: deny traceroute packet!!!!!!
> > > >
> > > >
> > > >> ccielab gurus!
> > > >>
> > > >> I cannot deny traceroute output packet why?
> > > >>
> > > >> config:
> > > >>
> > > >> int s1
> > > >> ip acce 101 out
> > > >> acce 101 deny udp any any gt 33433
> > > >> acce 101 permit ip any any
> > > >>
> > > >> when I debug the ip packet, I found the udp sent out the s1 port, have
> > > >> you any experience about it ?
> > > >>
> > > >> well, I can deny the input traceroute packet anywhere.
> > > >>
> > > >> snow
> > > >>
> > > >>
> > > >> xuefengleng
> > > >> xuefengleng@163.com
> > > >>
> > > >>
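
The route-map idea from the top of this thread, combined with the `ip local policy route-map` command quoted in the first reply, as an added configuration example that is not part of any post in the thread. ACL number 105 and the route-map name DROP-LOCAL-TRACE are assumptions; the interface, ACL 104 and the UDP port match are taken from the thread.

```cisco
! Added example, not from the thread. ACL 105 and the route-map name
! DROP-LOCAL-TRACE are hypothetical; interface and port match follow the thread.
!
! What the thread tried: an outbound interface ACL. It filters transit
! traffic only; packets the router itself originates are not checked.
interface Serial1
 ip access-group 104 out
!
access-list 104 deny   udp any any gt 30000
access-list 104 permit ip any any
!
! Local policy routing is applied to router-originated packets.
! The ACL referenced by "match" must PERMIT the traffic to be discarded.
access-list 105 permit udp any any gt 33433
!
route-map DROP-LOCAL-TRACE permit 10
 match ip address 105
 set interface Null0
!
! Global command: applies the route-map to locally generated traffic.
! Packets that match no route-map entry are routed normally.
ip local policy route-map DROP-LOCAL-TRACE
!
! Checks from exec mode:
!   show ip local policy
!   show route-map DROP-LOCAL-TRACE   (policy-routing match counters)
!   traceroute 170.10.5.1             (expected to time out if the policy matches)
```

The match on `gt 33433` also discards any other UDP the router sources to ports above 33433, so the ACL should be narrowed if the router originates other high-port UDP traffic.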
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:29:45 GMT-3