RE: deny traceroute packet!!!!!! (....resolved)

From: max aronica (max_aronica@xxxxxxxxxxx)
Date: Sat Apr 14 2001 - 11:00:55 GMT-3

Access-list cannot be used at all for locally generated traffic. Local
policy can.

Try in this way:

- take your access-list that you normally would apply to an interface.
- rewrite it the other way round (permit what you want to deny)
- then configure
  !
  ip local policy route-map ciao
  !
  route-map ciao permit 10
     match ip address <acl nbr>
     set interface null 0
  !

- What you permit with the ACL is what you route to null 0.

Maybe it's not the shortest way, but I don't know other IOS tricks.
Max

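Max's recipe written out in full, as an added example that is not part of the thread: it uses the traceroute port range from the original question (UDP destination ports above 33433); the ACL number 104 and the route-map name are made up.

```cisco
! Added example, not from the thread: drop traceroute probes that the router
! itself originates, using the inverted ACL + local policy trick described above.
! ACL number and route-map name are assumptions.
!
! Step 1: the ACL is written backwards on purpose. Whatever it PERMITS is what
! the route-map will send to Null0. Cisco traceroute uses UDP destination
! ports 33434 and up, hence "gt 33433" as in the original question.
access-list 104 permit udp any any gt 33433
! Implicit "deny ip any any" at the end: everything else is left untouched
! and is forwarded normally.
!
! Step 2: route-map that discards whatever the ACL matches.
route-map DROP-LOCAL-TRACEROUTE permit 10
 match ip address 104
 set interface Null0
!
! Step 3: apply it to router-generated packets only. Transit traffic is not
! affected by local policy; interface ACLs still govern that.
ip local policy route-map DROP-LOCAL-TRACEROUTE
!
! Verification: the ACL and route-map match counters should increment when
! "traceroute" is run from the router itself. "ping" (ICMP) is not matched
! by this ACL and keeps working.
show ip local policy
show route-map DROP-LOCAL-TRACEROUTE
show access-lists 104
```
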
>From: "McCoy, Jeffery" <jmccoy@neteffectcorp.com>
>Reply-To: "McCoy, Jeffery" <jmccoy@neteffectcorp.com>
>To: "'Rob Hopkins '" <rshopkins@earthlink.net>,
>"'ccielab@groupstudy.com '" <ccielab@groupstudy.com>
>Subject: RE: deny traceroute packet!!!!!! (unresolved)
>Date: Sat, 14 Apr 2001 09:13:34 -0400
>
> with policy routing it is
>ip local policy route-map xxxxx
>
>perhaps it is something similar.
>-jeff
>
>-----Original Message-----
>From: Rob Hopkins
>To: ccielab@groupstudy.com
>Sent: 4/14/2001 6:18 AM
>Subject: Re: deny traceroute packet!!!!!! (unresolved)
>
>I believe this issue is still unresolved. I remember
>something about access-lists not affecting traffic
>generated by the router, but can't remember how to
>restrict that traffic..
>
>from Caslow, p.685
>"..Access-lists do not affect the router on which the
>access-list resides. .... To prevent access from the
>router an access-class statement must be used."
>
>
>Does anyone recall how to block outbound traffic
>generated by the router itself?
>
>How about:
>
>access 100 deny icmp any any
>
>J
>
> >>> Ilya Mazhara <willy@aspect.vyatka.ru> 03/19/01
>09:12AM >>>
>Well look at this:
>
>Router2#sh access-li 103
>Extended IP access list 103
> deny ip any any (2 matches)
>Cut from sh run:
>!
>line con 0
> access-class 103 out
>
>And ping works..
>Router2#ping 170.10.5.1
>
>Type escape sequence to abort.
>Sending 5, 100-byte ICMP Echos to 170.10.5.1, timeout
>is 2 seconds:
>!!!!!
>Success rate is 100 percent (5/5), round-trip
>min/avg/max = 4/4/4
>
>...but telnet doesn't:
>Router2#telnet 170.10.5.1
>Trying 170.10.5.1 ...
>% Connections to that host not permitted from this
>terminal
>Router2#sh access-li 103
>Extended IP access list 103
> deny ip any any (3 matches)
>
>Tracy Blackmore wrote:
> >
> > They will work on locally generated packets if you
> > apply the ACL to the con 0 line (if your session is
> > on the console that is.)
> >
> > -----Original Message-----
> > From: Ilya Mazhara [mailto:willy@aspect.vyatka.ru]
> > Sent: Monday, March 19, 2001 3:16 AM
> > To: xuefengleng
> > Cc: Chun-Yu Chen; ccielab@groupstudy.com
> > Subject: Re: deny traceroute packet!!!!!!
> >
> > ACLs don't act on locally generated packets if you try
> > to do it.
> >
> > xuefengleng wrote:
> > >
> > > hi, Chun-Yu Chen
> > >
> > > interface Serial1
> > > ip address 150.4.102.2 255.255.255.0
> > > ip access-group 104 out
> > > no ip directed-broadcast
> > > no ip route-cache
> > >
> > > access-list 104 deny udp any any gt 30000
> > > access-list 104 permit ip any any
> > >
> > > It doesn't work, I promise! Would you try again? Or
> > > what am I missing?
> > >
> > > snow
> > >
> > > On 01-3-19 15:37:00, you wrote:
> > > >Hello,
> > > >
> > > >You can try as following
> > > >acl 100 deny udp any any gt 30000
> > > >acl 100 permit ip any any
> > > >
> > > >ip access 101 out.
> > > >
> > > >I have used this command.
> > > >It's workable.
> > > >
> > > >Regards
> > > >Jerry
> > > >
> > > >
> > > >----- Original Message -----
> > > >From: "xuefengleng" <xuefengleng@163.com>
> > > >To: <ccielab@groupstudy.com>
> > > >Sent: Monday, March 19, 2001 3:00 PM
> > > >Subject: deny traceroute packet!!!!!!
> > > >
> > > >
> > > >> ccielab gurus!
> > > >>
> > > >> I cannot deny the traceroute output packets, why?
> > > >>
> > > >> config:
> > > >>
> > > >> int s1
> > > >> ip acce 101 out
> > > >> acce 101 deny udp any any gt 33433
> > > >> acce 101 permit ip any any
> > > >>
> > > >> When I debug the IP packets, I found the UDP
> > > >> sent out the s1 port. Have you any experience
> > > >> with this?
> > > >>
> > > >> Well, I can deny the input traceroute packets
> > > >> anywhere.
> > > >>
> > > >> snow
> > > >>
> > > >>
> > > >> xuefengleng
> > > >> xuefengleng@163.com
> > > >>
> > > >> **NOTE** All LAB SWAP messages should now be
>sent to the
> > > >> LAB SWAP Message board on groupstudy.com.
> > > >>
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:29:45 GMT-3