Policy routing question

From: balaji.balakrishnan (balaji.balakrishnan@swift.com)
Date: Mon Sep 01 2003 - 16:38:59 GMT-3


Hi all,

Task is to Deny/ permit packets based on the source ip address. You are allowed to change only the access-list entries.

* Task 1 : Should be able to block a few more IPs and allow all other IPs
* Task 2 : Allow all the IPs

The basic config would be using policy routing on the inbound interface, like:

interface eth 0/0
ip policy route-map BLOCK
!
route-map BLOCK permit 10
match ip address BLOCK_IP
set interface Null0
!
ip access-list standard BLOCK_IP
 permit 192.168.1.1
!
In this case, 192.168.1.1 will be policy routed and dropped. All other IPs would follow normal routing.

Task 1 is easy to implement as we can keep on adding access-list entries.
I am not sure how to do Task 2. If you remove all the entries in the access-list, it will be empty and then by default all are
permitted. Thus all would be policy routed and would be blocked.

Also, I thought if we define like,

route-map BLOCK deny 10
match ip address BLOCK_IP
set interface Null0
!
ip access-list standard BLOCK_IP
deny 192.168.1.1

I thought packets with route-map deny and access-list deny would be policy routed and all others normally routed, so that if you
keep the access-list empty, then all the packets would be normally routed as per Task 2. But this did not work. When I configured like
this, irrespective of access-list entries, I see all the packets are normally routed.

Can anyone tell me one good solution for this ?? can this be done using different method other than policy routing ??

-Bala.
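A small added model (not part of Bala's post or any Cisco code) of how a route-map "match ip address" against a standard ACL is evaluated, to show why the empty-ACL and deny-route-map attempts behave as the post describes. The evaluation rules coded here (an empty or undefined ACL matches everything, implicit deny at the end of a non-empty ACL, a matching deny clause or no match at all means normal routing) are assumptions about IOS, and the fourth case, an ACL holding only "deny any", is a consequence of those assumed rules rather than something the post reports.

```python
from ipaddress import ip_address, ip_network

# Constructed configs mirroring the post: (action, seq, match-acl, set-interface)
RM_PERMIT = [("permit", 10, "BLOCK_IP", "Null0")]
RM_DENY = [("deny", 10, "BLOCK_IP", "Null0")]
ACL_ONE_HOST = {"BLOCK_IP": [("permit", "192.168.1.1/32")]}
ACL_EMPTY = {"BLOCK_IP": []}
ACL_DENY_ANY = {"BLOCK_IP": [("deny", "0.0.0.0/0")]}   # an ACL holding only "deny any"


def acl_matches(acl, src):
    """Standard ACL as seen by 'match ip address' (assumed IOS behaviour):
    first matching entry wins, implicit deny at the end, and an empty or
    undefined list matches every source."""
    if not acl:
        return True
    for action, prefix in acl:
        if ip_address(src) in ip_network(prefix):
            return action == "permit"
    return False


def policy_route(route_map, acls, src):
    """Walk the route-map clauses in sequence order (assumed IOS behaviour).
    A matching permit clause applies its set (Null0 = drop); a matching deny
    clause, or no match at all, leaves the packet to normal routing."""
    for action, _seq, acl_name, set_iface in sorted(route_map, key=lambda c: c[1]):
        if acl_matches(acls.get(acl_name, []), src):
            return set_iface if action == "permit" else "normal"
    return "normal"


if __name__ == "__main__":
    cases = [("one host blocked", RM_PERMIT, ACL_ONE_HOST),
             ("empty ACL (Task 2 attempt)", RM_PERMIT, ACL_EMPTY),
             ("deny route-map", RM_DENY, ACL_ONE_HOST),
             ("ACL holding only deny any", RM_PERMIT, ACL_DENY_ANY)]
    for label, rm, acls in cases:
        for src in ("192.168.1.1", "10.0.0.5"):
            print(f"{label:28} {src:12} -> {policy_route(rm, acls, src)}")
```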




This archive was generated by hypermail 2.1.4 : Wed Oct 01 2003 - 07:24:21 GMT-3