RE: Policy routing question

From: Mustafa Bayramov (ICT/IT) (mustafa@azercell.com)
Date: Wed Sep 03 2003 - 19:40:36 GMT-3


You can block traffic with the new MQC feature
(12.2T Unconditional Packet Discard).

(Note: undocumented on the DocCD. You can attach a service-policy that blocks
traffic only as an output service-policy.)

class-map class1
        match access-group 101
!
policy-map policy1
        class class1
                drop
!
interface s2/0
        service-policy output policy1

Mustafa M Bayramov

CISSP
CCNP,CCDP,Cisco Security Specialist
Network engineer and security analyst
 
 
"I know nothing except the fact of my ignorance." Socrates

 

Regards

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
balaji.balakrishnan
Sent: Monday, September 01, 2003 10:39 PM
To: ccielab@groupstudy.com
Subject: Policy routing question

Hi all,

Task is to Deny/ permit packets based on the source ip address. You are
allowed to change only the access-list entries.

* Task 1 : Should able to block few more IPs and allow all other IPs
* Task 2 : Allow all the IPs

The basic config would be using policy routing on the inbound
interface..like.

interface eth 0/0
ip policy route-map BLOCK
!
route-map BLOCK permit 10
match ip address BLOCK_IP
set interface Null0
!
ip access-list standard BLOCK_IP
 permit 192.168.1.1
!
In this case, 192.168.1.1 will be policy routed and dropped. All other IPs
would follow normal routing.

Task 1 is easy to implement, as we can keep on adding access-list entries.
I am not sure how to do Task 2. If you remove all the entries in the access-list,
it will be empty and then by default all are
permitted. Thus all would be policy routed and would be blocked.

Also, I thought if we define it like this,

route-map BLOCK deny 10
match ip address BLOCK_IP
set interface Null0
!
ip access-list standard BLOCK_IP
deny 192.168.1.1

I thought packets with route-map deny and access-list deny would be
policy routed and all others normally routed, so that if you
keep the access-list empty, then all the packets would be normally routed as per
Task 2. But this did not work. When I configured it like
this, irrespective of the access-list entries, I see all the packets are
normally routed.

Can anyone tell me one good solution for this? Can this be done using a
different method other than policy routing?

-Bala.

[GroupStudy removed an attachment of type application/x-pkcs7-signature
which had a name of smime.p7s]
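The thread turns on two IOS behaviours: a standard ACL is read top-down with first match winning and an implicit deny at the end, and a route-map is read sequence by sequence, where the first sequence whose match clause passes decides the packet's fate (a permit sequence applies its set clause, a deny sequence hands the packet to normal routing, and falling off the end also means normal routing). The following Python model is an added example, not code from either post, and the route-map layout it encodes is one way to meet both tasks by editing only ACL lines: a deny sequence that matches the ACL, followed by a permit sequence with no match clause that sends everything else to Null0. The ACL lists the blocked hosts as deny lines and always ends in "permit any", so it is never empty and the empty-ACL behaviour Bala ran into never comes into play. The ACL and route-map names are taken from Bala's post; the sample source addresses are constructed. It also reproduces why his second attempt routed everything normally. Verify the modelled semantics on the lab router before relying on them.

```python
import ipaddress

# Added example, not from the thread. Models IOS policy routing decisions:
#   * standard ACL: top-down, first match wins, implicit deny at the end;
#   * route-map: sequences in order; first sequence whose match passes
#     decides. 'permit' -> apply set clause (policy route); 'deny' ->
#     normal routing; no sequence matching -> normal routing.
# Deliberately NOT modelled: what IOS does with an *empty* ACL referenced
# from a route-map, because the design below never leaves the ACL empty.


class StandardAcl:
    """Entries are ('permit'|'deny', 'a.b.c.d' | 'any'), in config order."""

    def __init__(self, entries):
        self.entries = []
        for action, target in entries:
            net = (ipaddress.ip_network("0.0.0.0/0") if target == "any"
                   else ipaddress.ip_network(target))  # host entry -> /32
            self.entries.append((action, net))

    def permits(self, src):
        addr = ipaddress.ip_address(src)
        for action, net in self.entries:
            if addr in net:
                return action == "permit"   # first match wins
        return False                        # implicit deny


class RouteMap:
    """Sequences are (action, acl_or_None, set_target_or_None); acl None
    means the sequence has no match clause and therefore matches everything."""

    def __init__(self, sequences):
        self.sequences = sequences

    def route(self, src):
        for action, acl, target in self.sequences:
            matched = True if acl is None else acl.permits(src)
            if not matched:
                continue                    # try the next sequence
            if action == "deny":
                return "normal"             # matched a deny sequence: not policy routed
            return target or "normal"       # permit: apply the set clause
        return "normal"                     # fell off the end of the route-map


def build_block_map(blocked_hosts):
    """Equivalent IOS config (names from Bala's post):
        route-map BLOCK deny 10
         match ip address BLOCK_IP
        route-map BLOCK permit 20
         set interface Null0
        !
        ip access-list standard BLOCK_IP
         deny <one line per blocked host>
         permit any
    Only the ACL lines change between Task 1 and Task 2."""
    acl = StandardAcl([("deny", h) for h in blocked_hosts] + [("permit", "any")])
    return RouteMap([("deny", acl, None), ("permit", None, "Null0")])


def decide(blocked_hosts, sources):
    """Map each source address to 'Null0' (dropped) or 'normal' (routed)."""
    rm = build_block_map(blocked_hosts)
    return {src: rm.route(src) for src in sources}


def bala_attempt(sources):
    """Bala's second try: a single deny sequence with 'set interface Null0'
    and an ACL holding only 'deny 192.168.1.1'. With the implicit deny the
    ACL permits nothing, so the sequence never matches and every packet is
    routed normally, which is what he observed."""
    acl = StandardAcl([("deny", "192.168.1.1")])
    rm = RouteMap([("deny", acl, "Null0")])
    return {src: rm.route(src) for src in sources}


if __name__ == "__main__":
    # Constructed sample sources, not from the thread.
    hosts = ["192.168.1.1", "10.0.0.5", "172.16.3.9"]
    print("Task 1 (two hosts blocked):", decide(["192.168.1.1", "10.0.0.5"], hosts))
    print("Task 2 (ACL is just 'permit any'):", decide([], hosts))
    print("Bala's deny-sequence attempt:", bala_attempt(hosts))
```

Running it shows the two blocked hosts landing on Null0 and the third routed normally for Task 1, everything routed normally for Task 2 once the ACL is reduced to "permit any", and every packet routed normally under Bala's deny-sequence layout. The ACL-only editing constraint is met because the route-map never changes; the model is only as good as the semantics listed in its header comment, so confirm them with `show route-map` counters on the real box.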



This archive was generated by hypermail 2.1.4 : Wed Oct 01 2003 - 07:24:22 GMT-3