RE: IP access-list

From: Rohan Grover (rohang@cisco.com)
Date: Thu Jul 15 2004 - 08:24:27 GMT-3

• Next message: gladston@br.ibm.com: "Re: RE: Passed in RTP!!!! 13637"
• Previous message: Carlos G Mendioroz: "nat static + no_alias ?"
• Maybe in reply to: thunai: "IP access-list"
• Next in thread: Richard Dumoulin: "RE: IP access-list"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hi,

Is local PBR the only way to stop locally generated traffic?

Are there any other ways of doing this?

Thanks
Rohan

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Richard Gallagher
Sent: Thursday, July 15, 2004 4:34 PM
To: thunai
Cc: ccielab@groupstudy.com
Subject: Re: IP access-list

Outbounds access-list in not applied to locally generated traffic, it will work for traffic transiting the router though.

If you want to stop locally generated traffic then look into doing local PBR.

Rich

On Thu, 2004-07-15 at 12:40, thunai wrote:
> Dear all ,
> I am working on the following config , I am trying to block
> all the packets going thru an interface. I configured an ACL and
> applied it to the interface on the OUT direction. Its not doing any
> filtering I am able to ping the neighbor interface, However when I
> apply it to the in direction it filters and I have acl log matches.
>
> Can you please check , I am missing something
>
>
> r1#ru inter as 9
> Building configuration...
>
> Current configuration:
> !
> interface Async9
> ip address 150.100.13.1 255.255.255.0
> ip access-group 105 out
> no ip directed-broadcast
> encapsulation ppp
> no ip route-cache
> no ip mroute-cache
> async default routing
> async mode dedicated
> no peer neighbor-route
> end
>
> r1#acl
> Extended IP access list 105
> deny ip any any log
> deny icmp any any log
> r1#ping 150.100.13.3
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 150.100.13.3, timeout is 2 seconds:
> !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max =
> 244/245/248 ms
> r1#
> r1#acl
> Extended IP access list 105
> deny ip any any log
> deny icmp any any log
> r1#
>
>
> Regds
> Thunai
>
> ______________________________________________________________________
> _
> Please help support GroupStudy by purchasing your study materials from:
> http://shop.groupstudy.com
>
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

• Next message: gladston@br.ibm.com: "Re: RE: Passed in RTP!!!! 13637"
• Previous message: Carlos G Mendioroz: "nat static + no_alias ?"
• Maybe in reply to: thunai: "IP access-list"
• Next in thread: Richard Dumoulin: "RE: IP access-list"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Sun Aug 01 2004 - 10:11:56 GMT-3