RE: IP access-list

From: Richard Dumoulin (richard.dumoulin@vanco.es)
Date: Thu Jul 15 2004 - 09:52:59 GMT-3


Why would you stop locally generated traffic? If, say, you have RIP, you can
stop it with the "passive-interface" command. What I mean is you have
absolute control of your router ...

--Richard

-----Original Message-----
From: Rohan Grover [mailto:rohang@cisco.com]
Sent: Thursday, July 15, 2004 13:24
To: 'Richard Gallagher'; 'thunai'
Cc: ccielab@groupstudy.com
Subject: RE: IP access-list

Hi,

Is local PBR the only way to stop locally generated traffic?

Are there any other ways of doing this?

Thanks
Rohan

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Richard Gallagher
Sent: Thursday, July 15, 2004 4:34 PM
To: thunai
Cc: ccielab@groupstudy.com
Subject: Re: IP access-list

An outbound access-list is not applied to locally generated traffic; it will
work for traffic transiting the router though.

If you want to stop locally generated traffic then look into doing local
PBR.

Rich

On Thu, 2004-07-15 at 12:40, thunai wrote:
> Dear all,
> I am working on the following config. I am trying to block
> all the packets going through an interface. I configured an ACL and
> applied it to the interface in the OUT direction. It's not doing any
> filtering; I am able to ping the neighbor interface. However, when I
> apply it to the in direction it filters and I have ACL log matches.
>
> Can you please check? I am missing something.
>
>
> r1#ru inter as 9
> Building configuration...
>
> Current configuration:
> !
> interface Async9
> ip address 150.100.13.1 255.255.255.0
> ip access-group 105 out
> no ip directed-broadcast
> encapsulation ppp
> no ip route-cache
> no ip mroute-cache
> async default routing
> async mode dedicated
> no peer neighbor-route
> end
>
> r1#acl
> Extended IP access list 105
> deny ip any any log
> deny icmp any any log
> r1#ping 150.100.13.3
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 150.100.13.3, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 244/245/248 ms
> r1#
> r1#acl
> Extended IP access list 105
> deny ip any any log
> deny icmp any any log
> r1#
>
>
> Regds
> Thunai
>
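
Added example (not part of the original thread, and not any poster's config): a sketch of the local PBR approach mentioned above, dropping router-originated ICMP to the neighbor 150.100.13.3 from the thread. ACL number 110 and the route-map name BLOCK-LOCAL are hypothetical.

```cisco
! Constructed example; ACL 110 and route-map BLOCK-LOCAL are hypothetical names.
! In a policy route-map, an ACL "permit" entry means "select this packet for
! policy routing", so the traffic to be dropped is written as a permit here.
! (ACL 105 from the thread contains only deny entries and would select nothing.)
access-list 110 permit icmp any host 150.100.13.3
!
route-map BLOCK-LOCAL permit 10
 match ip address 110
 ! Selected packets are sent to the null interface, i.e. discarded.
 set interface Null0
!
! Local policy applies to packets the router itself originates, which is the
! traffic that "ip access-group 105 out" on Async9 never evaluates.
ip local policy route-map BLOCK-LOCAL
!
! Checks from exec mode:
!   show ip local policy         (confirms the route-map is attached)
!   show route-map BLOCK-LOCAL   (policy-routing match counters)
!   ping 150.100.13.3            (expected to time out once the policy is active)
```

Transit traffic is unaffected by the local policy and still needs the interface access-group for filtering.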



This archive was generated by hypermail 2.1.4 : Sun Aug 01 2004 - 10:11:56 GMT-3