From: Carlos G Mendioroz (tron@huapi.ba.ar)
Date: Wed Aug 01 2007 - 18:04:12 ART
Can you ACL filter locally generated traffic ?
Djerk Geurts @ 01/08/2007 15:42 -0300 dixit:
> If I want to block hellos from being sent out an interface on the
> router itself, can I use an ACL? I've tried it and it doesn't work...
>
> IOS: 3640 w/ 12.4(8c) or 12.4(7e) IP+
>
> interface FastEthernet0/0
> description *** C3548 F0/3 - VL3 O#3 ***
> ip address 15.1.3.3 255.255.255.0
> ip access-group NACL-R3-F0/0-OUT out
> ip ospf 1 area 3
>
>
> R3#sh access-list
> Extended IP access list NACL-R3-F0/0-OUT
> 10 deny ip any host 224.0.0.5
> 20 deny ospf any host 224.0.0.5
> 30 deny ospf any any
> 40 permit ip any any
>
> R3#
> *Mar 17 00:01:32.891: OSPF: Send hello to 224.0.0.5 area 3 on
> FastEthernet0/0 from 152.1.3.3
> *Mar 17 00:01:32.891: IP: s=152.1.3.3 (local), d=224.0.0.5
> (FastEthernet0/0), len 76, sending broad/multicast
>
> The debug shows that the router generates and sends hellos; the
> interface counters increase, as do the counters on the attached switch.
> So all in all, either one can't filter this on the router itself and I
> need to config it on the switch, or these IOSes are broken, or I'm
> doing something utterly wrong.
>
> I do have another solution that does work, which is to set the network
> type to non-broadcast. This stops the router from sending hellos, but if
> another device were to initiate a neighborship the router would respond,
> resulting in hellos being sent.
>
-- Carlos G Mendioroz <tron@huapi.ba.ar> LW7 EQI Argentina
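A small model, added here as an illustration and not taken from the thread, of why the ACL quoted above does not stop the hellos. It encodes Cisco's documented rule that an outbound interface ACL is consulted only for forwarded (transit) traffic, while packets the router generates itself bypass it, and evaluates the poster's NACL-R3-F0/0-OUT entries with first-match semantics and the implicit trailing deny. The packets are constructed for the example; the helper names (Packet, acl_lookup, egress) are the example's own, not IOS commands.

```python
"""Model of how an IOS interface output ACL is (not) applied to
router-originated packets. Added illustration, not from the thread;
the ACL is the one quoted above, the packets are constructed."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    proto: str                        # "ospf", "tcp", "udp", ...
    src: str
    dst: str
    locally_originated: bool = False  # True when the router itself built the packet


# The extended ACL as shown in the post (sequence numbers stripped).
NACL_R3_F00_OUT = [
    ("deny",   "ip",   "any", "host 224.0.0.5"),
    ("deny",   "ospf", "any", "host 224.0.0.5"),
    ("deny",   "ospf", "any", "any"),
    ("permit", "ip",   "any", "any"),
]


def _addr_matches(spec: str, addr: str) -> bool:
    """Match an ACL address term: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return ipaddress.ip_address(parts[1]) == ipaddress.ip_address(addr)
    net_addr, wildcard = parts
    # IOS wildcard bits set to 1 mean "don't care"; invert to get a netmask.
    mask = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.ip_address(net_addr)) & mask) == \
           (int(ipaddress.ip_address(addr)) & mask)


def _proto_matches(spec: str, proto: str) -> bool:
    # "ip" in an extended ACL entry matches every IP protocol.
    return spec == "ip" or spec == proto


def acl_lookup(acl, pkt: Packet) -> str:
    """First-match evaluation, with the implicit 'deny ip any any' at the end."""
    for action, proto, src, dst in acl:
        if (_proto_matches(proto, pkt.proto)
                and _addr_matches(src, pkt.src)
                and _addr_matches(dst, pkt.dst)):
            return action
    return "deny"


def egress(acl, pkt: Packet) -> str:
    """What the interface does with an outbound packet.

    Assumption encoded here (Cisco-documented behaviour): an outbound
    interface ACL filters only transit traffic. Packets the router
    originates, such as its own OSPF hellos, are never checked against it,
    so a deny entry that would match them has no effect.
    """
    if pkt.locally_originated:
        return "sent"
    return "sent" if acl_lookup(acl, pkt) == "permit" else "dropped"


if __name__ == "__main__":
    # The hello from the debug output: matches the ACL, but is still sent.
    hello = Packet("ospf", "152.1.3.3", "224.0.0.5", locally_originated=True)
    print("ACL would say:", acl_lookup(NACL_R3_F00_OUT, hello))   # deny
    print("interface does:", egress(NACL_R3_F00_OUT, hello))      # sent
    # A transit OSPF unicast (e.g. a virtual-link packet being forwarded) is dropped.
    transit = Packet("ospf", "15.1.3.1", "15.1.4.1")
    print("transit ospf:", egress(NACL_R3_F00_OUT, transit))      # dropped
```

The point the model makes is the one the poster observed: the debug line shows the hello marked "(local)", and that is exactly the class of packet the output ACL never sees, which is why the counters keep climbing and why filtering on the switch (or changing the OSPF network type, with the caveat the poster notes) is what actually works.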
This archive was generated by hypermail 2.1.4 : Sat Sep 01 2007 - 11:32:09 ART