On Tue, Jul 05, 2011 at 05:50:27, Aaron Riemer wrote:
> Subject: acl basics
>
> Hey guys,
>
> I am playing with EIGRP and wanted to mess with some ACLs to verify my
> understanding of the query and reply process.
>
> I have an ACL below on one router where I am hoping to allow EIGRP
> multicast packets but deny any unicast.
>
> ip access-list extended block-eigrp
>  permit eigrp any host 224.0.0.10
>  deny eigrp any any
>
> interface serial0/0
>  ip access-group block-eigrp out
>
> This doesn't seem to block router EIGRP unicast packets at all. I have
> got around this by blocking at the other end in the 'in' direction but
> I am just curious as to why this isn't working.
>
> My thoughts are it has something to do with the fact that the traffic
> is originated from the router itself and as such is not subject to the
> rules of the ACL. No matches on the ACL seem to confirm this.
>
> Local policy routing?
>
> Thanks,
>
> -Aaron.
>
Hi Aaron,

You have made a correct assumption. Locally generated packets are not
subject to the ACL. To disable those you would either have to run policy
routing or some form of Control Plane Policing.

HTH,
Daniel
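As an added illustration of the local policy routing option Daniel mentions (this configuration is not from the thread; the ACL name, route-map name and sequence number are chosen here for the example), the following IOS fragment drops the unicast EIGRP packets the router itself originates while leaving the multicast hellos and updates to 224.0.0.10 alone. The point that matters for egress filtering in general is the one Aaron observed: an `ip access-group ... out` on an interface is evaluated for transit traffic only, so router-sourced packets have to be caught with `ip local policy`, which is global rather than per interface.

```cisco
! Added example with hypothetical names, not configuration from the thread.
!
! Step 1: classify router-originated unicast EIGRP. Inside a route-map a
! "deny" ACL entry means "do not policy-route this packet", so the
! multicast traffic to 224.0.0.10 falls through to normal forwarding.
ip access-list extended local-eigrp-unicast
 deny   eigrp any host 224.0.0.10
 permit eigrp any any
!
! Step 2: a route-map that sends whatever the ACL permits to Null0,
! i.e. discards it.
route-map drop-local-eigrp-unicast permit 10
 match ip address local-eigrp-unicast
 set interface Null0
!
! Step 3: apply it to locally generated packets. This is a global
! setting; unlike an interface ACL it cannot be scoped to serial0/0
! except by adding source/destination addresses to the ACL above.
ip local policy route-map drop-local-eigrp-unicast
!
! Verification: these counters increment for router-sourced packets,
! which the outbound interface ACL in the original post never did.
!   show route-map drop-local-eigrp-unicast
!   show ip access-lists local-eigrp-unicast
```

Two caveats before using this outside a lab: local policy routing is applied to every packet the router generates, so a too-broad ACL can silently drop management traffic (SSH, SNMP, syslog) as well, and on many platforms locally policy-routed traffic is process-switched, so keep the ACL as narrow as the test needs.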
Blogs and organic groups at http://www.ccie.net
Received on Tue Jul 05 2011 - 06:40:39 ART
This archive was generated by hypermail 2.2.0 : Mon Aug 01 2011 - 06:30:05 ART