Re: acl basics

From: Vladimir Osipenko <tiffolk_at_gmail.com>
Date: Tue, 5 Jul 2011 10:47:43 +0400

Won't "ip local policy" block router traffic?

On 5 July 2011 09:34, Aaron Riemer <ariemer_at_amnet.net.au> wrote:
> Interesting. Thanks guys much appreciated!
>
> -Aaron.
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Brian McGahan
> Sent: Tuesday, 5 July 2011 12:41 PM
> To: Aaron Riemer
> Cc: Cisco certification
> Subject: Re: acl basics
>
> Locally generated packets are not subject to ACLs applied outbound on an
> interface. It has to do with the order of operations of the classifier on
> the interface. You'd see the same result if you said "deny ip any any" in
> your list.
>
> Local policy routing won't work unless it's a much older IOS version, as
> local control plane traffic is not subject to local policy routing anymore.
>
> The workaround is simply that you have to apply the ACL in on the other
> side.
>
> HTH,
>
> Brian McGahan, CCIE #8593 (R&S/SP/Security)
> bmcgahan_at_INE.com
>
> Internetwork Expert, Inc.
> http://www.INE.com
>
> On Jul 4, 2011, at 10:52 PM, "Aaron Riemer" <ariemer_at_amnet.net.au> wrote:
>
>> Hey guys,
>>
>> I am playing with EIGRP and wanted to mess with some ACLs to verify my
>> understanding of the query and reply process.
>>
>> I have an ACL below on one router where I am hoping to allow eigrp
>> multicast packets but deny any unicast.
>>
>> ip access-list extended block-eigrp
>>  permit eigrp any host 224.0.0.10
>>  deny eigrp any any
>>
>> interface serial0/0
>>  ip access-group block-eigrp out
>>
>> This doesn't seem to block router EIGRP unicast packets at all. I have got
>> around this by blocking at the other end in the 'in' direction but I am
>> just curious as to why this isn't working.
>>
>> My thoughts are it has something to do with the fact that the traffic is
>> originated from the router itself and as such is not subject to the rules
>> of the ACL. No matches on the ACL seem to confirm this.
>>
>> Local policy routing?
>>
>> Thanks,
>>
>> -Aaron.
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
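The inbound-side workaround Brian describes, written out as an added example that is not part of this thread. The ACL body is Aaron's; the neighbour's interface name Serial0/1, the log keyword and the trailing permit are assumptions:

```cisco
! Added example (not from the thread): the same filter, but applied inbound
! on the neighbouring router, where the first router's EIGRP packets are
! received rather than locally generated. Serial0/1 is an assumed name.
ip access-list extended block-eigrp
 permit eigrp any host 224.0.0.10
 deny eigrp any any log
 remark Without the line below, the implicit deny at the end of the list
 remark would also drop every non-EIGRP packet arriving on the interface.
 permit ip any any
!
interface Serial0/1
 ip access-group block-eigrp in
!
! Verification: inbound matches increment the per-entry hit counters that
! the outbound copy on the originating router never showed.
! show ip access-lists block-eigrp
! show ip eigrp neighbors
```

The log keyword makes denied unicast EIGRP packets visible in the router log for the test; it is optional and can be dropped once the behaviour is confirmed.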

Received on Tue Jul 05 2011 - 10:47:43 ART

This archive was generated by hypermail 2.2.0 : Mon Aug 01 2011 - 06:30:05 ART