Try it and let us know your results. 
Brian McGahan, CCIE #8593 (R&S/SP/Security)
bmcgahan_at_INE.com
 
Internetwork Expert, Inc.
http://www.INE.com
On Jul 5, 2011, at 1:47 AM, "Vladimir Osipenko" <tiffolk_at_gmail.com> wrote:
> Won't "ip local policy" block router traffic?
> 
> On 5 July 2011 09:34, Aaron Riemer <ariemer_at_amnet.net.au> wrote:
>> Interesting. Thanks guys much appreciated!
>> 
>> -Aaron.
>> 
>> -----Original Message-----
>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>> Brian McGahan
>> Sent: Tuesday, 5 July 2011 12:41 PM
>> To: Aaron Riemer
>> Cc: Cisco certification
>> Subject: Re: acl basics
>> 
>> Locally generated packets are not subject to ACLs applied outbound on an
>> interface. It has to do with the order of operations of the classifier on
>> the interface. You'd see the same result if you said "deny ip any any" in
>> your list.
>> 
>> Local policy routing won't work unless it's a much older IOS version, as
>> local control plane traffic is not subject to local policy routing anymore.
>> 
>> The workaround is simply that you have to apply the ACL in on the other
>> side.
>> 
>> HTH,
>> 
>> Brian McGahan, CCIE #8593 (R&S/SP/Security)
>> bmcgahan_at_INE.com
>> 
>> Internetwork Expert, Inc.
>> http://www.INE.com
>> 
>> On Jul 4, 2011, at 10:52 PM, "Aaron Riemer" <ariemer_at_amnet.net.au> wrote:
>> 
>>> Hey guys,
>>> 
>>> I am playing with EIGRP and wanted to mess with some ACLs to verify my
>>> understanding of the query and reply process.
>>> 
>>> I have an ACL below on one router where I am hoping to allow eigrp
>>> multicast packets but deny any unicast.
>>> 
>>> ip access-list extended block-eigrp
>>> permit eigrp any host 224.0.0.10
>>> deny   eigrp any any
>>> 
>>> interface serial0/0
>>> ip access-group block-eigrp out
>>> 
>>> This doesn't seem to block router EIGRP unicast packets at all. I have got
>>> around this by blocking at the other end in the 'in' direction but I am
>>> just curious as to why this isn't working.
>>> 
>>> My thoughts are it has something to do with the fact that the traffic is
>>> originated from the router itself and as such is not subject to the rules
>>> of the ACL. No matches on the ACL seems to confirm this.
>>> 
>>> Local policy routing?
>>> 
>>> Thanks,
>>> 
>>> -Aaron.
>>> 
>>> Blogs and organic groups at http://www.ccie.net
>>> 
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
Received on Tue Jul 05 2011 - 10:47:23 ART
This archive was generated by hypermail 2.2.0 : Mon Aug 01 2011 - 06:30:05 ART
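An added configuration example, not posted by anyone in the thread, showing the workaround Brian describes: the outbound ACL on the originating router never matches its own EIGRP packets, so the same filter is placed inbound on the neighbor, where the packets are transit traffic and are classified. Hostnames R1/R2 and the interface names are assumptions; the trailing "permit ip any any" is added because the list otherwise ends in an implicit deny of all other traffic.

```cisco
! R1 (assumed hostname): the router that originates the EIGRP packets.
! This is the placement from the original post. Locally generated packets
! bypass the outbound classifier, so the ACL counters never increment.
ip access-list extended block-eigrp
 permit eigrp any host 224.0.0.10
 deny   eigrp any any
!
interface Serial0/0
 ip access-group block-eigrp out
!
! R2 (assumed hostname): the neighbor on the other end of the serial link.
! From R2's point of view R1's packets are transit traffic, so an inbound
! ACL on the receiving interface does classify and drop them.
ip access-list extended block-eigrp-unicast
 remark allow EIGRP hellos/queries sent to the multicast group
 permit eigrp any host 224.0.0.10
 remark drop unicast EIGRP (replies, retransmissions) from R1
 deny   eigrp any any
 remark the list ends with an implicit deny; keep all other traffic flowing
 permit ip any any
!
interface Serial0/0
 ip access-group block-eigrp-unicast in
!
! Verification: the deny entry on R2 should now show matches,
! while the same list applied outbound on R1 stays at zero.
! R2# show ip access-lists block-eigrp-unicast
! R1# show ip access-lists block-eigrp
! R1# show ip eigrp neighbors
```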