Even though I created a local policy with a match-any route-map deny, it didn't
block any EIGRP traffic. No counters increased.
Blocking EIGRP traffic on the incoming interface on the other router
works, but leads to EIGRP status flapping.

R1#sh ip local policy
Local policy routing is enabled, using route map BLOCK_EIGRP
route-map BLOCK_EIGRP, deny, sequence 10
Match clauses:
Set clauses:
Policy routing matches: 0 packets, 0 bytes

On 6 July 2011 10:14, Aaron Riemer <ariemer_at_amnet.net.au> wrote:
> Didn't save the config but essentially it looked like this.
>
> access-list 101 permit eigrp any any
> !
> route-map eigrp-block
> match ip address 101
> set interface null0
> !
> ip local policy route-map eigrp-block
> !
>
> Let me know what you find. Maybe I can't use set interface null0 for local
> policy route map?
>
> Cheers,
>
> -Aaron.
>
> -----Original Message-----
> From: Vladimir Osipenko [mailto:tiffolk_at_gmail.com]
> Sent: Wednesday, 6 July 2011 1:29 PM
> To: Aaron Riemer
> Cc: Brian McGahan; Cisco certification
> Subject: Re: acl basics
>
> Aaron, are you sure? Show us your config, please.
>
> I googled and found http://betep.wpl.ru/2011/04/do-you-know-what.html
>
> I will check myself later.
>
> On 6 July 2011 04:13, Aaron Riemer <ariemer_at_amnet.net.au> wrote:
>> Just tested this now. Local policy routing does not have any impact on any
>> locally generated EIGRP packets.
>>
>> Thanks Brian.
>>
>>
>> Cheers,
>>
>> -Aaron.
>>
>> -----Original Message-----
>> From: Brian McGahan [mailto:bmcgahan_at_ine.com]
>> Sent: Tuesday, 5 July 2011 11:47 PM
>> To: Vladimir Osipenko
>> Cc: Aaron Riemer; Cisco certification
>> Subject: Re: acl basics
>>
>> Try it and let us know your results.
>>
>> Brian McGahan, CCIE #8593 (R&S/SP/Security)
>> bmcgahan_at_INE.com
>>
>> Internetwork Expert, Inc.
>> http://www.INE.com
>>
>> On Jul 5, 2011, at 1:47 AM, "Vladimir Osipenko" <tiffolk_at_gmail.com> wrote:
>>
>>> Won't "ip local policy" block router traffic?
>>>
>>> On 5 July 2011 09:34, Aaron Riemer <ariemer_at_amnet.net.au> wrote:
>>>> Interesting. Thanks guys much appreciated!
>>>>
>>>> -Aaron.
>>>>
>>>> -----Original Message-----
>>>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>>>> Brian McGahan
>>>> Sent: Tuesday, 5 July 2011 12:41 PM
>>>> To: Aaron Riemer
>>>> Cc: Cisco certification
>>>> Subject: Re: acl basics
>>>>
>>>> Locally generated packets are not subject to ACLs applied outbound on an
>>>> interface. It has to do with the order of operations of the classifier on
>>>> the interface. You'd see the same result if you said "deny ip any any" in
>>>> your list.
>>>>
>>>> Local policy routing won't work unless it's a much older IOS version, as
>>>> local control plane traffic is not subject to local policy routing anymore.
>>>>
>>>> The workaround is simply that you have to apply the ACL in on the other
>>>> side.
>>>>
>>>> HTH,
>>>>
>>>> Brian McGahan, CCIE #8593 (R&S/SP/Security)
>>>> bmcgahan_at_INE.com
>>>>
>>>> Internetwork Expert, Inc.
>>>> http://www.INE.com
>>>>
>>>> On Jul 4, 2011, at 10:52 PM, "Aaron Riemer" <ariemer_at_amnet.net.au> wrote:
>>>>
>>>>> Hey guys,
>>>>>
>>>>> I am playing with EIGRP and wanted to mess with some ACLs to verify my
>>>>> understanding of the query and reply process.
>>>>>
>>>>> I have an ACL below on one router where I am hoping to allow eigrp multicast
>>>>> packets but deny any unicast.
>>>>>
>>>>> ip access-list extended block-eigrp
>>>>>  permit eigrp any host 224.0.0.10
>>>>>  deny eigrp any any
>>>>>
>>>>> interface serial0/0
>>>>>  ip access-group block-eigrp out
>>>>>
>>>>> This doesn't seem to block router EIGRP unicast packets at all. I have got
>>>>> around this by blocking at the other end in the 'in' direction but I am just
>>>>> curious as to why this isn't working.
>>>>>
>>>>> My thoughts are it has something to do with the fact that the traffic is
>>>>> originated from the router itself and as such is not subject to the rules of
>>>>> the ACL. No matches on the ACL seems to confirm this.
>>>>>
>>>>> Local policy routing?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> -Aaron.
>>>>>
>>>>> Blogs and organic groups at http://www.ccie.net
>>>>>
>>>>> _______________________________________________________________________
>>>>> Subscription information may be found at:
>>>>> http://www.groupstudy.com/list/CCIELab.html
Received on Wed Jul 06 2011 - 10:35:37 ART