RE: acl basics

From: Lockheed Martin IS&GS <"Ametewee,>
Date: Wed, 6 Jul 2011 07:49:27 -0400

After the deny route-map do you have another empty route-map statement
(sequence 20) to permit anything that doesn't match the deny?

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Vladimir Osipenko
Sent: Wednesday, July 06, 2011 2:44 AM
To: Aaron Riemer
Cc: Brian McGahan; Cisco certification
Subject: Re: acl basics

But when you use PERMIT in route-map, counters increase:

R1#sh ip local policy
Local policy routing is enabled, using route map BLOCK_EIGRP
route-map BLOCK_EIGRP, permit, sequence 10
  Match clauses:
    ip address (access-lists): 105
  Set clauses:
  Policy routing matches: 4 packets, 254 bytes

But DENY:

R1#sh ip local policy
Local policy routing is enabled, using route map BLOCK_EIGRP
route-map BLOCK_EIGRP, deny, sequence 10
  Match clauses:
    ip address (access-lists): 105
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes

Hmmm, interesting.

On 6 July 2011 10:35, Vladimir Osipenko <tiffolk_at_gmail.com> wrote:
> Even when I created a local policy with a "match any" route-map deny, it didn't
> block any EIGRP traffic. No counters increased.
> Blocking EIGRP traffic on incoming interface on the other router
> works, but leads to eigrp status flapping.
>
> R1#sh ip local policy
> Local policy routing is enabled, using route map BLOCK_EIGRP
> route-map BLOCK_EIGRP, deny, sequence 10
> Match clauses:
> Set clauses:
> Policy routing matches: 0 packets, 0 bytes
>
>
> On 6 July 2011 10:14, Aaron Riemer <ariemer_at_amnet.net.au> wrote:
>> Didn't save the config but essentially it looked like this.
>>
>> access-list 101 permit eigrp any any
>> !
>> route-map eigrp-block
>> match ip address 101
>> set interface null0
>> !
>> ip local policy route-map eigrp-block
>> !
>>
>> Let me know what you find. Maybe I can't use set interface null0 for local
>> policy route map?
>>
>> Cheers,
>>
>> -Aaron.
>>
>> -----Original Message-----
>> From: Vladimir Osipenko [mailto:tiffolk_at_gmail.com]
>> Sent: Wednesday, 6 July 2011 1:29 PM
>> To: Aaron Riemer
>> Cc: Brian McGahan; Cisco certification
>> Subject: Re: acl basics
>>
>> Aaron, are you sure? Show us your config, please.
>>
>> I googled and found http://betep.wpl.ru/2011/04/do-you-know-what.html
>>
>> I will check myself later.
>>
>> On 6 July 2011 04:13, Aaron Riemer <ariemer_at_amnet.net.au> wrote:
>>> Just tested this now. Local policy routing does not have any impact on any
>>> locally generated EIGRP packets.
>>>
>>> Thanks Brian.
>>>
>>>
>>> Cheers,
>>>
>>> -Aaron.
>>>
>>> -----Original Message-----
>>> From: Brian McGahan [mailto:bmcgahan_at_ine.com]
>>> Sent: Tuesday, 5 July 2011 11:47 PM
>>> To: Vladimir Osipenko
>>> Cc: Aaron Riemer; Cisco certification
>>> Subject: Re: acl basics
>>>
>>> Try it and let us know your results.
>>>
>>> Brian McGahan, CCIE #8593 (R&S/SP/Security)
>>> bmcgahan_at_INE.com
>>>
>>> Internetwork Expert, Inc.
>>> http://www.INE.com
>>>
>>> On Jul 5, 2011, at 1:47 AM, "Vladimir Osipenko" <tiffolk_at_gmail.com> wrote:
>>>
>>>> Won't "ip local policy" block router traffic?
>>>>
>>>> On 5 July 2011 09:34, Aaron Riemer <ariemer_at_amnet.net.au> wrote:
>>>>> Interesting. Thanks guys much appreciated!
>>>>>
>>>>> -Aaron.
>>>>>
>>>>> -----Original Message-----
>>>>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>>>>> Brian McGahan
>>>>> Sent: Tuesday, 5 July 2011 12:41 PM
>>>>> To: Aaron Riemer
>>>>> Cc: Cisco certification
>>>>> Subject: Re: acl basics
>>>>>
>>>>> Locally generated packets are not subject to ACLs applied outbound on an
>>>>> interface. It has to do with the order of operations of the classifier on
>>>>> the interface. You'd see the same result if you said "deny ip any any" in
>>>>> your list.
>>>>>
>>>>> Local policy routing won't work unless it's a much older IOS version, as
>>>>> local control plane traffic is not subject to local policy routing anymore.
>>>>>
>>>>> The workaround is simply that you have to apply the ACL in on the other
>>>>> side.
>>>>>
>>>>> HTH,
>>>>>
>>>>> Brian McGahan, CCIE #8593 (R&S/SP/Security)
>>>>> bmcgahan_at_INE.com
>>>>>
>>>>> Internetwork Expert, Inc.
>>>>> http://www.INE.com
>>>>>
>>>>> On Jul 4, 2011, at 10:52 PM, "Aaron Riemer" <ariemer_at_amnet.net.au> wrote:
>>>>>
>>>>>> Hey guys,
>>>>>>
>>>>>> I am playing with EIGRP and wanted to mess with some ACLs to verify my
>>>>>> understanding of the query and reply process.
>>>>>>
>>>>>> I have an ACL below on one router where I am hoping to allow eigrp multicast
>>>>>> packets but deny any unicast.
>>>>>>
>>>>>> ip access-list extended block-eigrp
>>>>>>  permit eigrp any host 224.0.0.10
>>>>>>  deny eigrp any any
>>>>>>
>>>>>> interface serial0/0
>>>>>>  ip access-group block-eigrp out
>>>>>>
>>>>>> This doesn't seem to block router EIGRP unicast packets at all. I have got
>>>>>> around this by blocking at the other end in the 'in' direction but I am just
>>>>>> curious as to why this isn't working.
>>>>>>
>>>>>> My thoughts are it has something to do with the fact that the traffic is
>>>>>> originated from the router itself and as such is not subject to the rules of
>>>>>> the ACL. No matches on the ACL seems to confirm this.
>>>>>>
>>>>>> Local policy routing?
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> -Aaron.
>>>>>>
>>>>>> Blogs and organic groups at http://www.ccie.net
>>>>>>
>>>>>>
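The two configurations discussed in this thread, written out as an added example (constructed for this archive page, not any poster's actual config). The first block is the inbound workaround Brian describes, placed on the neighbour router; the interface name Serial0/1 and the ACL name are assumptions. The second block is the route-map shape the reply at the top asks about, with an empty permit sequence 20 after the deny.

```cisco
! --- Neighbour router: filter inbound, where the ACL is actually evaluated ---
! Inbound ACLs see the peer's locally generated EIGRP packets; the outbound ACL
! on the originating router never does, as the thread shows (0 matches).
ip access-list extended BLOCK-EIGRP-UNICAST
 remark hellos and multicast updates to the EIGRP group are allowed
 permit eigrp any host 224.0.0.10
 remark unicast EIGRP (queries/replies/acks to a specific peer) is dropped
 deny   eigrp any any
 remark required: the implicit deny at the end would otherwise drop ALL other traffic
 permit ip any any
!
interface Serial0/1
 ip access-group BLOCK-EIGRP-UNICAST in
!
! Check that the deny line is the one counting hits:
!   show access-lists BLOCK-EIGRP-UNICAST
!
! --- Originating router: the route-map form from the top of the thread ---
! In policy routing a "deny" sequence does not drop packets; it only excludes
! them from policy routing, so they are forwarded normally and the deny
! sequence's counter stays at 0. The empty permit 20 keeps everything else
! eligible for policy routing. Per Brian, locally generated control-plane
! traffic is not subject to local policy routing on current IOS anyway.
access-list 105 permit eigrp any any
!
route-map BLOCK_EIGRP deny 10
 match ip address 105
route-map BLOCK_EIGRP permit 20
!
ip local policy route-map BLOCK_EIGRP
!
! Observe what the router actually policy-routes:
!   show ip local policy
!   show route-map BLOCK_EIGRP
```

As Vladimir notes above, the inbound filter does work but makes the adjacency flap, since the peer loses the unicast replies and acknowledgements it is waiting for; this is a lab exercise for watching the query/reply process, not a filter to leave on a production link.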
Received on Wed Jul 06 2011 - 07:49:27 ART

This archive was generated by hypermail 2.2.0 : Mon Aug 01 2011 - 06:30:05 ART