To complement what Brian said, with new IOS, you can assign an output
policy map to the control plane.
This seems to do the trick if you want to filter eigrp:
ip access-list extended eigrp
 permit eigrp any any
!
class-map match-all eigrp
 match access-group name eigrp
!
! Output policy on the control plane: silently drop whatever the router
! itself sources that matches the class, pass all other local traffic.
policy-map nulldev_eigrp
 class eigrp
  drop
 class class-default
!
control-plane
 service-policy output nulldev_eigrp
-Carlos
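Added example, not from Carlos or anyone else in the thread: the same control-plane output policy, narrowed to what Aaron was originally after, i.e. drop only router-originated unicast EIGRP and leave the 224.0.0.10 multicast alone. The object names (EIGRP-UNICAST, CP-OUT-DROP-EIGRP-UNICAST) are mine, and the show commands at the end are what I would use to confirm the drops; the exact output format depends on the IOS release and is not reproduced here.

```cisco
! Added example, not posted in the thread. Assumes an IOS that accepts
! "service-policy output" under control-plane and the "drop" class action,
! which Carlos's config above already relies on.
!
! In a class-map, an ACL "deny" means "not in this class", so the class
! below matches EIGRP (IP protocol 88) to any destination EXCEPT the
! 224.0.0.10 group: that is the unicast replies, acks and retransmissions.
ip access-list extended EIGRP-UNICAST
 deny   eigrp any host 224.0.0.10
 permit eigrp any any
!
class-map match-all EIGRP-UNICAST
 match access-group name EIGRP-UNICAST
!
policy-map CP-OUT-DROP-EIGRP-UNICAST
 class EIGRP-UNICAST
  drop
 class class-default
!
control-plane
 service-policy output CP-OUT-DROP-EIGRP-UNICAST
!
! Verification (assumed to show per-class packet counts; the interface ACL
! counters Aaron looked at never see locally generated packets):
!   show policy-map control-plane output
!   show policy-map control-plane output class EIGRP-UNICAST
```

Expect the same adjacency impact Vladimir reports for the inbound filter: EIGRP's reliable transport sends replies and retransmissions as unicast, so once those are dropped the neighbor relationship will flap, which is the behaviour the test is meant to expose.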
Vladimir Osipenko @ 6/7/2011 9:22 -0300 wrote:
> Nope,
> Brian was right, I believe. You can't control local traffic with ip
> policy map anymore.
>
> On 6 July 2011 15:49, Ametewee, Selassie K. (Lockheed Martin IS&GS)
> <Selassie.Ametewee_at_va.gov> wrote:
>> After the deny route-map do you have another empty route-map statement
>> (sequence 20) to permit anything that doesn't match the deny?
>>
>> -----Original Message-----
>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>> Vladimir Osipenko
>> Sent: Wednesday, July 06, 2011 2:44 AM
>> To: Aaron Riemer
>> Cc: Brian McGahan; Cisco certification
>> Subject: Re: acl basics
>>
>> But when you use PERMIT in route-map, counters increase:
>>
>> R1#sh ip local policy
>> Local policy routing is enabled, using route map BLOCK_EIGRP
>> route-map BLOCK_EIGRP, permit, sequence 10
>> Match clauses:
>> ip address (access-lists): 105
>> Set clauses:
>> Policy routing matches: 4 packets, 254 bytes
>>
>>
>> But DENY:
>>
>> R1#sh ip local policy
>> Local policy routing is enabled, using route map BLOCK_EIGRP
>> route-map BLOCK_EIGRP, deny, sequence 10
>> Match clauses:
>> ip address (access-lists): 105
>> Set clauses:
>> Policy routing matches: 0 packets, 0 bytes
>>
>> Hmmm, interesting.
>>
>>
>> On 6 July 2011 10:35, Vladimir Osipenko <tiffolk_at_gmail.com> wrote:
>>> Even when I created a local policy with a match-any route-map deny, it didn't
>>> block any EIGRP traffic. No counters increased.
>>> Blocking EIGRP traffic on the incoming interface of the other router
>>> works, but leads to EIGRP status flapping.
>>>
>>> R1#sh ip local policy
>>> Local policy routing is enabled, using route map BLOCK_EIGRP
>>> route-map BLOCK_EIGRP, deny, sequence 10
>>> Match clauses:
>>> Set clauses:
>>> Policy routing matches: 0 packets, 0 bytes
>>>
>>>
>>> On 6 July 2011 10:14, Aaron Riemer <ariemer_at_amnet.net.au> wrote:
>>>> Didn't save the config but essentially it looked like this.
>>>>
>>>> access-list 101 permit eigrp any any
>>>> !
>>>> route-map eigrp-block permit 10
>>>>  match ip address 101
>>>>  set interface null0
>>>> !
>>>> ip local policy route-map eigrp-block
>>>> !
>>>>
>>>> Let me know what you find. Maybe I can't use set interface null0 for local
>>>> policy route map?
>>>>
>>>> Cheers,
>>>>
>>>> -Aaron.
>>>>
>>>> -----Original Message-----
>>>> From: Vladimir Osipenko [mailto:tiffolk_at_gmail.com]
>>>> Sent: Wednesday, 6 July 2011 1:29 PM
>>>> To: Aaron Riemer
>>>> Cc: Brian McGahan; Cisco certification
>>>> Subject: Re: acl basics
>>>>
>>>> Aaron, are you sure? Show us your config, please.
>>>>
>>>> I googled and found http://betep.wpl.ru/2011/04/do-you-know-what.html
>>>>
>>>> I will check myself later.
>>>>
>>>> On 6 July 2011 04:13, Aaron Riemer <ariemer_at_amnet.net.au> wrote:
>>>>> Just tested this now. Local policy routing does not have any impact on any
>>>>> locally generated EIGRP packets.
>>>>>
>>>>> Thanks Brian.
>>>>>
>>>>>
>>>>> Cheers,
>>>>>
>>>>> -Aaron.
>>>>>
>>>>> -----Original Message-----
>>>>> From: Brian McGahan [mailto:bmcgahan_at_ine.com]
>>>>> Sent: Tuesday, 5 July 2011 11:47 PM
>>>>> To: Vladimir Osipenko
>>>>> Cc: Aaron Riemer; Cisco certification
>>>>> Subject: Re: acl basics
>>>>>
>>>>> Try it and let us know your results.
>>>>>
>>>>> Brian McGahan, CCIE #8593 (R&S/SP/Security)
>>>>> bmcgahan_at_INE.com
>>>>>
>>>>> Internetwork Expert, Inc.
>>>>> http://www.INE.com
>>>>>
>>>>> On Jul 5, 2011, at 1:47 AM, "Vladimir Osipenko" <tiffolk_at_gmail.com> wrote:
>>>>>> Won't "ip local policy" block router traffic?
>>>>>>
>>>>>> On 5 July 2011 09:34, Aaron Riemer <ariemer_at_amnet.net.au> wrote:
>>>>>>> Interesting. Thanks guys much appreciated!
>>>>>>>
>>>>>>> -Aaron.
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>>>>>>> Brian McGahan
>>>>>>> Sent: Tuesday, 5 July 2011 12:41 PM
>>>>>>> To: Aaron Riemer
>>>>>>> Cc: Cisco certification
>>>>>>> Subject: Re: acl basics
>>>>>>>
>>>>>>> Locally generated packets are not subject to ACLs applied outbound on an
>>>>>>> interface. It has to do with the order of operations of the classifier on
>>>>>>> the interface. You'd see the same result if you said "deny ip any any" in
>>>>>>> your list.
>>>>>>>
>>>>>>> Local policy routing won't work unless it's a much older IOS version, as
>>>>>>> local control plane traffic is not subject to local policy routing anymore.
>>>>>>> The workaround is simply that you have to apply the ACL in on the other
>>>>>>> side.
>>>>>>>
>>>>>>> HTH,
>>>>>>>
>>>>>>> Brian McGahan, CCIE #8593 (R&S/SP/Security)
>>>>>>> bmcgahan_at_INE.com
>>>>>>>
>>>>>>> Internetwork Expert, Inc.
>>>>>>> http://www.INE.com
>>>>>>>
>>>>>>> On Jul 4, 2011, at 10:52 PM, "Aaron Riemer" <ariemer_at_amnet.net.au> wrote:
>>>>>>>> Hey guys,
>>>>>>>>
>>>>>>>> I am playing with EIGRP and wanted to mess with some ACLs to verify my
>>>>>>>> understanding of the query and reply process.
>>>>>>>>
>>>>>>>> I have an ACL below on one router where I am hoping to allow EIGRP
>>>>>>>> multicast packets but deny any unicast.
>>>>>>>>
>>>>>>>> ip access-list extended block-eigrp
>>>>>>>>  permit eigrp any host 224.0.0.10
>>>>>>>>  deny eigrp any any
>>>>>>>> !
>>>>>>>> interface serial0/0
>>>>>>>>  ip access-group block-eigrp out
>>>>>>>>
>>>>>>>> This doesn't seem to block router EIGRP unicast packets at all. I have
>>>>>>>> got around this by blocking at the other end in the 'in' direction but I
>>>>>>>> am just curious as to why this isn't working.
>>>>>>>>
>>>>>>>> My thoughts are it has something to do with the fact that the traffic is
>>>>>>>> originated from the router itself and as such is not subject to the rules
>>>>>>>> of the ACL. No matches on the ACL seems to confirm this.
>>>>>>>>
>>>>>>>> Local policy routing?
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> -Aaron.
>>>>>>>>
>>>>>>>> Blogs and organic groups at http://www.ccie.net
>>>>>>>>
>>>>>>>> _______________________________________________________________________
>>>>>>>> Subscription information may be found at:
>>>>>>>> http://www.groupstudy.com/list/CCIELab.html
>>
>
--
Carlos G Mendioroz <tron_at_huapi.ba.ar> LW7 EQI Argentina

Received on Wed Jul 06 2011 - 13:48:45 ART
This archive was generated by hypermail 2.2.0 : Mon Aug 01 2011 - 06:30:05 ART