Here is the Doc with nice pictures
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t4/htcpp.html
On 6 July 2011 20:48, Carlos G Mendioroz <tron_at_huapi.ba.ar> wrote:
> To complement what Brian said, with new IOS, you can assign an output policy
> map to the control plane.
> This seems to do the trick if you want to filter eigrp:
>
> ip access-list extended eigrp
> permit eigrp any any
>
> class-map match-all eigrp
> match access-group name eigrp
>
> policy-map nulldev_eigrp
> class eigrp
> drop
> class class-default
>
> control-plane
> service-policy output nulldev_eigrp
>
> -Carlos
>
> Vladimir Osipenko @ 6/7/2011 9:22 -0300 dixit:
>>
>> Nope,
>> Brian was right, I believe. You can't control local traffic with ip
>> policy map anymore.
>>
>> On 6 July 2011 15:49, Ametewee, Selassie K. (Lockheed Martin IS&GS)
>> <Selassie.Ametewee_at_va.gov> wrote:
>>>
>>> After the deny route-map do you have another empty route-map statement
>>> (sequence 20) to permit anything that doesn't match the deny?
>>>
>>> -----Original Message-----
>>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>>> Vladimir Osipenko
>>> Sent: Wednesday, July 06, 2011 2:44 AM
>>> To: Aaron Riemer
>>> Cc: Brian McGahan; Cisco certification
>>> Subject: Re: acl basics
>>>
>>> But when you use PERMIT in route-map, counters increase:
>>>
>>> R1#sh ip local policy
>>> Local policy routing is enabled, using route map BLOCK_EIGRP
>>> route-map BLOCK_EIGRP, permit, sequence 10
>>> Match clauses:
>>> ip address (access-lists): 105
>>> Set clauses:
>>> Policy routing matches: 4 packets, 254 bytes
>>>
>>>
>>> But DENY:
>>>
>>> R1#sh ip local policy
>>> Local policy routing is enabled, using route map BLOCK_EIGRP
>>> route-map BLOCK_EIGRP, deny, sequence 10
>>> Match clauses:
>>> ip address (access-lists): 105
>>> Set clauses:
>>> Policy routing matches: 0 packets, 0 bytes
>>>
>>> Hmmm, interesting.
>>>
>>>
>>> On 6 July 2011 10:35, Vladimir Osipenko <tiffolk_at_gmail.com> wrote:
>>>>
>>>> Even when I created local policy with match any route-map deny, it didn't
>>>> block any eigrp traffic. No counters increased.
>>>> Blocking EIGRP traffic on incoming interface on the other router
>>>> works, but leads to eigrp status flapping.
>>>>
>>>> R1#sh ip local policy
>>>> Local policy routing is enabled, using route map BLOCK_EIGRP
>>>> route-map BLOCK_EIGRP, deny, sequence 10
>>>> Match clauses:
>>>> Set clauses:
>>>> Policy routing matches: 0 packets, 0 bytes
>>>>
>>>>
>>>> On 6 July 2011 10:14, Aaron Riemer <ariemer_at_amnet.net.au> wrote:
>>>>>
>>>>> Didn't save the config but essentially it looked like this.
>>>>>
>>>>> access-list 101 permit eigrp any any
>>>>> !
>>>>> route-map eigrp-block
>>>>> match ip address 101
>>>>> set interface null0
>>>>> !
>>>>> ip local policy route-map eigrp-block
>>>>> !
>>>>>
>>>>> Let me know what you find. Maybe I can't use set interface null0 for local
>>>>> policy route map?
>>>>>
>>>>> Cheers,
>>>>>
>>>>> -Aaron.
>>>>>
>>>>> -----Original Message-----
>>>>> From: Vladimir Osipenko [mailto:tiffolk_at_gmail.com]
>>>>> Sent: Wednesday, 6 July 2011 1:29 PM
>>>>> To: Aaron Riemer
>>>>> Cc: Brian McGahan; Cisco certification
>>>>> Subject: Re: acl basics
>>>>>
>>>>> Aaron, are you sure? Show us your config, please.
>>>>>
>>>>> I googled and found http://betep.wpl.ru/2011/04/do-you-know-what.html
>>>>>
>>>>> I will check myself later.
>>>>>
>>>>> On 6 July 2011 04:13, Aaron Riemer <ariemer_at_amnet.net.au> wrote:
>>>>>>
>>>>>> Just tested this now. Local policy routing does not have any impact on any
>>>>>> locally generated EIGRP packets.
>>>>>>
>>>>>> Thanks Brian.
>>>>>>
>>>>>>
>>>>>> Cheers,
>>>>>>
>>>>>> -Aaron.
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Brian McGahan [mailto:bmcgahan_at_ine.com]
>>>>>> Sent: Tuesday, 5 July 2011 11:47 PM
>>>>>> To: Vladimir Osipenko
>>>>>> Cc: Aaron Riemer; Cisco certification
>>>>>> Subject: Re: acl basics
>>>>>>
>>>>>> Try it and let us know your results.
>>>>>>
>>>>>> Brian McGahan, CCIE #8593 (R&S/SP/Security)
>>>>>> bmcgahan_at_INE.com
>>>>>>
>>>>>> Internetwork Expert, Inc.
>>>>>> http://www.INE.com
>>>>>>
>>>>>> On Jul 5, 2011, at 1:47 AM, "Vladimir Osipenko" <tiffolk_at_gmail.com> wrote:
>>>>>>>
>>>>>>> Won't "ip local policy" block router traffic?
>>>>>>>
>>>>>>> On 5 July 2011 09:34, Aaron Riemer <ariemer_at_amnet.net.au> wrote:
>>>>>>>>
>>>>>>>> Interesting. Thanks guys much appreciated!
>>>>>>>>
>>>>>>>> -Aaron.
>>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>>>>>>>> Brian McGahan
>>>>>>>> Sent: Tuesday, 5 July 2011 12:41 PM
>>>>>>>> To: Aaron Riemer
>>>>>>>> Cc: Cisco certification
>>>>>>>> Subject: Re: acl basics
>>>>>>>>
>>>>>>>> Locally generated packets are not subject to ACLs applied outbound on an
>>>>>>>> interface. It has to do with the order of operations of the classifier on
>>>>>>>> the interface. You'd see the same result if you said "deny ip any any" in
>>>>>>>> your list.
>>>>>>>>
>>>>>>>> Local policy routing won't work unless it's a much older IOS version, as
>>>>>>>> local control plane traffic is not subject to local policy routing anymore.
>>>>>>>>
>>>>>>>> The workaround is simply that you have to apply the ACL in on the other
>>>>>>>> side.
>>>>>>>>
>>>>>>>> HTH,
>>>>>>>>
>>>>>>>> Brian McGahan, CCIE #8593 (R&S/SP/Security)
>>>>>>>> bmcgahan_at_INE.com
>>>>>>>>
>>>>>>>> Internetwork Expert, Inc.
>>>>>>>> http://www.INE.com
>>>>>>>>
>>>>>>>> On Jul 4, 2011, at 10:52 PM, "Aaron Riemer" <ariemer_at_amnet.net.au> wrote:
>>>>>>>>>
>>>>>>>>> Hey guys,
>>>>>>>>>
>>>>>>>>> I am playing with EIGRP and wanted to mess with some ACLs to verify my
>>>>>>>>> understanding of the query and reply process.
>>>>>>>>>
>>>>>>>>> I have an ACL below on one router where I am hoping to allow eigrp multicast
>>>>>>>>> packets but deny any unicast.
>>>>>>>>>
>>>>>>>>> ip access-list extended block-eigrp
>>>>>>>>> permit eigrp any host 224.0.0.10
>>>>>>>>> deny eigrp any any
>>>>>>>>>
>>>>>>>>> interface serial0/0
>>>>>>>>> ip access-group block-eigrp out
>>>>>>>>>
>>>>>>>>> This doesn't seem to block router EIGRP unicast packets at all. I have got
>>>>>>>>> around this by blocking at the other end in the 'in' direction but I am just
>>>>>>>>> curious as to why this isn't working.
>>>>>>>>>
>>>>>>>>> My thoughts are it has something to do with the fact that the traffic is
>>>>>>>>> originated from the router itself and as such is not subject to the rules of
>>>>>>>>> the ACL. No matches on the ACL seems to confirm this.
>>>>>>>>>
>>>>>>>>> Local policy routing?
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>>
>>>>>>>>> -Aaron.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Blogs and organic groups at http://www.ccie.net
>>>>>>>>>
>>>>>>>>> _______________________________________________________________________
>>>>>>>>> Subscription information may be found at:
>>>>>>>>> http://www.groupstudy.com/list/CCIELab.html
>
> --
> Carlos G Mendioroz <tron_at_huapi.ba.ar> LW7 EQI Argentina
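The thread's two findings (an ACL applied outbound on an interface never sees packets the router itself generates, while a drop class in an output service-policy on the control plane does) can be modelled to make the difference concrete. The following Python is an added example, not code from the thread or from Cisco: it parses IOS-style extended ACL entries, evaluates them first-match with the implicit deny, and applies them at the two placements. The pipeline rules (locally generated packets skip the interface classifier; only locally generated packets reach the control-plane output policy) are assumptions encoding what Brian and Carlos describe, not IOS's real data path, and the wildcard-mask matching goes beyond the `any`/`host` forms used in the thread.

```python
# Added example (not from the thread): a small model of IOS extended-ACL
# matching plus the two placements discussed above. The pipeline rules are
# assumptions taken from the thread's claims, not a reimplementation of IOS.
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "eigrp", "icmp", ...
    src: str     # dotted-quad source address
    dst: str     # dotted-quad destination address
    local: bool  # True when this router generated the packet itself


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    proto: str   # "eigrp", "ip", ...
    src: str     # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" (wildcard mask)
    dst: str


def match_addr(spec: str, addr: str) -> bool:
    """Match an address against an IOS-style address spec."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return addr == parts[1]
    net, wildcard = (int(ipaddress.IPv4Address(p)) for p in parts)
    # Wildcard mask: a 1 bit means "don't care", so compare only the 0 bits.
    return ((int(ipaddress.IPv4Address(addr)) ^ net) & ~wildcard & 0xFFFFFFFF) == 0


def _take_addr(tokens: List[str]) -> Tuple[str, List[str]]:
    """Consume one address spec: 'any' (1 token) or host/net+wildcard (2 tokens)."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    return " ".join(tokens[:2]), tokens[2:]


def parse_acl(text: str) -> List[Ace]:
    """Parse the permit/deny entries of an 'ip access-list extended' block."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue  # header line or blank line
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, rest = _take_addr(rest)
        dst, rest = _take_addr(rest)
        aces.append(Ace(action, proto, src, dst))
    return aces


def acl_action(aces: List[Ace], pkt: Packet) -> str:
    """First-match evaluation, ending in IOS's implicit 'deny ip any any'."""
    for ace in aces:
        if (ace.proto in (pkt.proto, "ip")
                and match_addr(ace.src, pkt.src)
                and match_addr(ace.dst, pkt.dst)):
            return ace.action
    return "deny"


def interface_out(aces: List[Ace], pkt: Packet) -> str:
    """Outbound interface ACL. Assumption from Brian's explanation: packets the
    router generated itself skip the classifier, so they are never matched."""
    if pkt.local:
        return "permit"
    return acl_action(aces, pkt)


def control_plane_out(class_aces: List[Ace], pkt: Packet) -> str:
    """'control-plane / service-policy output' with one class that drops.
    Assumption: only locally generated traffic passes through this policy,
    and a packet is dropped when the class's ACL permits (matches) it."""
    if not pkt.local:
        return "permit"
    return "drop" if acl_action(class_aces, pkt) == "permit" else "permit"


# Aaron's ACL from the thread.
BLOCK_EIGRP = """
ip access-list extended block-eigrp
 permit eigrp any host 224.0.0.10
 deny eigrp any any
"""

# The ACL behind Carlos's 'class eigrp' / 'drop'.
EIGRP_ANY = """
ip access-list extended eigrp
 permit eigrp any any
"""


def demo() -> dict:
    """Constructed packets: an EIGRP hello to the multicast group, an EIGRP
    unicast the router itself sends, and that unicast seen as transit traffic."""
    hello = Packet("eigrp", "10.0.0.1", "224.0.0.10", local=True)
    local_unicast = Packet("eigrp", "10.0.0.1", "10.0.0.2", local=True)
    transit_unicast = Packet("eigrp", "10.0.0.1", "10.0.0.2", local=False)
    return {
        "interface_out/local_unicast": interface_out(parse_acl(BLOCK_EIGRP), local_unicast),
        "interface_out/transit_unicast": interface_out(parse_acl(BLOCK_EIGRP), transit_unicast),
        "copp_out/hello": control_plane_out(parse_acl(EIGRP_ANY), hello),
        "copp_out/local_unicast": control_plane_out(parse_acl(EIGRP_ANY), local_unicast),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32} {verdict}")
```

Running it shows the asymmetry Aaron hit: the same EIGRP unicast is denied when it is transit traffic but passes untouched, with no ACL hit, when the router originated it, whereas the control-plane output policy drops it (and, with `permit eigrp any any` in the class, the multicast hellos too, which is why that policy takes the adjacency down rather than filtering unicast only).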
Received on Wed Jul 06 2011 - 20:51:48 ART
This archive was generated by hypermail 2.2.0 : Mon Aug 01 2011 - 06:30:05 ART