Re: acl basics

From: Carlos G Mendioroz <tron_at_huapi.ba.ar>
Date: Wed, 06 Jul 2011 20:53:04 -0300

I have already :)
-Carlos

Aaron Riemer @ 06/07/2011 20:44 -0300 dixit:
> Nice one Carlos.
>
> When are you going for the lab?
>
> -----Original Message-----
> From: Carlos G Mendioroz [mailto:tron_at_huapi.ba.ar]
> Sent: Thursday, 7 July 2011 12:49 AM
> To: Vladimir Osipenko
> Cc: Ametewee, Selassie K. (Lockheed Martin IS&GS); Aaron Riemer; Brian
> McGahan; Cisco certification
> Subject: Re: acl basics
>
> To complement what Brian said, with new IOS, you can assign an output
> policy map to the control plane.
> This seems to do the trick if you want to filter eigrp:
>
> ip access-list extended eigrp
> permit eigrp any any
>
> class-map match-all eigrp
> match access-group name eigrp
>
> policy-map nulldev_eigrp
> class eigrp
> drop
> class class-default
>
> control-plane
> service-policy output nulldev_eigrp
>
> -Carlos
>
> Vladimir Osipenko @ 6/7/2011 9:22 -0300 dixit:
>> Nope,
>> Brian was right, I believe. You can't control local traffic with ip
>> policy map anymore.
>>
>> On 6 July 2011 15:49, Ametewee, Selassie K. (Lockheed Martin IS&GS)
>> <Selassie.Ametewee_at_va.gov> wrote:
>>> After the deny route-map do you have another empty route-map statement
>>> (sequence 20) to permit anything that doesn't match the deny?
>>>
>>> -----Original Message-----
>>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>>> Vladimir Osipenko
>>> Sent: Wednesday, July 06, 2011 2:44 AM
>>> To: Aaron Riemer
>>> Cc: Brian McGahan; Cisco certification
>>> Subject: Re: acl basics
>>>
>>> But when you use PERMIT in route-map, counters increase:
>>>
>>> R1#sh ip local policy
>>> Local policy routing is enabled, using route map BLOCK_EIGRP
>>> route-map BLOCK_EIGRP, permit, sequence 10
>>> Match clauses:
>>> ip address (access-lists): 105
>>> Set clauses:
>>> Policy routing matches: 4 packets, 254 bytes
>>>
>>>
>>> But DENY:
>>>
>>> R1#sh ip local policy
>>> Local policy routing is enabled, using route map BLOCK_EIGRP
>>> route-map BLOCK_EIGRP, deny, sequence 10
>>> Match clauses:
>>> ip address (access-lists): 105
>>> Set clauses:
>>> Policy routing matches: 0 packets, 0 bytes
>>>
>>> Hmmm, interesting.
>>>
>>>
>>> On 6 July 2011 10:35, Vladimir Osipenko <tiffolk_at_gmail.com> wrote:
>>>> Even when I created a local policy with a match-any route-map deny, it didn't
>>>> block any eigrp traffic. No counters increased.
>>>> Blocking EIGRP traffic on incoming interface on the other router
>>>> works, but leads to eigrp status flapping.
>>>>
>>>> R1#sh ip local policy
>>>> Local policy routing is enabled, using route map BLOCK_EIGRP
>>>> route-map BLOCK_EIGRP, deny, sequence 10
>>>> Match clauses:
>>>> Set clauses:
>>>> Policy routing matches: 0 packets, 0 bytes
>>>>
>>>>
>>>> On 6 July 2011 10:14, Aaron Riemer <ariemer_at_amnet.net.au> wrote:
>>>>> Didn't save the config but essentially it looked like this.
>>>>>
>>>>> access-list 101 permit eigrp any any
>>>>> !
>>>>> route-map eigrp-block
>>>>> match ip address 101
>>>>> set interface null0
>>>>> !
>>>>> ip local policy route-map eigrp-block
>>>>> !
>>>>>
>>>>> Let me know what you find. Maybe I can't use set interface null0 for local
>>>>> policy route map?
>>>>>
>>>>> Cheers,
>>>>>
>>>>> -Aaron.
>>>>>
>>>>> -----Original Message-----
>>>>> From: Vladimir Osipenko [mailto:tiffolk_at_gmail.com]
>>>>> Sent: Wednesday, 6 July 2011 1:29 PM
>>>>> To: Aaron Riemer
>>>>> Cc: Brian McGahan; Cisco certification
>>>>> Subject: Re: acl basics
>>>>>
>>>>> Aaron, are you sure? Show us your config, please.
>>>>>
>>>>> I googled and found http://betep.wpl.ru/2011/04/do-you-know-what.html
>>>>>
>>>>> I will check myself later.
>>>>>
>>>>> On 6 July 2011 04:13, Aaron Riemer <ariemer_at_amnet.net.au> wrote:
>>>>>> Just tested this now. Local policy routing does not have any impact on any
>>>>>> locally generated EIGRP packets.
>>>>>>
>>>>>> Thanks Brian.
>>>>>>
>>>>>>
>>>>>> Cheers,
>>>>>>
>>>>>> -Aaron.
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Brian McGahan [mailto:bmcgahan_at_ine.com]
>>>>>> Sent: Tuesday, 5 July 2011 11:47 PM
>>>>>> To: Vladimir Osipenko
>>>>>> Cc: Aaron Riemer; Cisco certification
>>>>>> Subject: Re: acl basics
>>>>>>
>>>>>> Try it and let us know your results.
>>>>>>
>>>>>> Brian McGahan, CCIE #8593 (R&S/SP/Security)
>>>>>> bmcgahan_at_INE.com
>>>>>>
>>>>>> Internetwork Expert, Inc.
>>>>>> http://www.INE.com
>>>>>>
>>>>>> On Jul 5, 2011, at 1:47 AM, "Vladimir Osipenko" <tiffolk_at_gmail.com> wrote:
>>>>>>> Won't "ip local policy" block router traffic?
>>>>>>>
>>>>>>> On 5 July 2011 09:34, Aaron Riemer <ariemer_at_amnet.net.au> wrote:
>>>>>>>> Interesting. Thanks guys much appreciated!
>>>>>>>>
>>>>>>>> -Aaron.
>>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>>>>>>>> Brian McGahan
>>>>>>>> Sent: Tuesday, 5 July 2011 12:41 PM
>>>>>>>> To: Aaron Riemer
>>>>>>>> Cc: Cisco certification
>>>>>>>> Subject: Re: acl basics
>>>>>>>>
>>>>>>>> Locally generated packets are not subject to ACLs applied outbound on an
>>>>>>>> interface. It has to do with the order of operations of the classifier on
>>>>>>>> the interface. You'd see the same result if you said "deny ip any any" in
>>>>>>>> your list.
>>>>>>>>
>>>>>>>> Local policy routing won't work unless it's a much older IOS version, as
>>>>>>>> local control plane traffic is not subject to local policy routing anymore.
>>>>>>>> The workaround is simply that you have to apply the ACL in on the other
>>>>>>>> side.
>>>>>>>>
>>>>>>>> HTH,
>>>>>>>>
>>>>>>>> Brian McGahan, CCIE #8593 (R&S/SP/Security)
>>>>>>>> bmcgahan_at_INE.com
>>>>>>>>
>>>>>>>> Internetwork Expert, Inc.
>>>>>>>> http://www.INE.com
>>>>>>>>
>>>>>>>> On Jul 4, 2011, at 10:52 PM, "Aaron Riemer" <ariemer_at_amnet.net.au> wrote:
>>>>>>>>> Hey guys,
>>>>>>>>>
>>>>>>>>> I am playing with EIGRP and wanted to mess with some ACLs to verify my
>>>>>>>>> understanding of the query and reply process.
>>>>>>>>>
>>>>>>>>> I have an ACL below on one router where I am hoping to allow eigrp
>>>>>>>>> multicast packets but deny any unicast.
>>>>>>>>>
>>>>>>>>> ip access-list extended block-eigrp
>>>>>>>>> permit eigrp any host 224.0.0.10
>>>>>>>>> deny eigrp any any
>>>>>>>>>
>>>>>>>>> interface serial0/0
>>>>>>>>> ip access-group block-eigrp out
>>>>>>>>>
>>>>>>>>> This doesn't seem to block router EIGRP unicast packets at all. I have
>>>>>>>>> got around this by blocking at the other end in the 'in' direction but
>>>>>>>>> I am just curious as to why this isn't working.
>>>>>>>>>
>>>>>>>>> My thoughts are it has something to do with the fact that the traffic
>>>>>>>>> is originated from the router itself and as such is not subject to the
>>>>>>>>> rules of the ACL. No matches on the ACL seem to confirm this.
>>>>>>>>>
>>>>>>>>> Local policy routing?
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>>
>>>>>>>>> -Aaron.
>>>>>>>>>
>>>>>>>>> Blogs and organic groups at http://www.ccie.net
>>>>>>>>>
>>>>>>>>>
>>> _______________________________________________________________________
>>>>>>>>> Subscription information may be found at:
>>>>>>>>> http://www.groupstudy.com/list/CCIELab.html
>

-- 
Carlos G Mendioroz  <tron_at_huapi.ba.ar>  LW7 EQI  Argentina
Received on Wed Jul 06 2011 - 20:53:04 ART
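Added example, not from this thread or any of its authors: a small Python config-audit helper that applies the two points made above, flagging a 'deny eigrp' ACL applied out on an interface (which, as Brian explains, never sees the router's own EIGRP packets) and reporting which classes the control-plane output service-policy drops (Carlos' working approach). The function names and the sample running-config are constructed for the example.

```python
import re

# Constructed IOS running-config modelled on the thread: the outbound interface
# ACL (does not see router-originated EIGRP) and the control-plane output policy.
SAMPLE_CONFIG = """\
ip access-list extended block-eigrp
 permit eigrp any host 224.0.0.10
 deny eigrp any any
policy-map nulldev_eigrp
 class eigrp
  drop
 class class-default
interface Serial0/0
 ip access-group block-eigrp out
control-plane
 service-policy output nulldev_eigrp
"""

def parse_blocks(config):
    """Map each top-level IOS config line to its (stripped) indented child lines."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0] != " ":          # a new top-level stanza
            current = line.strip()
            blocks[current] = []
        elif current:
            blocks[current].append(line.strip())
    return blocks

def outbound_eigrp_acl_findings(blocks):
    """Flag 'deny eigrp' ACLs applied 'out' on an interface: per the thread,
    router-originated EIGRP bypasses outbound interface ACLs."""
    deny_acls = {h.split()[-1] for h, body in blocks.items() if h.startswith("ip access-list")
                 and any(l.startswith("deny eigrp") for l in body)}
    return [f"{h}: {m.group(1)} out will not filter router-originated EIGRP"
            for h, body in blocks.items() if h.startswith("interface") for l in body
            if (m := re.match(r"ip access-group (\S+) out$", l)) and m.group(1) in deny_acls]

def copp_output_drop_classes(blocks):
    """Classes dropped by the control-plane output service-policy (the working fix)."""
    dropped, cls = [], None
    for sp in blocks.get("control-plane", []):
        m = re.match(r"service-policy output (\S+)$", sp)
        for pl in (blocks.get(f"policy-map {m.group(1)}", []) if m else []):
            if pl.startswith("class "):
                cls = pl.split()[1]
            elif pl == "drop" and cls != "class-default":
                dropped.append(cls)
    return dropped
```

Run the two checks over `parse_blocks(SAMPLE_CONFIG)` (or a real `show running-config` capture) to see the ineffective outbound ACL reported alongside the class the CoPP policy actually drops.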

This archive was generated by hypermail 2.2.0 : Mon Aug 01 2011 - 06:30:05 ART