Are you connected to the router's console? If so, then you need to apply the access-class to line con.
David
--
http://dcp.dcptech.com

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Peter Dervan
Sent: Sunday, August 19, 2012 9:02 AM
To: ccielab_at_groupstudy.com
Subject: Telnet access outbound on VTY ports not sidestepped by local PBR?

Hi guys,

Very small question regarding applying local PBR to a router.

I have seen (and tested) that if you want to test, for example, reflexive ACLs on a router using traffic generated by the router, one way to get this working is to set up a PBR matching all traffic and send it to a loopback interface. I think we have all seen this "trick" before for various testing of security services etc. (I think the same applies to ip inspect etc.?).

My question relates this trick/tactic to restricting telnet traffic outbound under the VTY lines using "access-class 23 out", for example. I know this command usually only applies to telnet traffic that is initiated by a user who is telnetted into the router. I tried getting around this by using the PBR "trick" mentioned already, and it did not work. My telnet traffic was not affected by the ACL in place.

Can anyone explain why this didn't work? I'm sure it's probably very simple, but I was expecting the access-class command to take effect once I enabled a local PBR and bounced traffic to a loopback first.

Any words of wisdom much appreciated as usual...

Pete (Ireland)

Blogs and organic groups at http://www.ccie.net

Received on Sun Aug 19 2012 - 09:10:46 ART
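A configuration illustrating David's answer, added here as an example and not taken from either post. The host address 10.0.0.2, the ACL numbers, the route-map name TO-LOOP and Loopback0 are assumed. The point it shows: "access-class ... out" is a check the line performs on the destination of a connection when the EXEC session on that line opens it, so it has to be present on whichever line the tester is actually sitting on (the console, in Pete's case), and local PBR, which only steers packets the router has already generated, cannot make it apply.

```text
! Added example (not from the thread). 10.0.0.2, ACL 23/100, TO-LOOP and
! Loopback0 are assumed values.

! Destinations the line is not allowed to open sessions to
access-list 23 deny   10.0.0.2
access-list 23 permit any

! Only covers sessions that arrived on the VTYs (users who telnetted in)
line vty 0 4
 access-class 23 out

! Required as well when the test is typed at the console port
line con 0
 access-class 23 out

! The local-PBR "trick" from the question. It bounces router-generated
! packets to a loopback, which is useful for exercising interface-level
! features (reflexive ACLs, inspection), but the line access-class is
! evaluated before any packet exists, so this has no effect on it.
access-list 100 permit ip any any
route-map TO-LOOP permit 10
 match ip address 100
 set interface Loopback0
ip local policy route-map TO-LOOP

! Expected result from the console once line con 0 carries the access-class:
! Router#telnet 10.0.0.2
! % Connections to that host not permitted from this terminal
```

Check with "show running-config | section line" that the access-class is under the line you are testing from; a VTY-only access-class silently does nothing for a console session, which is exactly the symptom described in the question.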
This archive was generated by hypermail 2.2.0 : Sat Sep 01 2012 - 08:41:18 ART