Re: [nsp] Access List question

From: Danny McPherson (danny@qwest.net)
Date: Wed Dec 01 1999 - 14:30:10 EST


> Hi all
>
> We have 2 ip blocks, 192.168.0.0/24 and 192.168.1.0/26.
> The first block, the /24, is all utilised in Cape Town, where our
> servers are.
> The second block, the /26, is in our Johannesburg office and is used for
> dialups there.
>
> I have an access list 111 applied to my one serial interface on my 3640
> router down in Cape Town, as follows:
> access-list 111 deny ip 192.168.0.0 0.0.0.255 any log
> access-list 111 deny ip 192.168.1.0 0.0.0.63 any log
>
> The /26 is routed down to us via our upstream's backbone.
>
> Question: Is the second line of the above access list going to work?
> Wouldn't our router see this as an attempt to spoof, and deny the
> packets?

Assuming the access-list is applied on the ingress interface above and your
definition of "routed to us" means that packets sourced from the /26 and
destined for the /24 enter Cape Town via the service provider, then the
access-list would indeed result in the packets being discarded, yes.

-danny
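
The match described in the reply above, worked through as an added example that is not part of the original thread: a small Python model of how the two quoted entries of access-list 111 compare a packet's source address against a wildcard mask, with first-match semantics. The sample source addresses are constructed, and any entries of the list that the thread does not show are not modelled.

```python
import ipaddress

# The two entries of access-list 111 exactly as quoted in the thread.
ACL_111 = [
    "access-list 111 deny ip 192.168.0.0 0.0.0.255 any log",
    "access-list 111 deny ip 192.168.1.0 0.0.0.63 any log",
]

def parse_entry(line):
    """Parse 'access-list N ACTION ip SRC WILDCARD any [log]' (only this form)."""
    tok = line.split()
    if len(tok) < 7 or tok[0] != "access-list" or tok[3] != "ip" or tok[6] != "any":
        raise ValueError("unsupported entry: " + line)
    return {
        "action": tok[2],
        "src": int(ipaddress.IPv4Address(tok[4])),
        "wildcard": int(ipaddress.IPv4Address(tok[5])),
        "log": "log" in tok[7:],
    }

def src_matches(entry, src_ip):
    """Wildcard bits set to 1 are 'don't care'; every other bit must be equal."""
    care = ~entry["wildcard"] & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(src_ip)) & care) == (entry["src"] & care)

def evaluate(acl_lines, src_ip):
    """First match wins. Returns (action, entry_number), or None when none of
    the listed entries match (later entries, not shown in the thread, decide)."""
    for number, line in enumerate(acl_lines, start=1):
        entry = parse_entry(line)
        if src_matches(entry, src_ip):
            return entry["action"], number
    return None

# Constructed sample source addresses arriving on the ingress interface.
SAMPLES = [
    "192.168.0.200",  # inside the /24
    "192.168.1.10",   # inside the /26 (a Johannesburg dialup address)
    "192.168.1.63",   # last address of the /26
    "192.168.1.64",   # just outside the /26
    "198.51.100.7",   # unrelated source
]

if __name__ == "__main__":
    for ip in SAMPLES:
        print(ip, "->", evaluate(ACL_111, ip))
```
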


