[nsp] community-based ip filtering
Alexandre Snarskii
snar at paranoia.ru
Thu Feb 27 10:56:42 EST 2003
On Wed, Feb 26, 2003 at 08:46:41AM +0100, Niklas at hoglund.pp.se wrote:
> Hi,
>
> does cisco do community-based ip filtering?
> e.g.
> int fddi0
> ip access-group community-list 10 in
> !
> ip community-list 10 permit AA:BB
> ip community-list 10 permit CC:DD
> !
>
> Can I do it? =)
What should you filter with these sentences? IP packets with
communities set? :)))
The short answer is: no, you can't filter IP packets based on community,
because IP packets do not contain any information about communities.
The longer answer is: yes, in some situations you can.
Just filter the BGP announcements from some router on this interface:

    ! community-list referenced by the route-map below; list the
    ! communities whose prefixes you want to accept from that neighbour
    ip community-list 1 permit AA:BB
    !
    ! accept only announcements carrying a community from list 1
    route-map COMM-IN permit 10
     match community 1
    !
    router bgp XXXX
     neighbor Y.Y.Y.Y route-map COMM-IN in

then add

    ! strict unicast RPF: drop packets whose source is not routed
    ! back out this interface
    interface fddi0
     ip verify unicast reverse-path

to your configuration, and only packets sourced from networks whose
best route points back to that interface will be accepted.
Be very careful using this!
Suppose your upstream announces a.b.c.0/19 with community AA:BB
via fddi0, but you have a route to a.b.c.0/20 known via another
interface. If a packet from a.b.c.0/20 comes to you via fddi0,
it will be dropped.
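To make the interaction between the community filter and strict uRPF concrete, here is a small model of the two steps, added as an illustration and not part of the original message. It assumes placeholder prefixes (10.1.0.0/19 standing in for a.b.c.0/19, 10.1.0.0/20 for the more-specific, 10.2.0.0/16 for a prefix without an accepted community), an interface named serial0 for the "other interface", and no default route, so unknown sources fail the check.

```python
import ipaddress

# Constructed BGP announcements received from the neighbour on fddi0,
# as (prefix, communities) pairs; placeholder prefixes, not real ones.
ANNOUNCES_FDDI0 = [
    ("10.1.0.0/19", {"AA:BB"}),
    ("10.2.0.0/16", {"CC:DD"}),     # not in community-list 1 -> filtered
]
# The more specific prefix learned via another interface (the caveat).
OTHER_ROUTES = [("10.1.0.0/20", "serial0")]
COMMUNITY_LIST_1 = {"AA:BB"}        # "ip community-list 1 permit AA:BB"


def apply_route_map(announces, iface, permitted=COMMUNITY_LIST_1):
    """Models 'route-map COMM-IN' with 'match community 1': keep only the
    announcements tagged with a permitted community. Returns {net: iface}."""
    fib = {}
    for prefix, comms in announces:
        if comms & permitted:
            fib[ipaddress.ip_network(prefix)] = iface
    return fib


def build_fib():
    """Routing table after the neighbour's announcements pass the route-map
    and the routes from other interfaces are merged in."""
    fib = apply_route_map(ANNOUNCES_FDDI0, "fddi0")
    for prefix, iface in OTHER_ROUTES:
        fib[ipaddress.ip_network(prefix)] = iface
    return fib


def best_route(fib, addr):
    """Longest-prefix match, as the forwarding lookup does. No default
    route is modelled, so an unknown source matches nothing."""
    matches = [net for net in fib if addr in net]
    return max(matches, key=lambda net: net.prefixlen) if matches else None


def strict_urpf_accept(fib, src, in_iface):
    """'ip verify unicast reverse-path': accept the packet only if the best
    route back to its source points out the interface it arrived on."""
    net = best_route(fib, ipaddress.ip_address(src))
    return net is not None and fib[net] == in_iface


if __name__ == "__main__":
    fib = build_fib()
    for src in ("10.1.20.1", "10.1.1.1", "10.2.3.4"):
        verdict = "accepted" if strict_urpf_accept(fib, src, "fddi0") else "dropped"
        print(f"{src} arriving on fddi0: {verdict}")
```

10.1.20.1 is covered only by the /19 and passes; 10.1.1.1 falls inside the /20 whose best route is serial0 and is dropped on fddi0, exactly the case the message warns about; 10.2.3.4 has no route at all because its announcement was filtered.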