[c-nsp] Access-list application

Rodney Dunn rodunn at cisco.com
Tue Sep 21 17:36:10 EDT 2004


Never tried it with a loopback.

Are those packet matches for in or out?

You have the ACL configured in both directions
with the same src/dst.


On Tue, Sep 21, 2004 at 10:33:03PM +0300, Volodymyr Yakovenko wrote:
> On Tue, Sep 21, 2004 at 02:02:39PM -0400, Rodney Dunn wrote:
> >On Tue, Sep 21, 2004 at 11:15:39PM +0530, Amol Sapkal wrote:
> >> Quick question: Does an interface access-list apply to traffic
> >> generated from a router? Say a ping, if icmp is blocked, or a telnet
> >> to a site on port 80, if port 80 is blocked.
> >
> >On egress from the router no.
> 
> It does work for Loopbacks:
> 
> interface Loopback1
>  ip address 172.21.255.2 255.255.255.255
>  ip access-group NOME in
>  ip access-group NOME out
>  h323-gateway voip interface
>  h323-gateway voip id dp-gk1 ipaddr 172.21.255.1 1719
>  h323-gateway voip h323-id dp-msc-cis2
>  h323-gateway voip tech-prefix 1#
> ip access-list extended NOME
>  deny   tcp host 172.21.255.2 host 172.21.255.2 eq 1720
>  permit ip any any
> 
> dp-msc-cis2#sh ip access-lists NOME
> Extended IP access list NOME
>     deny tcp host 172.21.255.2 host 172.21.255.2 eq 1720 (36 matches)
>     permit ip any any (36 matches)
> 
> >Why?  Because it's assumed the router sending a packet
> >out is always a valid one.
> >
> >We considered an option for them to match on the traffic
> >but since the below workaround does the job it never
> >went further.
> >
> >You can force it to do so by defining a route-map, matching
> >the traffic, and configuring "ip local policy <route-map>".
> >
> >Rodney
> >
> >
> >> 
> >> Detailed: If no, why?
> >> 
> >> 
> >> 
> >> -- 
> >> Warm Regds,
> >> 
> >> Amol Sapkal
> >> 
> >> --------------------------------------------------------------------
> >> An eye for an eye makes the whole world blind 
> >> - Mahatma Gandhi
> >> --------------------------------------------------------------------
> >> _______________________________________________
> >> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/cisco-nsp
> >> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
> -- 
> Regards,
> Volodymyr.

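The local-policy workaround Rodney describes, written out as an added example (this is not configuration from the thread; the ACL and route-map names are made up, and the addresses and port reuse Volodymyr's Loopback1 example):

```text
! Added example: select the router-originated traffic to filter.
! Inside a route-map, the ACL's "permit" entries are what the route-map
! matches, so this ACL permits (selects) the flow we intend to drop.
ip access-list extended LOCAL-H323-DROP
 permit tcp host 172.21.255.2 host 172.21.255.2 eq 1720
!
! Policy-route the selected traffic to Null0, i.e. discard it.
! Packets that match no route-map entry are forwarded normally.
route-map LOCAL-FILTER permit 10
 match ip address LOCAL-H323-DROP
 set interface Null0
!
! "ip local policy" applies the route-map only to packets the router
! itself originates, which an interface access-group does not inspect
! on egress.
ip local policy route-map LOCAL-FILTER
```

Verify with `show route-map LOCAL-FILTER`: its "Policy routing matches" counter increments only for router-originated packets, so unlike a shared in/out interface ACL it leaves no ambiguity about which direction produced the hits.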