[c-nsp] Access-list application

Amol Sapkal amolsapkal at gmail.com
Tue Sep 21 21:42:55 EDT 2004


Yes,

I checked it yesterday for ICMP, traffic generated within the router
does actually pass outbound. So the access-list did not stop the
traffic outbound.
I know about ip local policy, but thought it comes in play only for
taking routing decisions and not access-list application.

Like, if my router's default is interface X, and there is source based
routing for traffic from subnet A.B.C.D to go out via interface Y -
1. with ip local policy enabled, an extended trace on the router (with
a loopback as source, which is in the subnet ABCD), will take
interface Y.
2. with ip local policy disabled, the trace would still take the
default interface X.




On Wed, 22 Sep 2004 02:27:29 +0300, Volodymyr Yakovenko
<vovik at dumpty.org> wrote:
> On Tue, Sep 21, 2004 at 05:36:10PM -0400, Rodney Dunn wrote:
> >Never tried it with a loopback.
> >
> >Is that packet matches for in or out?
> 
> Only inbound ACL actualy matches packets.
> 
> So your statement about outbound ACLs is right.
> 
> >You have the ACL configured in both directions
> >with the same src/dst.
> >
> >On Tue, Sep 21, 2004 at 10:33:03PM +0300, Volodymyr Yakovenko wrote:
> >> On Tue, Sep 21, 2004 at 02:02:39PM -0400, Rodney Dunn wrote:
> >> >On Tue, Sep 21, 2004 at 11:15:39PM +0530, Amol Sapkal wrote:
> >> >> Quick question: Does an interface access-list apply to traffic
> >> >> generated from a router? Say a ping, if icmp is blocked, or a telnet
> >> >> to a site on port 80, if port 80 is blocked.
> >> >
> >> >On egress from the router no.
> >>
> >> It does work for Loopbacks:
> >>
> >> interface Loopback1
> >>  ip address 172.21.255.2 255.255.255.255
> >>  ip access-group NOME in
> >>  ip access-group NOME out
> >>  h323-gateway voip interface
> >>  h323-gateway voip id dp-gk1 ipaddr 172.21.255.1 1719
> >>  h323-gateway voip h323-id dp-msc-cis2
> >>  h323-gateway voip tech-prefix 1#
> >> ip access-list extended NOME
> >>  deny   tcp host 172.21.255.2 host 172.21.255.2 eq 1720
> >>  permit ip any any
> >>
> >> dp-msc-cis2#sh ip access-lists NOME
> >> Extended IP access list NOME
> >>     deny tcp host 172.21.255.2 host 172.21.255.2 eq 1720 (36 matches)
> >>     permit ip any any (36 matches)
> >>
> >> >Why?  Because it's assumed the the router sending a packet
> >> >out is always a valid one.
> >> >
> >> >We considered an option for them to match on the traffic
> >> >but since the below workaround does the job it never
> >> >went further.
> >> >
> >> >You can force it to do by defining a route-map, match
> >> >the traffic, configure "ip local policy <route-map".
> >> >
> >> >Rodney
> >> >
> >> >
> >> >>
> >> >> Detailed: If no, why?
> 
> -- 
> Regards,
> Volodymyr.
> 
> 



-- 
Warm Regds,

Amol Sapkal

--------------------------------------------------------------------
An eye for an eye makes the whole world blind 
- Mahatma Gandhi
--------------------------------------------------------------------


More information about the cisco-nsp mailing list