[c-nsp] Prevent traffic originated from the router using access-list

Jeff Tantsura jeff.tantsura at sscplus.nl
Wed Jun 27 08:15:48 EDT 2007


Hi,

It's not going to work; you'd only match on transit traffic. In order to
match on locally generated traffic you should use local PBR, i.e.:
ip local policy route-map BLAH

Jeff

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ozgur Guler
> Sent: Wednesday 27 June 2007 13:55
> To: Vikas Sharma
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Prevent traffic originated from the router using access-list
> 
> You can drop the relevant traffic with a simple policy-map by applying it
> to an outgoing interface ...
> 
> R2#sh policy-map
>   Policy Map X
>     Class x
>       drop
>     Class class-default
> 
> 
> On 6/27/07, Vikas Sharma <vikassharmas at gmail.com> wrote:
> >
> > Hi,
> >
> > How can I stop traffic originated from local router e.g. from loopback
> > interface of router to go anywhere?
> >
> > I tried with ACL but it permits the traffic as access-list only stops
> > traffic passing through the router, not originated from the router.
> >
> > =========
> > access-list 101 deny ip host 192.168.5.254 any
> > access-list 101 permit ip any any
> >
> > ip access-group 101 out
> > =========
> >
> > Using below conf I am able to achieve the objective. In that I have
> > changed the source and destination. That's correct.
> >
> > But I wanted to know can I achieve the same result using source as
> > loopback?
> >
> > working conf -
> > ===========
> > access-list 102 deny ip any host 192.168.5.254
> > access-list 102 permit ip any any
> >
> > ip access-group 102 in
> > ==============
> >
> >
> >
> > Thanks
> > Vikas Sharma
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
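
The local PBR approach suggested in the reply at the top of this message, written out as an added example that is not part of the original thread. The route-map name BLAH and the address 192.168.5.254 come from the thread; ACL number 110 and sequence number 10 are assumptions.

```cisco
! Added example, not from the thread. ACL 110 and sequence 10 are assumed values.
!
! An outbound interface ACL is checked only against packets the router
! forwards. Packets the router generates itself bypass it, which is why
! "ip access-group 101 out" never matched traffic sourced from the loopback.
!
! Select the locally generated traffic to discard (source address from the thread).
access-list 110 permit ip host 192.168.5.254 any
!
! Route-map evaluated for router-originated packets: matched traffic is
! sent to Null0 and discarded; unmatched traffic is routed normally.
route-map BLAH permit 10
 match ip address 110
 set interface Null0
!
! Global configuration command that applies the route-map to packets
! originated by this router (local policy routing).
ip local policy route-map BLAH
!
! Verification from exec mode:
!   show ip local policy
!   show route-map BLAH
```

The match is on source address only, so it also discards routing-protocol and management traffic the router sources from 192.168.5.254; narrow ACL 110 if only some destinations or protocols should be dropped.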


