[c-nsp] Prevent traffic originated from the router using access-list

Jeff Tantsura jeff.tantsura at sscplus.nl
Wed Jun 27 09:14:43 EDT 2007


Bollocks, it does not. You can't set a "drop" action within the policy-map
framework.

 

I don't need a lab for this.

 

The working config would be:

ip local policy route-map BLAH

route-map BLAH
 match ip address 101
 set interface null0

access-list 101 permit ip host 192.168.5.254 any
access-list 101 deny ip any any
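A complete version of the local-PBR drop described above, added here as an example and not taken from the thread; it assumes the address 192.168.5.254 sits on Loopback0 and uses a constructed destination 10.0.0.1 for the check:

```cisco
! Added example, not from the thread. Assumes Loopback0 = 192.168.5.254/32.
interface Loopback0
 ip address 192.168.5.254 255.255.255.255
!
! Extended ACLs need a protocol keyword ("permit any any" is rejected by IOS).
! Only packets the router itself sources from the loopback match here.
access-list 101 permit ip host 192.168.5.254 any
access-list 101 deny ip any any
!
! Packets permitted by ACL 101 are sent to Null0, i.e. dropped. Packets the
! ACL denies do not match the route-map and are routed normally, so keep the
! ACL narrow: local policy sees all router-originated traffic, including
! routing-protocol and management sessions.
route-map BLAH permit 10
 match ip address 101
 set interface Null0
!
! An interface "ip access-group ... out" never sees locally generated
! traffic; local policy is the hook that does.
ip local policy route-map BLAH
!
! Verification (exec mode):
! show ip local policy            - BLAH is listed as the local policy
! show route-map BLAH             - policy-routing match counters increase
! ping 10.0.0.1 source Loopback0  - fails; the same ping without "source" works
```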


From: Ozgur Guler [mailto:ozgur11 at gmail.com] 
Sent: woensdag 27 juni 2007 14:22
To: jeff.tantsura at sscplus.nl
Cc: Vikas Sharma; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Prevent traffic originated from the router using access-list

 

It works.
Just try it in the lab ...




On 6/27/07, Jeff Tantsura <jeff.tantsura at sscplus.nl> wrote:

Hi,

It's not going to work; you'd only match on transit traffic. In order to
match on locally generated traffic you should use local PBR, i.e.:
ip local policy route-map BLAH

Jeff

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Ozgur Guler
> Sent: woensdag 27 juni 2007 13:55
> To: Vikas Sharma 
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Prevent traffic originated from the router using access-list
>
> You can drop the relevant traffic with a simple policy-map by applying it
> to an outgoing interface ...
>
> R2#sh policy-map
>   Policy Map X
>     Class x
>       drop
>     Class class-default
>
>
> On 6/27/07, Vikas Sharma <vikassharmas at gmail.com> wrote:
> >
> > Hi,
> >
> > How can I stop traffic originated from the local router, e.g. from the
> > loopback interface of the router, from going anywhere?
> >
> > I tried with an ACL, but it permits the traffic, as an access-list only
> > stops traffic passing through the router, not traffic originated from
> > the router.
> >
> > =========
> > access-list 101 deny ip host 192.168.5.254 any
> > access-list 101 permit ip any any
> >
> > ip access-group 101 out
> > =========
> > 
> > Using the conf below I am able to achieve the objective. In that I have
> > swapped the source and destination. That's correct.
> >
> > But I wanted to know: can I achieve the same result using the loopback
> > as source?
> >
> > working conf -
> > ===========
> > access-list 102 deny ip any host 192.168.5.254
> > access-list 102 permit ip any any
> >
> > ip access-group 102 in
> > ===========
> >
> >
> >
> > Thanks
> > Vikas Sharma
> > _______________________________________________ 
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
