[c-nsp] Prevent traffic originated from the router using access-list
Ozgur Guler
ozgur11 at gmail.com
Wed Jun 27 09:23:09 EDT 2007
You can...
http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a00804559b3.html
On 6/27/07, Jeff Tantsura <jeff.tantsura at sscplus.nl> wrote:
>
> Bollocks, it does not. You can't set "drop" action within policy-map
> framework
>
> I don't need a lab for this.
>
> The working config would be:
>
> ip local policy route-map BLAH
> route-map BLAH
>  match ip address 101
>  set interface null0
>
> access-list 101 permit ip host 192.168.5.254 any
> access-list 101 deny ip any any
>
> ------------------------------
>
> *From:* Ozgur Guler [mailto:ozgur11 at gmail.com]
> *Sent:* woensdag 27 juni 2007 14:22
> *To:* jeff.tantsura at sscplus.nl
> *Cc:* Vikas Sharma; cisco-nsp at puck.nether.net
> *Subject:* Re: [c-nsp] Prevent traffic originated from the router
> using access-list
>
>
>
> It works.
> Just try it in the lab ...
>
>
> On 6/27/07, *Jeff Tantsura* < jeff.tantsura at sscplus.nl > wrote:
>
> Hi,
>
> It's not going to work, you'd only match on transit traffic, in order to
> match on locally generated traffic you should use local PBR ie:
> ip local policy route-map BLAH
>
> Jeff
>
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> > bounces at puck.nether.net] On Behalf Of Ozgur Guler
> > Sent: woensdag 27 juni 2007 13:55
> > To: Vikas Sharma
> > Cc: cisco-nsp at puck.nether.net
> > Subject: Re: [c-nsp] Prevent traffic originated from the router
> > using access-list
> >
> > You can drop the relevant traffic with a simple policy-map by applying it
> > to an outgoing interface ...
> >
> > R2#sh policy-map
> > Policy Map X
> > Class x
> > drop
> > Class class-default
> >
> >
> > On 6/27/07, Vikas Sharma < vikassharmas at gmail.com> wrote:
> > >
> > > Hi,
> > >
> > > How can I stop traffic originated from the local router, e.g. from the
> > > loopback interface of the router, from going anywhere?
> > >
> > > I tried with an ACL but it permits the traffic, as an access-list only
> > > stops traffic passing through the router, not traffic originated from
> > > the router.
> > >
> > > =========
> > > access-list 101 deny ip host 192.168.5.254 any
> > > access-list 101 permit ip any any
> > >
> > > ip access-group 101 out
> > > =========
> > >
> > > Using the below conf I am able to achieve the objective. In that I have
> > > changed the source and destination. That's correct.
> > >
> > > But I wanted to know: can I achieve the same result using source as
> > > loopback?
> > >
> > > working conf -
> > > ===========
> > > access-list 102 deny ip any host 192.168.5.254
> > > access-list 102 permit ip any any
> > >
> > > ip access-group 102 in
> > > ==============
> > >
> > >
> > >
> > > Thanks
> > > Vikas Sharma
> > > _______________________________________________
> > > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> > >
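
An added example, not part of the thread or written by any of its participants: a small Python check over a running-config that flags the situation described in the original question, an outbound `ip access-group` whose ACL denies one of the router's own addresses as source, and reports whether `ip local policy route-map` is configured as suggested in the reply. The sample config and the function name `audit` are constructed for illustration; only numbered ACLs with `deny ip host` entries are handled.

```python
import re

# Constructed sample running-config for illustration (not taken from a real router).
SAMPLE_CONFIG = """\
interface Loopback0
 ip address 192.168.5.254 255.255.255.255
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip access-group 101 out
access-list 101 deny ip host 192.168.5.254 any
access-list 101 permit ip any any
"""

def audit(config):
    """Flag outbound ACL denies whose source is one of the router's own addresses.

    Per the thread, such entries do not match locally generated traffic.
    Only numbered ACLs with 'deny ip host <addr>' entries are handled.
    """
    own, out_acls, denies = set(), {}, []
    local_policy, iface = None, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)", line):
            iface = m.group(1)
        elif m := re.match(r"ip address (\d+\.\d+\.\d+\.\d+) ", line):
            own.add(m.group(1))  # address configured on this router
        elif m := re.match(r"ip access-group (\d+) out$", line):
            out_acls.setdefault(m.group(1), []).append(iface)
        elif m := re.match(r"access-list (\d+) deny ip host (\S+) ", line):
            denies.append((m.group(1), m.group(2)))
        elif m := re.match(r"ip local policy route-map (\S+)", line):
            local_policy = m.group(1)
    # A deny is ineffective when its source is local and the ACL is applied outbound.
    ineffective = [(acl, src, ifname)
                   for acl, src in denies if src in own
                   for ifname in out_acls.get(acl, [])]
    return {"ineffective": ineffective, "local_policy": local_policy}

if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    for acl, src, ifname in report["ineffective"]:
        print(f"ACL {acl} out on {ifname}: deny for own address {src} "
              "will not match router-originated packets")
    print("ip local policy route-map:", report["local_policy"] or "not configured")
```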