[c-nsp] Prevent traffic originated from the router using access-list

Vikas Sharma vikassharmas at gmail.com
Thu Jun 28 01:11:31 EDT 2007


Hi Ozgur,

I have tried what you have suggested in the lab and found it is difficult to
block packets originated from the local router using a policy-map. Because it drops
the OSPF neighborship, and even if you give a static route, it matched all the
conditions in the class map that also has permit any any (1st is - 10 deny ip
host 192.168.3.254 any & 2nd is - 20 permit ip any any). What it does is
drop all the packets.

Thus I feel the only way to do this is local PBR.

Thanks
Vikas Sharma


On 6/27/07, Ozgur Guler <ozgur11 at gmail.com> wrote:
>
> You can...
>
> http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a00804559b3.html
>
>
> On 6/27/07, Jeff Tantsura <jeff.tantsura at sscplus.nl> wrote:
> >
> >  Bollocks, it does not. You can't set a "drop" action within the policy-map
> > framework.
> >
> > I don't need a lab for this.
> >
> > The working config would be:
> >
> > ip local policy route-map BLAH
> >
> > route-map BLAH
> >  match ip address 101
> >  set interface null0
> >
> > access-list 101 permit ip host 192.168.5.254 any
> > access-list 101 deny ip any any
> >
> >
> >   ------------------------------
> >
> > *From:* Ozgur Guler [mailto:ozgur11 at gmail.com]
> > *Sent:* woensdag 27 juni 2007 14:22
> > *To:* jeff.tantsura at sscplus.nl
> > *Cc:* Vikas Sharma; cisco-nsp at puck.nether.net
> > *Subject:* Re: [c-nsp] Prevent traffic originated from the router using access-list
> >
> >
> >
> > It works.
> > Just try it in the lab ...
> >
> >
> >  On 6/27/07, *Jeff Tantsura* < jeff.tantsura at sscplus.nl > wrote:
> >
> > Hi,
> >
> > It's not going to work, you'd only match on transit traffic. In order to
> > match on locally generated traffic you should use local PBR, i.e.:
> > ip local policy route-map BLAH
> >
> > Jeff
> >
> > > -----Original Message-----
> > > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> > > bounces at puck.nether.net] On Behalf Of Ozgur Guler
> > > Sent: woensdag 27 juni 2007 13:55
> > > To: Vikas Sharma
> > > Cc: cisco-nsp at puck.nether.net
> > > Subject: Re: [c-nsp] Prevent traffic originated from the router using access-list
> > >
> > > You can drop the relevant traffic with a simple policy-map by applying it
> > > to an outgoing interface ...
> > >
> > > R2#sh policy-map
> > >   Policy Map X
> > >     Class x
> > >       drop
> > >     Class class-default
> > >
> > >
> > > On 6/27/07, Vikas Sharma < vikassharmas at gmail.com> wrote:
> > > >
> > > > Hi,
> > > >
> > > > How can I stop traffic originated from the local router, e.g. from the
> > > > loopback interface of the router, from going anywhere?
> > > >
> > > > I tried with an ACL but it permits the traffic, as an access-list only stops
> > > > traffic passing through the router, not traffic originated from the router.
> > > >
> > > > =========
> > > > access-list 101 deny ip host 192.168.5.254 any
> > > > access-list 101 permit ip any any
> > > >
> > > > ip access-group 101 out
> > > > =========
> > > >
> > > > Using the below conf I am able to achieve the objective. In that I have
> > > > changed the source and destination. That's correct.
> > > >
> > > > But I wanted to know whether I can achieve the same result using the
> > > > loopback as source?
> > > >
> > > > working conf -
> > > > ===========
> > > > access-list 102 deny ip any host 192.168.5.254
> > > > access-list 102 permit ip any any
> > > >
> > > > ip access-group 102 in
> > > > ==============
> > > >
> > > >
> > > >
> > > > Thanks
> > > > Vikas Sharma
> > > > _______________________________________________
> > > > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> > > >

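The local-PBR approach Jeff describes, written out as a complete IOS configuration with the extended-ACL protocol keyword the quoted lines omit and the show commands to verify it. This is an added example, not a configuration from the thread; the route-map name DROP-LOCAL is a placeholder, and 192.168.3.254 is only assumed to be a reachable test destination.

```cisco
! Added example. Drops every packet the router itself originates from its
! loopback address 192.168.5.254 (the address used in the thread).
!
! An interface ACL applied "out" never sees router-originated packets;
! "ip local policy" does. Inside a route-map the ACL is only a match list:
! a "permit" entry means this clause applies, a "deny" entry means fall
! through to normal forwarding. A deny is NOT a drop. That is why a class-map
! whose ACL ends in "permit ip any any" matched everything in Vikas's lab and
! took the OSPF neighborship down with it. Here only loopback-sourced packets
! match, so routing-protocol traffic sourced from other interfaces is untouched.
!
access-list 101 permit ip host 192.168.5.254 any
access-list 101 deny   ip any any
!
route-map DROP-LOCAL permit 10
 match ip address 101
 set interface Null0
!
ip local policy route-map DROP-LOCAL
!
! Verification:
!   show ip local policy       -> confirms DROP-LOCAL is the local policy
!   show route-map DROP-LOCAL  -> "Policy routing matches" counter grows as
!                                 loopback-sourced packets are sent to Null0
!   show access-lists 101      -> per-entry match counters
!   ping 192.168.3.254 source 192.168.5.254  -> fails (sent to Null0)
!   ping 192.168.3.254                       -> sourced from the egress
!                                               interface, still succeeds
```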