[c-nsp] Prevent traffic originated from the router using access-list
Oliver Boehmer (oboehmer)
oboehmer at cisco.com
Fri Jun 29 02:37:10 EDT 2007
What's the reason behind this request? Which traffic do you want dropped,
and why? Just curious.
oli
Vikas Sharma <> wrote on Thursday, June 28, 2007 7:12 AM:
> Hi Ozgur,
>
> I have tried what you suggested in the lab and found it is difficult
> to block packets originated from the local router using a policy-map, because
> it drops the OSPF neighborship, and even if you give a static route it
> matches all the conditions in the class-map that also has permit ip any any
> (1st is - 10 deny ip host 192.168.3.254 any & 2nd is - 20 permit ip
> any any). What it does is drop all the packets.
>
> Thus I feel the only way to do this is local PBR.
>
> Thanks
> Vikas Sharma
>
>
> On 6/27/07, Ozgur Guler <ozgur11 at gmail.com> wrote:
>>
>> You can...
>>
>>
>> http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a00804559b3.html
>>
>>
>> On 6/27/07, Jeff Tantsura <jeff.tantsura at sscplus.nl> wrote:
>>>
>>> Bollocks, it does not. You can't set a "drop" action within the
>>> policy-map framework.
>>>
>>>
>>>
>>> I don't need a lab for this.
>>>
>>>
>>>
>>> The working config would be:
>>>
>>> ip local policy route-map BLAH
>>>
>>> route-map BLAH
>>> match ip address 101
>>> set interface null0
>>>
>>> access-list 101 permit ip host 192.168.5.254 any
>>> access-list 101 deny ip any any
>>>
>>>
>>> ------------------------------
>>>
>>> *From:* Ozgur Guler [mailto:ozgur11 at gmail.com]
>>> *Sent:* woensdag 27 juni 2007 14:22
>>> *To:* jeff.tantsura at sscplus.nl
>>> *Cc:* Vikas Sharma; cisco-nsp at puck.nether.net
>>> *Subject:* Re: [c-nsp] Prevent traffic originated from the router using access-list
>>>
>>>
>>>
>>> It works.
>>> Just try it in the lab ...
>>>
>>>
>>> On 6/27/07, *Jeff Tantsura* <jeff.tantsura at sscplus.nl> wrote:
>>>
>>> Hi,
>>>
>>> It's not going to work; you'd only match on transit traffic. In order to
>>> match on locally generated traffic you should use local PBR, i.e.:
>>> ip local policy route-map BLAH
>>>
>>> Jeff
>>>
>>>> -----Original Message-----
>>>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
>>>> bounces at puck.nether.net] On Behalf Of Ozgur Guler
>>>> Sent: woensdag 27 juni 2007 13:55
>>>> To: Vikas Sharma
>>>> Cc: cisco-nsp at puck.nether.net
>>>> Subject: Re: [c-nsp] Prevent traffic originated from the router using access-list
>>>>
>>>> You can drop the relevant traffic with a simple policy-map by
>>>> applying it to an outgoing interface ...
>>>>
>>>> R2#sh policy-map
>>>> Policy Map X
>>>> Class x
>>>> drop
>>>> Class class-default
>>>>
>>>>
>>>> On 6/27/07, Vikas Sharma <vikassharmas at gmail.com> wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> How can I stop traffic originated from the local router, e.g. from the
>>>>> loopback interface of the router, from going anywhere?
>>>>>
>>>>> I tried with an ACL but it permits the traffic, as an access-list only
>>>>> stops traffic passing through the router, not traffic originated from the
>>>>> router.
>>>>>
>>>>> =========
>>>>> access-list 101 deny ip host 192.168.5.254 any
>>>>> access-list 101 permit ip any any
>>>>>
>>>>> ip access-group 101 out
>>>>> =========
>>>>>
>>>>> Using the conf below I am able to achieve the objective. In that I
>>>>> have swapped the source and destination. That's correct.
>>>>>
>>>>> But I wanted to know whether I can achieve the same result using the
>>>>> loopback as source?
>>>>>
>>>>> working conf -
>>>>> ===========
>>>>> access-list 102 deny ip any host 192.168.5.254
>>>>> access-list 102 permit ip any any
>>>>>
>>>>> ip access-group 102 in
>>>>> ==============
>>>>>
>>>>> Thanks
>>>>> Vikas Sharma
>>>>> _______________________________________________
>>>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>>>
>>>
>>>
>>>
>>
>>
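Jeff's local PBR approach, written out in full with ACL syntax IOS accepts and the checks a practitioner would run afterwards. This is an added example, not config posted by anyone in the thread; it assumes 192.168.5.254 sits on Loopback0, uses 10.0.0.1 as a constructed test destination, and the route-map name BLACKHOLE-LOOPBACK is made up for this example.

```cisco
! Loopback whose traffic must never leave the box (address from the thread)
interface Loopback0
 ip address 192.168.5.254 255.255.255.255
!
! Extended ACL: match ONLY packets sourced from the loopback.
! Keep the permit narrow. A 'permit ip any any' here would policy-route
! every locally generated packet (OSPF hellos, BGP, SSH replies) to Null0,
! which is how the class-map attempt in the thread lost its OSPF neighbours.
access-list 101 remark local-pbr: blackhole traffic sourced from Loopback0
access-list 101 permit ip host 192.168.5.254 any
access-list 101 deny ip any any
!
! Route-map: packets matching ACL 101 are sent to Null0; anything the ACL
! denies matches no sequence and falls through to normal routing.
route-map BLACKHOLE-LOOPBACK permit 10
 match ip address 101
 set interface Null0
!
! Apply to locally originated packets only. An interface-level
! 'ip policy route-map' or an outbound 'ip access-group' sees transit
! traffic only, which is why the original ACL attempt did nothing.
ip local policy route-map BLACKHOLE-LOOPBACK
!
! Verification (10.0.0.1 is a constructed destination):
!   show ip local policy                -> confirms the route-map is applied
!   show route-map BLACKHOLE-LOOPBACK   -> "Policy routing matches" counter rises
!   ping 10.0.0.1 source 192.168.5.254  -> fails (blackholed)
!   ping 10.0.0.1                       -> sourced from the egress interface, succeeds
```

Anything deliberately sourced from the loopback, such as an iBGP session with update-source Loopback0, will be blackholed by this too, so check those sessions before applying it.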