[c-nsp] L2TPv3 and Filtering
Jeffrey Ollie
jeff at ocjtech.us
Tue Apr 8 12:46:56 EDT 2008
I have two 2811 routers that I'm setting up to bridge an L2 VLAN across
our WAN to support some POS systems that need to be on the same L2
VLAN. I've gotten an L2TPv3 tunnel set up between the routers and
passing packets. However, I'd like to add an access list to prevent
traffic like OSPF, PIM, and DHCP from passing across the tunnel.
However, adding an "ip access-group" command to the interface that is
connected to the tunnel doesn't seem to block anything. Here are the
relevant bits from the config (the other router is identical except
for IP addresses). Can anyone show me how to get this filtering
working properly? Should I be using something other than L2TPv3?
l2tp-class cafe-class
 authentication
 password YYYYYYYYYYYY
!
pseudowire-class cafe-pseudowire
 encapsulation l2tpv3
 protocol l2tpv3 cafe-class
 ip local interface Loopback0
!
interface Loopback0
 ip address XXX.XXX.XXX.XXX 255.255.255.255
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip pim sparse-mode
!
interface FastEthernet0/1
 no ip address
 ip access-group keep-stuff-local in
 duplex auto
 speed auto
 xconnect XXX.XXX.XXX.XXX 39 encapsulation l2tpv3 pw-class cafe-pseudowire
end
!
ip access-list extended keep-stuff-local
 deny udp any any range bootps bootpc log
 deny pim any any log
 deny ospf any any log
 deny igmp any any log
 permit ip any any
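Added example, not part of the original post: a short Python script that builds L2TPv3-over-IP data packets the way a router would emit them for this pseudowire (RFC 3931 IP encapsulation: IP protocol 115, a 32-bit session ID, then the raw Ethernet frame; it assumes no cookie and no sequencing, which is the IOS default) and runs the keep-stuff-local access list from the post against both the outer tunnel header and the Ethernet frame carried inside. It shows what an IP ACL has to work with on each side of the pseudowire. On the attachment circuit (FastEthernet0/1 here) frames are cross-connected at layer 2 without IP input processing, so the ACL is not consulted at all; on the core side an IP ACL sees only the outer header, where every tunnel packet is protocol 115 and falls through to permit ip any any, even when the payload is OSPF or DHCP. All addresses, MACs, the session ID and the OSPF/DHCP/TCP payloads are constructed placeholders.

```python
"""Constructed L2TPv3-over-IP packets (RFC 3931 section 4.1.2 framing) run
through the keep-stuff-local ACL from the post, once against the outer
tunnel header and once against the Ethernet frame carried inside."""
import struct
from ipaddress import IPv4Address

IPPROTO_IGMP, IPPROTO_TCP, IPPROTO_UDP = 2, 6, 17
IPPROTO_OSPF, IPPROTO_PIM, IPPROTO_L2TPV3 = 89, 103, 115
ETHERTYPE_IPV4 = 0x0800
BOOTPS, BOOTPC = 67, 68


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header, no options; checksum left 0 (never transmitted)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def build_udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_ethernet(dst_mac, src_mac, ethertype, payload):
    return (bytes.fromhex(dst_mac) + bytes.fromhex(src_mac)
            + struct.pack("!H", ethertype) + payload)


def build_l2tpv3_ip(tunnel_src, tunnel_dst, session_id, frame, cookie=b""):
    """L2TPv3 data packet over IP: protocol 115, 32-bit session ID, optional
    cookie (assumed absent, the IOS default), then the raw Ethernet frame."""
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_L2TPV3,
                      struct.pack("!I", session_id) + cookie + frame)


def parse_ipv4(buf):
    ihl = (buf[0] & 0x0F) * 4
    total = struct.unpack("!H", buf[2:4])[0]
    proto = buf[9]
    payload = buf[ihl:total]
    fields = {"proto": proto, "src": str(IPv4Address(buf[12:16])),
              "dst": str(IPv4Address(buf[16:20])), "dport": None, "payload": payload}
    if proto == IPPROTO_UDP and len(payload) >= 8:
        fields["sport"], fields["dport"] = struct.unpack("!HH", payload[:4])
    return fields


def parse_l2tpv3_ip(ip_payload, cookie_len=0):
    session_id = struct.unpack("!I", ip_payload[:4])[0]
    return session_id, ip_payload[4 + cookie_len:]


def parse_ethernet(frame):
    return struct.unpack("!H", frame[12:14])[0], frame[14:]


def acl_keep_stuff_local(ip):
    """The post's ACL, evaluated top-down; returns (action, matching line).
    'range bootps bootpc' after the second 'any' is a destination-port range."""
    if ip["proto"] == IPPROTO_UDP and ip["dport"] is not None and BOOTPS <= ip["dport"] <= BOOTPC:
        return "deny", "deny udp any any range bootps bootpc log"
    if ip["proto"] == IPPROTO_PIM:
        return "deny", "deny pim any any log"
    if ip["proto"] == IPPROTO_OSPF:
        return "deny", "deny ospf any any log"
    if ip["proto"] == IPPROTO_IGMP:
        return "deny", "deny igmp any any log"
    return "permit", "permit ip any any"


def evaluate_tunnel_packet(pkt, cookie_len=0):
    """Decision an IP ACL reaches on the outer (tunnel) header versus the
    decision it would reach if it could see the inner Ethernet payload."""
    outer = parse_ipv4(pkt)
    result = {"outer": acl_keep_stuff_local(outer)[0], "inner": None}
    if outer["proto"] == IPPROTO_L2TPV3:
        _, frame = parse_l2tpv3_ip(outer["payload"], cookie_len)
        ethertype, inner = parse_ethernet(frame)
        if ethertype == ETHERTYPE_IPV4:
            result["inner"] = acl_keep_stuff_local(parse_ipv4(inner))[0]
    return result


# Constructed samples: placeholder tunnel endpoints, MACs and session ID.
TUNNEL = ("192.0.2.1", "192.0.2.2", 0x2700)
OSPF_IN_TUNNEL = build_l2tpv3_ip(*TUNNEL, build_ethernet(
    "01005e000005", "0200000000aa", ETHERTYPE_IPV4,
    build_ipv4("10.0.0.1", "224.0.0.5", IPPROTO_OSPF, b"\x02\x01" + b"\x00" * 14)))
DHCP_IN_TUNNEL = build_l2tpv3_ip(*TUNNEL, build_ethernet(
    "ffffffffffff", "0200000000bb", ETHERTYPE_IPV4,
    build_ipv4("0.0.0.0", "255.255.255.255", IPPROTO_UDP,
               build_udp(BOOTPC, BOOTPS, b"\x01" * 8))))
POS_IN_TUNNEL = build_l2tpv3_ip(*TUNNEL, build_ethernet(
    "0200000000cc", "0200000000bb", ETHERTYPE_IPV4,
    build_ipv4("10.0.0.5", "10.0.0.9", IPPROTO_TCP, b"\x00" * 20)))

if __name__ == "__main__":
    for name, pkt in [("ospf", OSPF_IN_TUNNEL), ("dhcp", DHCP_IN_TUNNEL), ("pos", POS_IN_TUNNEL)]:
        print(name, evaluate_tunnel_packet(pkt))
```

If the pseudowire were configured with a cookie, pass its length as cookie_len so the inner frame is located correctly; with the default framing the Ethernet frame starts immediately after the session ID.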