[c-nsp] L2TPv3 and Filtering

Jeffrey Ollie jeff at ocjtech.us
Tue Apr 8 12:46:56 EDT 2008


I have two 2811 routers that I'm setting up to bridge a L2 VLAN across
our WAN to support some POS systems that need to be on the same L2
VLAN.  I've gotten a L2TPv3 tunnel set up between the routers and
passing packets.  However, I'd like to add an access list to prevent
traffic like OSPF, PIM, and DHCP from passing across the tunnel.
However, adding an "ip access-group" command to the interface that is
connected to the tunnel doesn't seem to block anything.  Here are the
relevant bits from the config (the other router is identical except
for IP addresses).  Can anyone show me how to get this filtering
working properly?  Should I be using something other than L2TPv3?

l2tp-class cafe-class
 authentication
 password YYYYYYYYYYYY

pseudowire-class cafe-pseudowire
 encapsulation l2tpv3
 protocol l2tpv3 cafe-class
 ip local interface Loopback0

interface Loopback0
 ip address XXX.XXX.XXX.XXX 255.255.255.255
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip pim sparse-mode

interface FastEthernet0/1
 no ip address
 ip access-group keep-stuff-local in
 duplex auto
 speed auto
 xconnect XXX.XXX.XXX.XXX 39 encapsulation l2tpv3 pw-class cafe-pseudowire
end

ip access-list extended keep-stuff-local
 deny   udp any any range bootps bootpc log
 deny   pim any any log
 deny   ospf any any log
 deny   igmp any any log
 permit ip any any

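What the tunnel traffic looks like on the wire, as an added example (Python, not code from the original post or from Cisco): it builds a few constructed L2TPv3-over-IP packets of the kind the two Loopback0 addresses would exchange, decapsulates them per RFC 3931 (IP protocol 115, 32-bit session ID, optional cookie), and applies the rules of keep-stuff-local to the outer IP header and to the inner Ethernet frame separately. Seen between the loopbacks the pseudowire carries only IP protocol 115, so every packet ends at `permit ip any any`; the DHCP, OSPF, PIM and IGMP matches only exist once the inner frame is parsed. The addresses, MACs, session ID, and the assumption of no cookie and no L2-specific sublayer (an l2tpv3 pseudowire-class with neither `cookie` nor `sequencing` configured, as in the posted config) are assumptions made here, not facts taken from the post.

```python
"""Decapsulate L2TPv3-over-IP and classify the inner Ethernet frame against
the intent of the posted keep-stuff-local ACL.

Assumed (not from the post): no L2TPv3 cookie and no L2-specific sublayer
in the data header; all addresses and MACs below are constructed samples.
"""
import socket
import struct

L2TPV3_IP_PROTO = 115           # L2TPv3 over IP, RFC 3931 section 4.1.2
ETHERTYPE_IPV4 = 0x0800
IPPROTO_IGMP, IPPROTO_TCP, IPPROTO_UDP, IPPROTO_OSPF, IPPROTO_PIM = 2, 6, 17, 89, 103
BOOTPS, BOOTPC = 67, 68

# Rules in the order of the posted ACL.  In IOS extended syntax the port
# operator after the destination ("any any range bootps bootpc") applies to
# the destination port, so that is what the first rule checks.
ACL_RULES = [
    ("deny udp any any range bootps bootpc",
     lambda ip: ip["proto"] == IPPROTO_UDP and BOOTPS <= ip["dport"] <= BOOTPC),
    ("deny pim any any", lambda ip: ip["proto"] == IPPROTO_PIM),
    ("deny ospf any any", lambda ip: ip["proto"] == IPPROTO_OSPF),
    ("deny igmp any any", lambda ip: ip["proto"] == IPPROTO_IGMP),
    ("permit ip any any", lambda ip: True),
]


def apply_acl(ip):
    """First-match evaluation of ACL_RULES over a parsed IPv4 header."""
    for name, pred in ACL_RULES:
        if pred(ip):
            return name
    return "implicit deny"


def parse_ipv4(buf):
    """Minimal IPv4 parser; pulls UDP ports when the protocol is UDP."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (buf[0] & 0x0F) * 4
    total_len = struct.unpack("!H", buf[2:4])[0]
    proto = buf[9]
    payload = buf[ihl:total_len]
    sport = dport = None
    if proto == IPPROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
    return {"proto": proto, "src": socket.inet_ntoa(buf[12:16]),
            "dst": socket.inet_ntoa(buf[16:20]), "sport": sport,
            "dport": dport, "payload": payload}


def parse_ethernet(frame):
    if len(frame) < 14:
        raise ValueError("runt frame")
    return {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
            "ethertype": struct.unpack("!H", frame[12:14])[0],
            "payload": frame[14:]}


def decap_l2tpv3(outer_pkt, cookie_len=0):
    """Strip outer IPv4 and the L2TPv3 session header; return the L2 frame."""
    outer = parse_ipv4(outer_pkt)
    if outer["proto"] != L2TPV3_IP_PROTO:
        raise ValueError("not L2TPv3 over IP")
    body = outer["payload"]
    session_id = struct.unpack("!I", body[:4])[0]
    if session_id == 0:                       # session 0 is the control channel
        raise ValueError("control message, not a data packet")
    return outer, session_id, body[4 + cookie_len:]


def classify(outer_pkt, cookie_len=0):
    """ACL verdict as seen on the outer header versus on the inner frame."""
    outer, session_id, frame = decap_l2tpv3(outer_pkt, cookie_len)
    eth = parse_ethernet(frame)
    if eth["ethertype"] == ETHERTYPE_IPV4:
        inner = apply_acl(parse_ipv4(eth["payload"]))
    else:
        inner = "not IPv4, no IP ACL verdict"   # e.g. ARP, or a misparsed cookie
    return {"outer": apply_acl(outer), "session_id": session_id, "inner": inner}


# --- constructed sample packets (checksums left zero; nothing validates them) ---
def build_ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_eth(dst_mac, src_mac, ethertype, payload):
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def build_l2tpv3(outer_src, outer_dst, session_id, frame, cookie=b""):
    return build_ipv4(outer_src, outer_dst, L2TPV3_IP_PROTO,
                      struct.pack("!I", session_id) + cookie + frame)


LOOP_A, LOOP_B, SESSION = "192.0.2.1", "192.0.2.2", 0x1234     # assumed values
BCAST, POS_MAC, RTR_MAC = b"\xff" * 6, b"\x00\x11\x22\x33\x44\x55", b"\x00\xaa\xbb\xcc\xdd\xee"

PKT_DHCP = build_l2tpv3(LOOP_A, LOOP_B, SESSION, build_eth(BCAST, POS_MAC, ETHERTYPE_IPV4,
    build_ipv4("0.0.0.0", "255.255.255.255", IPPROTO_UDP, build_udp(BOOTPC, BOOTPS, b"\x01" * 8))))
PKT_OSPF = build_l2tpv3(LOOP_A, LOOP_B, SESSION, build_eth(BCAST, RTR_MAC, ETHERTYPE_IPV4,
    build_ipv4("10.0.0.1", "224.0.0.5", IPPROTO_OSPF, b"\x02\x01" + b"\x00" * 14)))
PKT_POS = build_l2tpv3(LOOP_A, LOOP_B, SESSION, build_eth(RTR_MAC, POS_MAC, ETHERTYPE_IPV4,
    build_ipv4("10.0.0.10", "10.0.0.20", IPPROTO_TCP, b"\x00" * 20)))

if __name__ == "__main__":
    for name, pkt in (("dhcp", PKT_DHCP), ("ospf", PKT_OSPF), ("pos", PKT_POS)):
        print(name, classify(pkt))
```

The `cookie_len` parameter matters in practice: if the pseudowire-class carries a 4- or 8-byte cookie and the decapsulator is not told, the inner frame is parsed four bytes off and every packet classifies as "not IPv4", which silently turns a deny-list into a permit-all.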
