[c-nsp] L2TPv3 and Filtering

Bernd Ueberbacher noc at mynet.at
Tue Apr 8 13:44:26 EDT 2008


Hi!

I asked almost the same question some time ago and got this answer:

>> Is it possible to interfere with the L2TP traffic using access-lists?
>
> No. Not on the access side.

A bit later I got the explanation:

"AFAIK no. The features applied on ingress are not evaluated on
L3 info. We simply encapsulate the raw L2 frame and ship it over."



Greets,
Bernd
Jeffrey Ollie wrote:
> I have two 2811 routers that I'm setting up to bridge an L2 VLAN across
> our WAN to support some POS systems that need to be on the same L2
> VLAN.  I've gotten an L2TPv3 tunnel set up between the routers and
> passing packets.  However, I'd like to add an access list to prevent
> traffic like OSPF, PIM, and DHCP from passing across the tunnel.
> However, adding an "ip access-group" command to the interface that is
> connected to the tunnel doesn't seem to block anything.  Here's the
> relevant bits from the config (the other router is identical except
> for IP addresses).  Can anyone show me how to get this filtering
> working properly?  Should I be using something other than L2TPv3?
>
> l2tp-class cafe-class
>  authentication
>  password YYYYYYYYYYYY
>
> pseudowire-class cafe-pseudowire
>  encapsulation l2tpv3
>  protocol l2tpv3 cafe-class
>  ip local interface Loopback0
>
> interface Loopback0
>  ip address XXX.XXX.XXX.XXX 255.255.255.255
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  ip pim sparse-mode
>
> interface FastEthernet0/1
>  no ip address
>  ip access-group keep-stuff-local in
>  duplex auto
>  speed auto
>  xconnect XXX.XXX.XXX.XXX 39 encapsulation l2tpv3 pw-class cafe-pseudowire
> end
>
> ip access-list extended keep-stuff-local
>  deny   udp any any range bootps bootpc log
>  deny   pim any any log
>  deny   ospf any any log
>  deny   igmp any any log
>  permit ip any any
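The explanation Bernd quotes ("we simply encapsulate the raw L2 frame and ship it over") is the whole story behind why "ip access-group keep-stuff-local in" on FastEthernet0/1 matches nothing. The attachment circuit hands the frame to the pseudowire without an IP lookup, so the ACL is never consulted there, and on the core side the only IP header a filter can see is the outer one, which carries IP protocol 115 (L2TPv3 over IP), never OSPF, PIM or bootps/bootpc. The following Python model, added here and not part of the original thread or of any Cisco code, builds a constructed OSPF Hello frame of the kind a POS-site router would emit, wraps it in an RFC 3931 data message over IP, and compares what an IPv4-protocol test sees at the core against what a filter would see only after decapsulating and parsing the inner frame. Addresses, MACs, session ID and cookie length are all assumptions chosen for the example; a real session ID and cookie are negotiated by the L2TPv3 control channel, and the xconnect VCID 39 in the config is not the session ID.

```python
"""Model of L2TPv3-over-IP encapsulation (RFC 3931 data messages) showing why
an IPv4 ACL cannot match traffic carried inside the pseudowire.

Added example for this cisco-nsp thread; not Cisco code.  Every address,
MAC, session ID and cookie below is a constructed value.
"""
import struct

IP_PROTO_OSPF = 89
IP_PROTO_L2TPV3 = 115          # L2TPv3 carried directly over IP
ETHERTYPE_IPV4 = 0x0800


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header; checksum left at zero (not validated here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                       proto, 0,
                       bytes(int(o) for o in src.split(".")),
                       bytes(int(o) for o in dst.split(".")))


def ethernet_frame(dst_mac, src_mac, ethertype, payload):
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def ospf_hello_frame():
    """Constructed OSPFv2 Hello (24-byte OSPF header only) to AllSPFRouters,
    as it would arrive on the attachment circuit from a POS-site router."""
    ospf = struct.pack("!BBH4s4sHH8s", 2, 1, 24,
                       bytes([10, 0, 0, 1]),      # router ID (assumed)
                       bytes([0, 0, 0, 0]),       # area 0
                       0, 0, bytes(8))            # checksum, autype, auth
    ip = ipv4_header("10.0.0.1", "224.0.0.5", IP_PROTO_OSPF, len(ospf), ttl=1)
    return ethernet_frame(bytes.fromhex("01005e000005"),   # 224.0.0.5 group MAC
                          bytes.fromhex("001122334455"),   # assumed source MAC
                          ETHERTYPE_IPV4, ip + ospf)


def l2tpv3_encap(outer_src, outer_dst, session_id, cookie, frame):
    """RFC 3931 data message over IP: Session ID, optional cookie, raw L2 frame.
    No L2-specific sublayer is included in this model."""
    body = struct.pack("!I", session_id) + cookie + frame
    return ipv4_header(outer_src, outer_dst, IP_PROTO_L2TPV3, len(body)) + body


def l2tpv3_decap(packet, cookie_len):
    """Strip the outer IP header, session ID and cookie; return the inner frame."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IP_PROTO_L2TPV3:
        raise ValueError("outer packet is not L2TPv3 over IP")
    body = packet[ihl:]
    session_id, = struct.unpack("!I", body[:4])
    return session_id, body[4:4 + cookie_len], body[4 + cookie_len:]


def acl_visible_protocol(packet):
    """The only protocol field an IPv4 'deny ospf/pim/igmp/udp ...' entry can
    test on the core side: byte 9 of the first (outer) IPv4 header."""
    return packet[9]


def inner_protocol(frame):
    """What an L2-aware filter would have to do: read the Ethertype and, for
    IPv4, the protocol of the encapsulated packet."""
    ethertype, = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        return ethertype, None
    return ethertype, frame[14 + 9]


def demo(session_id=0x0000A1B2, cookie=bytes.fromhex("0011223344556677")):
    """Encapsulate one OSPF Hello and report both vantage points.
    Outer loopback addresses, session ID and 8-byte cookie are assumptions."""
    frame = ospf_hello_frame()
    pkt = l2tpv3_encap("192.0.2.1", "192.0.2.2", session_id, cookie, frame)
    sid, got_cookie, inner = l2tpv3_decap(pkt, len(cookie))
    return {
        "outer_proto": acl_visible_protocol(pkt),
        "inner_proto": inner_protocol(inner)[1],
        "roundtrip_ok": sid == session_id and got_cookie == cookie and inner == frame,
    }


if __name__ == "__main__":
    r = demo()
    print(f"core-side IPv4 ACL sees protocol {r['outer_proto']} (L2TPv3); "
          f"decapsulated frame carries protocol {r['inner_proto']} (OSPF)")
```

The model makes the mismatch concrete: every entry in keep-stuff-local tests fields that live inside the encapsulated frame, and nothing in the forwarding path between FastEthernet0/1 and the far-end loopback evaluates those fields. Filtering control-plane protocols across the pseudowire therefore needs either a filter that operates on the raw frame before it is encapsulated, or filtering after decapsulation at the far end.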