[c-nsp] does PBR apply to traffic from connected interfaces to router itself?
Tassos Chatzithomaoglou
achatz at forthnet.gr
Mon Oct 5 15:49:45 EDT 2009
I'm doing some tests and I have a case where a vpdn user is able to send snmp requests to
the router's loopback where he's connected, although I have a route-map under his
vtemplate sending all snmp to null0. I have verified that snmp cannot go outside of the router
(so the route-map is indeed working), but I had the impression that he shouldn't be able to
snmp anybody, including the router itself.
There is a trick, because the vtemplate is using the Loopback's ip, but I don't know if that's the
reason snmp is allowed to "bypass" the route-map.
ip access-list extended SNMP-ACL
 permit udp any any eq snmp
route-map TEST-ROUTEMAP permit 10
 match ip address SNMP-ACL
 set interface Null0
interface Virtual-Template1
 ip unnumbered Loopback0
 ip policy route-map TEST-ROUTEMAP
Router is a 7200 running 12.2(31)SB14.
I'm going to repeat the test using icmp, but it seems quite strange until now.
PS1: Local PBR is used for router generated traffic (router=src), so it shouldn't have
any effect in my case.
PS2: I know there are other ways to stop snmp traffic from reaching the router or to
block snmp traffic leaving an interface, but that's not my issue right now.
--
Tassos
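As an added illustration (not part of Tassos's post or of any Cisco tool), the Python model below parses the quoted IOS configuration and evaluates sample flows against the ACL and route-map, showing which clause each flow hits on paper. The addresses (10.0.0.2 for the vpdn user, 192.0.2.1 for the loopback, 198.51.100.7 as an outside host) and the table of port keywords are constructed assumptions; the post gives neither. The model covers only what the route-map matches and makes no claim about how IOS treats PBR for packets addressed to the router's own interfaces, which is the question the post leaves open.

```python
"""Constructed model of the PBR configuration quoted in the post: parse the IOS
snippet, then evaluate which flows the route-map matches. Only ACL/route-map
matching is modelled, not how IOS handles PBR for packets addressed to itself."""
import ipaddress
import re
from collections import namedtuple
from typing import List, Optional

# The configuration quoted in the post (IOS indents sub-commands by one space).
IOS_CONFIG = """
ip access-list extended SNMP-ACL
 permit udp any any eq snmp
route-map TEST-ROUTEMAP permit 10
 match ip address SNMP-ACL
 set interface Null0
interface Virtual-Template1
 ip unnumbered Loopback0
 ip policy route-map TEST-ROUTEMAP
"""
PORT_NAMES = {"snmp": 161, "snmptrap": 162, "domain": 53}  # assumed subset of IOS 'eq' keywords

# One ACL entry: action permit/deny, proto udp/tcp/icmp/ip, src/dst networks, dport or None (any).
AclEntry = namedtuple("AclEntry", "action proto src dst dport")


def _parse_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one ACL address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = ~int(ipaddress.ip_address(tokens.pop(0))) & 0xFFFFFFFF  # wildcard = inverted netmask
    return ipaddress.ip_network(f"{tok}/{ipaddress.ip_address(mask)}", strict=False)


def parse_config(text: str) -> dict:
    """Return {'acls': name -> [AclEntry], 'route_maps': name -> [clause dict],
    'interfaces': name -> {'unnumbered', 'policy'}}."""
    cfg = {"acls": {}, "route_maps": {}, "interfaces": {}}
    section = None  # (kind, name) of the indented block being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):  # a top-level command opens a new block
            if m := re.match(r"ip access-list extended (\S+)$", line):
                cfg["acls"].setdefault(m.group(1), [])
                section = ("acl", m.group(1))
            elif m := re.match(r"route-map (\S+) (permit|deny) \d+$", line):
                cfg["route_maps"].setdefault(m.group(1), []).append({"action": m.group(2)})
                section = ("rm", m.group(1))
            elif m := re.match(r"interface (\S+)$", line):
                cfg["interfaces"][m.group(1)] = {"unnumbered": None, "policy": None}
                section = ("if", m.group(1))
            else:
                section = None
            continue
        kind, name = section or ("", "")
        tok = line.split()
        if kind == "acl":
            rest = tok[2:]
            src, dst = _parse_addr(rest), _parse_addr(rest)
            dport = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
            cfg["acls"][name].append(AclEntry(tok[0], tok[1], src, dst, dport))
        elif kind == "rm" and tok[:3] == ["match", "ip", "address"]:
            cfg["route_maps"][name][-1]["match_acl"] = tok[3]
        elif kind == "rm" and tok[:2] == ["set", "interface"]:
            cfg["route_maps"][name][-1]["set_interface"] = tok[2]
        elif kind == "if" and tok[:2] == ["ip", "unnumbered"]:
            cfg["interfaces"][name]["unnumbered"] = tok[2]
        elif kind == "if" and tok[:3] == ["ip", "policy", "route-map"]:
            cfg["interfaces"][name]["policy"] = tok[3]
    return cfg


def acl_permits(entries, proto, src, dst, dport) -> bool:
    """First-match evaluation with the implicit deny at the end of every IOS ACL."""
    for e in entries:
        if (e.proto in (proto, "ip") and ipaddress.ip_address(src) in e.src
                and ipaddress.ip_address(dst) in e.dst and e.dport in (None, dport)):
            return e.action == "permit"
    return False


def pbr_action(cfg, ingress_if, proto, src, dst, dport=None) -> Optional[str]:
    """'set interface' target the policy on ingress_if selects for the flow, or
    None when the flow falls through to ordinary routing."""
    policy = cfg["interfaces"][ingress_if]["policy"]
    for clause in cfg["route_maps"].get(policy, []):
        if clause.get("match_acl") and acl_permits(cfg["acls"][clause["match_acl"]], proto, src, dst, dport):
            return clause.get("set_interface") if clause["action"] == "permit" else None
    return None


if __name__ == "__main__":
    cfg = parse_config(IOS_CONFIG)
    vt = cfg["interfaces"]["Virtual-Template1"]
    print(f"Virtual-Template1: policy {vt['policy']}, address borrowed from {vt['unnumbered']}")
    # Constructed addresses: the post gives neither the loopback nor the user IP.
    for label, proto, port in [("SNMP to loopback", "udp", 161), ("ICMP to loopback", "icmp", None)]:
        action = pbr_action(cfg, "Virtual-Template1", proto, "10.0.0.2", "192.0.2.1", port)
        print(f"{label}: {action or 'normal routing'}")
```

On paper the model sends SNMP to the loopback into the Null0 clause exactly as it does SNMP to an outside host, which is why the observed behaviour is surprising; the gap between this paper evaluation and what the 7200 actually did is the question the post asks. The same parser also reports that the Virtual-Template borrows its address from Loopback0, the detail the post suspects is involved.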