[c-nsp] ip access list rfc1918 help please
Mike
mike-cisconsplist at tiedyenetworks.com
Sat Jun 23 17:42:04 EDT 2012
Howdy,
I am trying to filter out RFC1918 addresses as either source or
destination addresses for my PPPoE connected subscribers. Each
subscriber has a RADIUS item 'Filter-Id' with the name of a filter, with
the majority being 'customer_filter1', and it seems that although this
is in fact being applied to the virtual-access interfaces per customer,
it doesn't work as I expect since I can clearly see traffic from
customer -> RFC1918 address space still being forwarded.
Here's a sample 'sh ip interface' showing the filter being applied:
c7201-bras#sh ip interface virtual-access 190
Virtual-Access190 is up, line protocol is up
  Interface is unnumbered. Using address of Loopback0 (x.x.x.x)
  Broadcast address is 255.255.255.255
  Peer address is y.y.y.y
  MTU is 1492 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is customer_filter1
  Inbound access list is not set
etc, etc
Here is the filter itself:
ip access-list extended customer_filter1
 deny ip host 0.0.0.0 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 192.0.2.0 0.0.0.255 any
 deny ip 224.0.0.0 31.255.255.255 any
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip any host 0.0.0.0
 deny ip any 127.0.0.0 0.255.255.255
 deny ip any 192.0.2.0 0.0.0.255
 deny ip any 224.0.0.0 31.255.255.255
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 192.168.0.0 0.0.255.255
 permit ip any any
Any ideas?
Mike-
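
Added example, not part of the original post: a small Python evaluator for the wildcard-mask entries of customer_filter1, combined with the ACL binding shown in the 'sh ip interface' output (outgoing set, inbound not set). The subscriber address 198.51.100.10, the test destinations, and the function names are constructed for illustration; "in" means packets received from the subscriber on the Virtual-Access interface and "out" means packets sent toward the subscriber.

```python
from ipaddress import IPv4Address

# Entries copied from customer_filter1 in the post above.
ACL = """\
deny ip host 0.0.0.0 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 224.0.0.0 31.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip any host 0.0.0.0
deny ip any 127.0.0.0 0.255.255.255
deny ip any 192.0.2.0 0.0.0.255
deny ip any 224.0.0.0 31.255.255.255
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
"""

def _spec(tok):
    """Consume one address spec from tok; return (base, wildcard) as integers."""
    word = tok.pop(0)
    if word == "any":
        return 0, 0xFFFFFFFF
    if word == "host":
        return int(IPv4Address(tok.pop(0))), 0
    return int(IPv4Address(word)), int(IPv4Address(tok.pop(0)))

def parse_line(line):
    action, _proto, *tok = line.split()
    return action, _spec(tok), _spec(tok)
RULES = [parse_line(l) for l in ACL.splitlines()]

def _match(addr, spec):
    # Wildcard bits set to 1 are "don't care"; all other bits must equal the base.
    return (int(IPv4Address(addr)) | spec[1]) == (spec[0] | spec[1])

def evaluate(src, dst, rules=RULES):
    """First matching entry wins; running off the end is the implicit deny."""
    for action, s, d in rules:
        if _match(src, s) and _match(dst, d):
            return action
    return "deny"

def forwarded(bound, direction, src, dst):
    """bound: directions ('in'/'out') with the ACL attached; others are unfiltered."""
    return direction not in bound or evaluate(src, dst) == "permit"
```

With the binding from the interface output, `forwarded({"out"}, "in", "198.51.100.10", "10.1.2.3")` is True even though `evaluate("198.51.100.10", "10.1.2.3")` is "deny": the entries match RFC1918 destinations, but the list is only consulted for packets leaving the interface toward the subscriber.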