[c-nsp] ip access list rfc1918 help please

Mike mike-cisconsplist at tiedyenetworks.com
Sat Jun 23 17:42:04 EDT 2012


Howdy,

I am trying to filter out RFC 1918 addresses as either source or 
destination addresses for my PPPoE-connected subscribers. Each 
subscriber has a RADIUS item 'Filter-Id' with the name of a filter, with 
the majority being 'customer_filter1', and it seems that although this 
is in fact being applied to the virtual-access interfaces per customer, 
it doesn't work as I expect since I can clearly see traffic from 
customer -> RFC 1918 address space still being forwarded.

Here's a sample 'sh ip interface' showing the filter being applied:


c7201-bras#sh ip interface virtual-access 190
Virtual-Access190 is up, line protocol is up
   Interface is unnumbered. Using address of Loopback0 (x.x.x.x)
   Broadcast address is 255.255.255.255
   Peer address is y.y.y.y
   MTU is 1492 bytes
   Helper address is not set
   Directed broadcast forwarding is disabled
   Outgoing access list is customer_filter1
   Inbound  access list is not set

etc, etc

Here is the filter itself:

ip access-list extended customer_filter1
  deny   ip host 0.0.0.0 any
  deny   ip 127.0.0.0 0.255.255.255 any
  deny   ip 192.0.2.0 0.0.0.255 any
  deny   ip 224.0.0.0 31.255.255.255 any
  deny   ip 10.0.0.0 0.255.255.255 any
  deny   ip 172.16.0.0 0.15.255.255 any
  deny   ip 192.168.0.0 0.0.255.255 any
  deny   ip any host 0.0.0.0
  deny   ip any 127.0.0.0 0.255.255.255
  deny   ip any 192.0.2.0 0.0.0.255
  deny   ip any 224.0.0.0 31.255.255.255
  deny   ip any 10.0.0.0 0.255.255.255
  deny   ip any 172.16.0.0 0.15.255.255
  deny   ip any 192.168.0.0 0.0.255.255
  permit ip any any

Any ideas?

Mike-
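
Added example, not part of the original post: a small Python model of IOS first-match wildcard evaluation for the customer_filter1 entries, combined with the binding shown in the 'sh ip interface' output (outgoing list set, inbound not set). The function names, the `bound` parameter and the subscriber address 203.0.113.10 are constructed for illustration.

```python
import ipaddress

# The seven address specs of customer_filter1, in the post's order.
BLOCKS = ["host 0.0.0.0", "127.0.0.0 0.255.255.255", "192.0.2.0 0.0.0.255",
          "224.0.0.0 31.255.255.255", "10.0.0.0 0.255.255.255",
          "172.16.0.0 0.15.255.255", "192.168.0.0 0.0.255.255"]
# The ACL denies each spec as source, then as destination, then permits the rest.
ACL_LINES = ([f"deny ip {b} any" for b in BLOCKS]
             + [f"deny ip any {b}" for b in BLOCKS] + ["permit ip any any"])

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _spec(tok):
    """Consume one address spec; return (base, wildcard) as integers."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return _ip(tok.pop(0)), 0
    return _ip(first), _ip(tok.pop(0))

def parse(lines):
    """Turn 'action ip <src> <dst>' lines into (action, src_spec, dst_spec)."""
    rules = []
    for line in lines:
        action, _proto, *tok = line.split()
        rules.append((action, _spec(tok), _spec(tok)))
    return rules

def acl_verdict(rules, src, dst):
    """First matching entry wins; wildcard bits set to 1 are ignored."""
    for action, (sb, sw), (db, dw) in rules:
        if (_ip(src) | sw) == (sb | sw) and (_ip(dst) | dw) == (db | dw):
            return action
    return "deny"  # implicit deny that ends every IOS ACL

def interface_verdict(rules, direction, src, dst, bound=("out",)):
    """direction 'in': packet from the subscriber; 'out': packet toward the subscriber.
    bound defaults to the post's output: outgoing list set, inbound not set."""
    if direction not in bound:
        return "permit"  # no ACL is consulted in this direction
    return acl_verdict(rules, src, dst)

RULES = parse(ACL_LINES)
```

In this model a packet from 203.0.113.10 to 10.1.1.1 is denied by the list itself, yet permitted on the interface because it arrives in the inbound direction, where no list is bound.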

