[c-nsp] ip access list rfc1918 help please

Randy randy_94108 at yahoo.com
Sat Jun 23 18:37:12 EDT 2012


--- On Sat, 6/23/12, Mike <mike-cisconsplist at tiedyenetworks.com> wrote:

> From: Mike <mike-cisconsplist at tiedyenetworks.com>
> Subject: [c-nsp] ip access list rfc1918 help please
> To: "'Cisco-nsp'" <cisco-nsp at puck.nether.net>
> Date: Saturday, June 23, 2012, 2:42 PM
> 
> Howdy,
> 
>     I am trying to filter out rfc1918
> addresses as either source or destination addresses for my
> pppoe connected subscribers. Each subscriber has a radius
> item 'Filter-Id' with the name of a filter, with the
> majority being 'customer_filter1', and it seems that
> although this is in fact being applied to the virtual-access
> interfaces per customer, it doesn't work as I expect since I
> can clearly see traffic from customer -> rfc1918 address
> space still being forwarded.
> 
> Here's a sample 'sh ip interface' showing the filter being
> applied:
> 
> 
> c7201-bras#sh ip interface virtual-access 190
> Virtual-Access190 is up, line protocol is up
>   Interface is unnumbered. Using address of Loopback0
> (x.x.x.x)
>   Broadcast address is 255.255.255.255
>   Peer address is y.y.y.y
>   MTU is 1492 bytes
>   Helper address is not set
>   Directed broadcast forwarding is disabled
>   Outgoing access list is customer_filter1
>   Inbound  access list is not set
> 
> etc, etc
> 
> Here is the filter itself:
> 
> ip access-list extended customer_filter1
>  deny   ip host 0.0.0.0 any
>  deny   ip 127.0.0.0 0.255.255.255 any
>  deny   ip 192.0.2.0 0.0.0.255 any
>  deny   ip 224.0.0.0 31.255.255.255 any
>  deny   ip 10.0.0.0 0.255.255.255 any
>  deny   ip 172.16.0.0 0.15.255.255 any
>  deny   ip 192.168.0.0 0.0.255.255 any
>  deny   ip any host 0.0.0.0
>  deny   ip any 127.0.0.0 0.255.255.255
>  deny   ip any 192.0.2.0 0.0.0.255
>  deny   ip any 224.0.0.0 31.255.255.255
>  deny   ip any 10.0.0.0 0.255.255.255
>  deny   ip any 172.16.0.0 0.15.255.255
>  deny   ip any 192.168.0.0 0.0.255.255
>  permit ip any any
> 
> Any ideas?
> 
> Mike-


customer-TO-rfc1918 is INBOUND on virtual-access 190
You have an outbound acl applied. In that regard, I would say it is "working as expected".
./Randy
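To make the direction point concrete, here is an added example (not from the thread, not IOS code) that models how an IOS extended ACL with wildcard masks is evaluated and in which direction it is bound on a virtual-access interface; the ACE text is Mike's filter, while the subscriber and destination addresses are constructed.

```python
from ipaddress import IPv4Address
# The subscriber ACL as posted in the thread; ACE order matters because first match wins.
CUSTOMER_FILTER1 = """
deny   ip host 0.0.0.0 any
deny   ip 127.0.0.0 0.255.255.255 any
deny   ip 192.0.2.0 0.0.0.255 any
deny   ip 224.0.0.0 31.255.255.255 any
deny   ip 10.0.0.0 0.255.255.255 any
deny   ip 172.16.0.0 0.15.255.255 any
deny   ip 192.168.0.0 0.0.255.255 any
deny   ip any host 0.0.0.0
deny   ip any 127.0.0.0 0.255.255.255
deny   ip any 192.0.2.0 0.0.0.255
deny   ip any 224.0.0.0 31.255.255.255
deny   ip any 10.0.0.0 0.255.255.255
deny   ip any 172.16.0.0 0.15.255.255
deny   ip any 192.168.0.0 0.0.255.255
permit ip any any
"""
def _addr(tokens):
    # One address spec: 'any' | 'host A' | 'A WILDCARD' -> ((base, wildcard), remaining tokens)
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(IPv4Address(tokens[1])), 0), tokens[2:]
    return (int(IPv4Address(tokens[0])), int(IPv4Address(tokens[1]))), tokens[2:]
def parse_acl(text):
    aces = []
    for line in text.strip().splitlines():
        action, _proto, *rest = line.split()  # protocol is always 'ip' in this ACL
        src, rest = _addr(rest)
        aces.append((action, src, _addr(rest)[0]))
    return aces
def _match(addr, spec):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # a 1 bit in a Cisco wildcard means "don't care"
    return (int(IPv4Address(addr)) & care) == (base & care)
def acl_action(aces, src, dst):
    for action, s, d in aces:
        if _match(src, s) and _match(dst, d):
            return action
    return "deny"  # implicit deny at the end of every IOS ACL
def forwarded(aces, applied, direction, src, dst):
    # applied: directions the ACL is bound to on the interface; direction: 'in' = packet sent
    # by the subscriber (enters the interface), 'out' = packet delivered to it (leaves it).
    if direction not in applied:
        return True  # nothing is checked in that direction
    return acl_action(aces, src, dst) == "permit"
```

With the ACL bound only outbound (as in the `sh ip interface` output), a subscriber packet to 10.1.2.3 enters the interface inbound and is never checked, which is exactly the leak Mike observed; binding the same ACL inbound stops it.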


