[c-nsp] ip access list rfc1918 help please

Kevin Graham kgraham at industrial-marshmallow.com
Sun Jun 24 13:30:54 EDT 2012


Do you need to do this via ACLs? For the inbound case, strict unicast RPF would handle this (and more) implicitly. For the outbound, do you have any 1918 routes? If not, just add statics to Null0.

[sent from my mobile]

On Jun 23, 2012, at 3:37 PM, Randy <randy_94108 at yahoo.com> wrote:

> --- On Sat, 6/23/12, Mike <mike-cisconsplist at tiedyenetworks.com> wrote:
> 
>> From: Mike <mike-cisconsplist at tiedyenetworks.com>
>> Subject: [c-nsp] ip access list rfc1918 help please
>> To: "'Cisco-nsp'" <cisco-nsp at puck.nether.net>
>> Date: Saturday, June 23, 2012, 2:42 PM
>> 
>> Howdy,
>> 
>>     I am trying to filter out rfc1918
>> addresses as either source or destination addresses for my
>> pppoe connected subscribers. Each subscriber has a radius
>> item 'Filter-Id' with the name of a filter, with the
>> majority being 'customer_filter1', and it seems that
>> although this is in fact being applied to the virtual-access
>> interfaces per customer, it doesn't work as I expect since I
>> can clearly see traffic from customer -> rfc1918 address
>> space still being forwarded.
>> 
>> Here's a sample 'sh ip interface' showing the filter being
>> applied:
>> 
>> 
>> c7201-bras#sh ip interface virtual-access 190
>> Virtual-Access190 is up, line protocol is up
>>   Interface is unnumbered. Using address of Loopback0
>> (x.x.x.x)
>>   Broadcast address is 255.255.255.255
>>   Peer address is y.y.y.y
>>   MTU is 1492 bytes
>>   Helper address is not set
>>   Directed broadcast forwarding is disabled
>>   Outgoing access list is customer_filter1
>>   Inbound  access list is not set
>> 
>> etc, etc
>> 
>> Here is the filter itself:
>> 
>> ip access-list extended customer_filter1
>> deny   ip host 0.0.0.0 any
>> deny   ip 127.0.0.0 0.255.255.255 any
>> deny   ip 192.0.2.0 0.0.0.255 any
>> deny   ip 224.0.0.0 31.255.255.255 any
>> deny   ip 10.0.0.0 0.255.255.255 any
>> deny   ip 172.16.0.0 0.15.255.255 any
>> deny   ip 192.168.0.0 0.0.255.255 any
>> deny   ip any host 0.0.0.0
>> deny   ip any 127.0.0.0 0.255.255.255
>> deny   ip any 192.0.2.0 0.0.0.255
>> deny   ip any 224.0.0.0 31.255.255.255
>> deny   ip any 10.0.0.0 0.255.255.255
>> deny   ip any 172.16.0.0 0.15.255.255
>> deny   ip any 192.168.0.0 0.0.255.255
>> permit ip any any
>> 
>> Any ideas?
>> 
>> Mike-
> 
> 
> customer-TO-rfc1918 is INBOUND on virtual-access 190
> You have an outbound acl applied. In that regard, I would say it is "working as expected".
> ./Randy
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
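As an added illustration (not code from the thread or from Cisco), the Python model below parses customer_filter1 exactly as Mike posted it, evaluates packets against it with IOS first-match wildcard semantics, and shows Randy's point: an ACL bound outbound on the virtual-access interface is never consulted for packets arriving from the subscriber, so customer -> RFC 1918 traffic passes until the same list is also applied inbound. The interface and direction handling is a simplified simulation, not IOS code.

```python
import ipaddress
# The ACL exactly as posted in the thread; IOS evaluates entries top-down, first match wins.
CUSTOMER_FILTER1 = """\
deny   ip host 0.0.0.0 any
deny   ip 127.0.0.0 0.255.255.255 any
deny   ip 192.0.2.0 0.0.0.255 any
deny   ip 224.0.0.0 31.255.255.255 any
deny   ip 10.0.0.0 0.255.255.255 any
deny   ip 172.16.0.0 0.15.255.255 any
deny   ip 192.168.0.0 0.0.255.255 any
deny   ip any host 0.0.0.0
deny   ip any 127.0.0.0 0.255.255.255
deny   ip any 192.0.2.0 0.0.0.255
deny   ip any 224.0.0.0 31.255.255.255
deny   ip any 10.0.0.0 0.255.255.255
deny   ip any 172.16.0.0 0.15.255.255
deny   ip any 192.168.0.0 0.0.255.255
permit ip any any
"""

def _addr(tokens):
    """Consume one IOS address spec (any | host A.B.C.D | NET WILDCARD) -> (net, wildcard, rest)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0, tokens[2:]
    return int(ipaddress.IPv4Address(tokens[0])), int(ipaddress.IPv4Address(tokens[1])), tokens[2:]

def parse_acl(text):
    entries = []
    for line in text.strip().splitlines():
        action, _proto, *rest = line.split()  # every entry here is protocol 'ip'
        src, swild, rest = _addr(rest)
        dst, dwild, _ = _addr(rest)
        entries.append((action, src, swild, dst, dwild))
    return entries

def evaluate(entries, src, dst):
    """Run one packet through the ACL; wildcard bits set to 1 are 'don't care'."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for action, ns, ws, nd, wd in entries:
        if (s | ws) == (ns | ws) and (d | wd) == (nd | wd):
            return action
    return "deny"  # implicit deny at the end of every IOS ACL

def forwarding_decision(entries, bound, packet_dir, src, dst):
    """bound: ACL direction ('in'/'out'); packet_dir: 'in' = from subscriber, 'out' = toward subscriber."""
    if bound != packet_dir:
        return "permit"  # ACL never consulted: Mike's outbound ACL vs. customer-sourced traffic
    return evaluate(entries, src, dst)
```

On IOS a RADIUS Filter-Id value carries its direction as a .in or .out suffix on the ACL name; with no suffix the list is applied outbound, which is what the "Outgoing access list is customer_filter1" line in Mike's output reflects.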


