[c-nsp] ip access list rfc1918 help please

Ivan cisco-nsp at itpro.co.nz
Mon Jun 25 02:49:30 EDT 2012


Hi

It is probably also worth looking at RFC5735 for other IP addresses that 
could be filtered.

Ivan

On 24/Jun/2012 10:37 a.m., Randy wrote:
> --- On Sat, 6/23/12, Mike <mike-cisconsplist at tiedyenetworks.com> wrote:
>
>> From: Mike <mike-cisconsplist at tiedyenetworks.com>
>> Subject: [c-nsp] ip access list rfc1918 help please
>> To: "'Cisco-nsp'" <cisco-nsp at puck.nether.net>
>> Date: Saturday, June 23, 2012, 2:42 PM
>>
>> Howdy,
>>
>>      I am trying to filter out rfc1918
>> addresses as either source or destination addresses for my
>> pppoe connected subscribers. Each subscriber has a radius
>> item 'Filter-Id' with the name of a filter, with the
>> majority being 'customer_filter1', and it seems that
>> although this is in fact being applied to the virtual-access
>> interfaces per customer, it doesn't work as I expect since I
>> can clearly see traffic from customer -> rfc1918 address
>> space still being forwarded.
>>
>> Here's a sample 'sh ip interface" showing the filter being
>> applied:
>>
>>
>> c7201-bras#sh ip interface virtual-access 190
>> Virtual-Access190 is up, line protocol is up
>>    Interface is unnumbered. Using address of Loopback0
>> (x.x.x.x)
>>    Broadcast address is 255.255.255.255
>>    Peer address is y.y.y.y
>>    MTU is 1492 bytes
>>    Helper address is not set
>>    Directed broadcast forwarding is disabled
>>    Outgoing access list is customer_filter1
>>    Inbound  access list is not set
>>
>> etc, etc
>>
>> Here is the filter itself:
>>
>> ip access-list extended customer_filter1
>>   deny   ip host 0.0.0.0 any
>>   deny   ip 127.0.0.0 0.255.255.255 any
>>   deny   ip 192.0.2.0 0.0.0.255 any
>>   deny   ip 224.0.0.0 31.255.255.255 any
>>   deny   ip 10.0.0.0 0.255.255.255 any
>>   deny   ip 172.16.0.0 0.15.255.255 any
>>   deny   ip 192.168.0.0 0.0.255.255 any
>>   deny   ip any host 0.0.0.0
>>   deny   ip any 127.0.0.0 0.255.255.255
>>   deny   ip any 192.0.2.0 0.0.0.255
>>   deny   ip any 224.0.0.0 31.255.255.255
>>   deny   ip any 10.0.0.0 0.255.255.255
>>   deny   ip any 172.16.0.0 0.15.255.255
>>   deny   ip any 192.168.0.0 0.0.255.255
>>   permit ip any any
>>
>> Any ideas?
>>
>> Mike-
>
>
> customer-TO-rfc1918 is INBOUND on virtual-access 190
> You have an outbound acl applied. In that regard, I would say it is "working as expected".
> ./Randy
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

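Added example (not from this thread or from any of its posters): a small Python model of Cisco ACL matching that reproduces Randy's point about direction and Ivan's point about RFC5735. The ACL text is Mike's `customer_filter1` as quoted above; the subscriber and remote addresses are constructed placeholders in documentation ranges, and the RFC5735 block list is the table from that RFC. The interface model assumes, as on a real virtual-access interface, that packets sent by the subscriber are checked only against the inbound ACL and packets sent to the subscriber only against the outbound one.

```python
import ipaddress

# Mike's ACL as quoted in the thread, used here as sample input.
CUSTOMER_FILTER1 = """
ip access-list extended customer_filter1
  deny   ip host 0.0.0.0 any
  deny   ip 127.0.0.0 0.255.255.255 any
  deny   ip 192.0.2.0 0.0.0.255 any
  deny   ip 224.0.0.0 31.255.255.255 any
  deny   ip 10.0.0.0 0.255.255.255 any
  deny   ip 172.16.0.0 0.15.255.255 any
  deny   ip 192.168.0.0 0.0.255.255 any
  deny   ip any host 0.0.0.0
  deny   ip any 127.0.0.0 0.255.255.255
  deny   ip any 192.0.2.0 0.0.0.255
  deny   ip any 224.0.0.0 31.255.255.255
  deny   ip any 10.0.0.0 0.255.255.255
  deny   ip any 172.16.0.0 0.15.255.255
  deny   ip any 192.168.0.0 0.0.255.255
  permit ip any any
"""

ANY = (0, 0xFFFFFFFF)  # (network, wildcard): every wildcard bit set = don't care

def _parse_addr(tokens):
    """Consume one 'any' / 'host A' / 'A WILDCARD' term; return ((net, wild), rest)."""
    kw = tokens[0]
    if kw == "any":
        return ANY, tokens[1:]
    if kw == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    return (int(ipaddress.IPv4Address(kw)), int(ipaddress.IPv4Address(tokens[1]))), tokens[2:]

def parse_acl(text):
    """Parse 'permit|deny ip <src> <dst>' lines (protocol 'ip' only) into (action, src, dst)."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] == "ip":          # skip the 'ip access-list ...' header line
            continue
        src, rest = _parse_addr(t[2:])
        dst, _ = _parse_addr(rest)
        entries.append((t[0], src, dst))
    return entries

def _term_matches(term, addr):
    """Cisco wildcard match: all 'care' bits (wildcard bit 0) must agree."""
    net, wild = term
    return ((addr ^ net) & ~wild & 0xFFFFFFFF) == 0

def evaluate(acl, src, dst):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for action, sterm, dterm in acl:
        if _term_matches(sterm, s) and _term_matches(dterm, d):
            return action
    return "deny"

class VirtualAccess:
    """Subscriber-facing interface: subscriber -> network is inbound, network -> subscriber is outbound."""
    def __init__(self, peer, inbound=None, outbound=None):
        self.peer, self.inbound, self.outbound = peer, inbound, outbound

    def forward(self, src, dst):
        acl = self.inbound if src == self.peer else self.outbound
        return "permit" if acl is None else evaluate(acl, src, dst)

def demo():
    acl = parse_acl(CUSTOMER_FILTER1)
    sub = "198.51.100.7"      # constructed placeholder for the subscriber's y.y.y.y
    as_configured = VirtualAccess(sub, outbound=acl)              # Mike's setup: outbound only
    both_ways = VirtualAccess(sub, inbound=acl, outbound=acl)     # same ACL applied inbound too
    return {
        "out_only_cust_to_rfc1918": as_configured.forward(sub, "10.1.2.3"),  # no inbound ACL: forwarded
        "out_only_rfc1918_to_cust": as_configured.forward("10.1.2.3", sub),  # outbound ACL: dropped
        "both_cust_to_rfc1918": both_ways.forward(sub, "10.1.2.3"),          # inbound ACL: dropped
        "both_cust_to_public": both_ways.forward(sub, "203.0.113.9"),        # constructed public dst
    }

# Special-use IPv4 blocks tabulated in RFC 5735, section 4.
RFC5735_SPECIAL = [
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.0.0.0/24", "192.0.2.0/24", "192.88.99.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4",
    "240.0.0.0/4", "255.255.255.255/32",
]

def _term_covers(term, prefix):
    """True if every address in `prefix` matches the term (care bits lie inside the prefix bits and agree)."""
    net, wild = term
    care = ~wild & 0xFFFFFFFF
    pnet, pmask = int(prefix.network_address), int(prefix.netmask)
    return (care & ~pmask & 0xFFFFFFFF) == 0 and (pnet & care) == (net & care)

def uncovered_rfc5735_sources(acl):
    """RFC 5735 blocks that no 'deny ip <src> any' entry fully blocks as a source address."""
    denies = [src for action, src, dst in acl if action == "deny" and dst == ANY]
    return [p for p in RFC5735_SPECIAL
            if not any(_term_covers(t, ipaddress.ip_network(p)) for t in denies)]

if __name__ == "__main__":
    print(demo())
    print("RFC5735 sources not blocked:", uncovered_rfc5735_sources(parse_acl(CUSTOMER_FILTER1)))
```

Running it shows the subscriber-to-10.0.0.0/8 packet being forwarded while only an outbound ACL is present, and being dropped once the same list is applied inbound. The coverage check also reports that `host 0.0.0.0` leaves the rest of 0.0.0.0/8 open and that the link-local, 6to4 anycast, benchmarking and documentation blocks from RFC5735 are not in the list at all; the `224.0.0.0 31.255.255.255` line already spans 224/4, 240/4 and the limited broadcast address.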