This is a thread in which Brian Dennis answers the question of why an outbound ACL does not filter packets sourced from the local router.
You need to create a local policy and route all packets you want affected by the outbound ACL (i.e. outbound E0/0) out of a loopback interface first. Not a pretty solution but it is a solution. See example below:
Rack1R1#wr t
<snip>
!
hostname Rack1R1
!
interface Loopback0
ip address 10.11.11.11 255.255.255.255
!
interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0
ip access-group 100 out
no ip route-cache
!
ip local policy route-map OutACL
!
access-list 1 permit any
access-list 100 deny ip any any
route-map OutACL permit 10
match ip address 1
set interface Loopback0
!
<snip>
end
Rack1R1#sho ip rout
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C 10.11.11.11/32 is directly connected, Loopback0
C 10.1.1.0/24 is directly connected, Ethernet0/0
R 10.22.22.22/32 [120/1] via 10.1.1.2, 00:00:14, Ethernet0/0
Rack1R1#ping 10.22.22.22
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.22.22.22, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
Rack1R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rack1R1(config)#no ip local policy route-map OutACL
Rack1R1(config)#^Z
Rack1R1#ping 10.22.22.22
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.22.22.22, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
Rack1R1#
Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
Director of CCIE Training and Development -
IPexpert, Inc.
Mailto: brian@ipexpert.net
Toll Free: 866.225.8064
Outside U.S. & Canada: 312.321.6924
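The following is an added illustration, not part of Brian's mail or of any IOS code: a small Python model of the forwarding decision the thread is about. It reproduces Rack1R1's topology (ACL 100 "deny ip any any" outbound on Ethernet0/0, access-list 1 "permit any", route-map OutACL setting Loopback0) and shows why a router-sourced ping bypasses the outbound ACL, why a transit packet never does, and how "ip local policy" plus a loopback egress changes the outcome. The treatment of the loopback is a modelling assumption: a packet handed to Loopback0 is re-injected and thereafter processed as a transit packet, so the outbound ACL on the real egress is finally evaluated. The practical point for anyone auditing a router is that an outbound interface ACL is not a control on the router's own traffic unless something like this local policy is in place.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard-mask comparison: a 1 bit in the mask means 'don't care'."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)


@dataclass
class AclEntry:
    action: str                         # "permit" or "deny"
    src: str = "0.0.0.0"                # "any" == 0.0.0.0 255.255.255.255
    src_wc: str = "255.255.255.255"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"


def acl_permits(entries: List[AclEntry], src: str, dst: str) -> bool:
    """First matching entry wins; no match is the implicit deny at the end of every IOS ACL."""
    for e in entries:
        if wildcard_match(src, e.src, e.src_wc) and wildcard_match(dst, e.dst, e.dst_wc):
            return e.action == "permit"
    return False


@dataclass
class Packet:
    src: str
    dst: str
    locally_originated: bool            # True for a ping or OSPF hello the router itself sends


@dataclass
class Router:
    routes: Dict[str, str]              # prefix -> egress interface
    out_acl: Dict[str, List[AclEntry]]  # interface -> ACL applied with "ip access-group ... out"
    local_policy: Optional[dict] = None # {"match": [AclEntry, ...], "set_interface": "Loopback0"}
    trace: List[str] = field(default_factory=list)

    def egress_for(self, dst: str) -> Optional[str]:
        """Longest-prefix match over the routing table; None when there is no route."""
        addr = IPv4Address(dst)
        candidates = [IPv4Network(p) for p in self.routes if addr in IPv4Network(p)]
        if not candidates:
            return None
        return self.routes[str(max(candidates, key=lambda n: n.prefixlen))]

    def forward(self, pkt: Packet) -> str:
        # "ip local policy" is consulted only for packets the router generates itself.
        pol = self.local_policy
        if pkt.locally_originated and pol and acl_permits(pol["match"], pkt.src, pkt.dst):
            self.trace.append(f"local policy: set interface {pol['set_interface']}")
            # Modelling assumption: a loopback egress hands the packet back to the
            # input path, so from here on it is processed like a transit packet.
            pkt = Packet(pkt.src, pkt.dst, locally_originated=False)
        egress = self.egress_for(pkt.dst)
        if egress is None:
            return "dropped: no route"
        if pkt.locally_originated:
            # The behaviour the thread is about: outbound ACLs are not evaluated
            # for traffic sourced by the router.
            return f"sent via {egress} (outbound ACL bypassed: router-sourced)"
        acl = self.out_acl.get(egress)
        if acl is not None and not acl_permits(acl, pkt.src, pkt.dst):
            return f"dropped by outbound ACL on {egress}"
        return f"sent via {egress}"


def rack1r1(with_local_policy: bool) -> Router:
    """Rack1R1 as shown in the thread; the RIP route to 10.22.22.22 leaves via Ethernet0/0."""
    deny_all = [AclEntry("deny")]                 # access-list 100 deny ip any any
    permit_any = [AclEntry("permit")]             # access-list 1 permit any
    return Router(
        routes={"10.1.1.0/24": "Ethernet0/0",
                "10.11.11.11/32": "Loopback0",
                "10.22.22.22/32": "Ethernet0/0"},
        out_acl={"Ethernet0/0": deny_all},
        local_policy={"match": permit_any, "set_interface": "Loopback0"}
        if with_local_policy else None,
    )


def ping_result(with_local_policy: bool) -> str:
    """Router-sourced 'ping 10.22.22.22' from Rack1R1, with or without 'ip local policy'."""
    return rack1r1(with_local_policy).forward(
        Packet("10.1.1.1", "10.22.22.22", locally_originated=True))


def transit_result() -> str:
    """A packet from elsewhere (constructed source 192.0.2.10) forwarded out Ethernet0/0."""
    return rack1r1(with_local_policy=False).forward(
        Packet("192.0.2.10", "10.22.22.22", locally_originated=False))


if __name__ == "__main__":
    print("with local policy:   ", ping_result(True))
    print("without local policy:", ping_result(False))
    print("transit packet:      ", transit_result())
```

Run as-is it prints the three cases that correspond to the two ping attempts in the mail (U.U.U with the local policy, !!!!! without it) plus the transit case, which is dropped either way. The model deliberately leaves out "no ip route-cache" and process versus fast switching; it only captures the classification of a packet as router-sourced or transit, which is what decides whether the outbound ACL is consulted.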
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Richard Davidson
Sent: Friday, April 04, 2003 7:36 PM
To: Brian Dennis; 'Richard Davidson'; 'groupstudy'
Subject: RE: local sourced traffic no matching out bound ACL?
Yes, I would love to know how to affect packets
sourced by the router with an ACL.
Rich
--- Brian Dennis <brian@5g.net> wrote:
> You are correct in your findings that packets
> sourced by the router are
> not affected by an outbound ACL. If you want packets
> sourced by the
> router to be affected by an outbound ACL let me know
> and I'll show you
> how.
>
> Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
> Director of CCIE Training and Development -
> IPexpert, Inc.
> Mailto: brian@ipexpert.net
> Toll Free: 866.225.8064
> Outside U.S. & Canada: 312.321.6924
>
> -----Original Message-----
> From: nobody@groupstudy.com
> [mailto:nobody@groupstudy.com] On Behalf Of
> Richard Davidson
> Sent: Friday, April 04, 2003 4:47 PM
> To: groupstudy
> Subject: local sourced traffic no matching out bound
> ACL?
>
> If I have an access-list on E0 that denies all
> traffic
> out and the router has an adjacency with a
> neighboring
> OSPF router, how does this route stay up? This
> router
> can still ping neighboring devices out of the E0
> interface. Does the router not follow the interface access-list rule?
> I think it does. What do I do to get the router to follow the rules
> of the access-list?
> Any link or explanation would help.
>
> Thanks All.