Re: about EACL echo-reply filter

From: Jeremy (jeremy19@xxxxxxxx)
Date: Thu Sep 13 2001 - 11:18:02 GMT-3


   
I believe the reason this ACL did not function is that ACLs do not apply to
traffic generated from the router they originate on. This would explain why
placing them on the BJ router would filter a ping from SJ. Maybe I'm not
looking at the question closely enough.

----- Original Message -----
From: "tim wu" <tim_wu@gz.ctil.com>
To: "ccielab" <ccielab@groupstudy.com>
Sent: Monday, September 10, 2001 7:10 PM
Subject: about EACL echo-reply filter

> Hi, members
>
> I found a phenomenon. I set an echo-reply filter under SJ serial-port0; when
> I ping the loop0 of SJ from BJ, it's not working. Alternatively, when I set the
> same filter under NY serial-port0, it's working.
>
>
> SJ-----------NY--------------BJ
> loop0 s0  s0    s1           s1
>
>
> SJ
>
> inter s 0
> ip access-g 100 out
>
> access-list 100 deny icmp host <SJ_loop0_ip_address> host <BJ_s1_ip_address> echo-reply
> access-list 100 permit ip any any
>
>
> When I ping loop0 of SJ from BJ, SJ can still echo-reply to BJ.
>
>
>
> When I set the same filter under NY serial-port0, the EACL can filter
> echo-reply successfully.
>
> NY
> inter s0
> ip access-g 100 in
>
> access-list 100 deny icmp host <SJ_loop0_ip_address> host <BJ_s1_ip_address> echo-reply
> access-list 100 permit ip any any
>
>
>
> So, I get a result: the filter of echo-reply under SJ serial-port is not
> useful; the filter shall be set under its upstream router.
**Please read:http://www.groupstudy.com/list/posting.html
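
A simplified model of the behaviour discussed in this thread, as an added example that is not part of the original messages: an interface ACL is evaluated for transit packets but not for packets the router itself generates, so the same access-list 100 has no effect outbound on SJ and takes effect inbound on NY. The addresses are constructed stand-ins for the placeholders in the post, and the `Router`, `Packet`, `acl_permits` and `reply_reaches_bj` names are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

# Constructed addresses standing in for the post's <..._ip_address> placeholders.
SJ_LOOP0, BJ_S1 = ip_address("10.0.0.1"), ip_address("10.0.23.2")

# access-list 100 from the post as (action, protocol, src, dst, icmp_type);
# None matches anything.
ACL_100 = [("deny", "icmp", SJ_LOOP0, BJ_S1, "echo-reply"),
           ("permit", "ip", None, None, None)]

@dataclass(frozen=True)
class Packet:
    src: object
    dst: object
    proto: str
    icmp_type: Optional[str] = None

def acl_permits(acl, pkt):
    """First matching entry decides; no match means the implicit deny."""
    for action, proto, src, dst, icmp_type in acl:
        if (proto in ("ip", pkt.proto) and src in (None, pkt.src)
                and dst in (None, pkt.dst) and icmp_type in (None, pkt.icmp_type)):
            return action == "permit"
    return False

@dataclass
class Router:  # hypothetical model, one ACL slot per direction
    name: str
    acl_in: Optional[list] = None
    acl_out: Optional[list] = None

    def passes(self, pkt, originated_here=False):
        # Assumption taken from the reply: interface ACLs are not applied to
        # packets the router itself generates, only to transit traffic.
        if originated_here:
            return True
        return all(acl is None or acl_permits(acl, pkt)
                   for acl in (self.acl_in, self.acl_out))

def reply_reaches_bj(sj, ny):
    """SJ originates the echo-reply from loop0; NY forwards it toward BJ."""
    reply = Packet(SJ_LOOP0, BJ_S1, "icmp", "echo-reply")
    return sj.passes(reply, originated_here=True) and ny.passes(reply)

if __name__ == "__main__":
    print("ACL out on SJ s0:", reply_reaches_bj(Router("SJ", acl_out=ACL_100), Router("NY")))
    print("ACL in on NY s0: ", reply_reaches_bj(Router("SJ"), Router("NY", acl_in=ACL_100)))
```
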



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:32:16 GMT-3