RE: local sourced traffic no matching out bound ACL?

From: Brian Dennis (brian@labforge.com)
Date: Sat Apr 05 2003 - 03:10:40 GMT-3


You need to create a local policy and route all packets you want
affected by the outbound ACL (i.e. outbound E0/0) out of a loopback
interface first. Not a pretty solution but it is a solution. See example
below:

Rack1R1#wr t
<snip>
!
hostname Rack1R1
!
interface Loopback0
 ip address 10.11.11.11 255.255.255.255
!
interface Ethernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip access-group 100 out
 no ip route-cache
!
ip local policy route-map OutACL
!
access-list 1 permit any
access-list 100 deny ip any any
route-map OutACL permit 10
 match ip address 1
 set interface Loopback0
!
<snip>
end

Rack1R1#sho ip rout
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C 10.11.11.11/32 is directly connected, Loopback0
C 10.1.1.0/24 is directly connected, Ethernet0/0
R 10.22.22.22/32 [120/1] via 10.1.1.2, 00:00:14, Ethernet0/0
Rack1R1#ping 10.22.22.22

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.22.22.22, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
Rack1R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rack1R1(config)#no ip local policy route-map OutACL
Rack1R1(config)#^Z
Rack1R1#ping 10.22.22.22

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.22.22.22, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
Rack1R1#

Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
Director of CCIE Training and Development -
IPexpert, Inc.
Mailto: brian@ipexpert.net
Toll Free: 866.225.8064
Outside U.S. & Canada: 312.321.6924
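To make the behaviour in the config and pings above concrete, here is an added Python model of the forwarding decision (constructed for this thread, not Cisco code and not from the original post). It assumes the routing table, ACL 100 and route-map OutACL shown above, and models a router-generated packet either skipping the outbound ACL (no local policy) or being pushed through Loopback0 and re-forwarded like a transit packet, where the outbound ACL finally applies.

```python
import ipaddress

# Constructed routing table mirroring "sho ip rout" above: prefix -> egress interface
ROUTES = {
    ipaddress.ip_network("10.11.11.11/32"): "Loopback0",
    ipaddress.ip_network("10.1.1.0/24"): "Ethernet0/0",
    ipaddress.ip_network("10.22.22.22/32"): "Ethernet0/0",
}
# "access-list 100 deny ip any any" applied with "ip access-group 100 out" on E0/0
OUT_ACL = {"Ethernet0/0": "deny"}


def lookup(dst):
    """Longest-prefix match against ROUTES; returns the egress interface or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, intf in ROUTES.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, intf)
    return best[1] if best else None


def forward(dst, locally_sourced, local_policy):
    """Return 'sent' or 'dropped' for one packet to dst.

    locally_sourced: packet generated by the router itself (e.g. its own ping)
    local_policy:    True when "ip local policy route-map OutACL" is configured
    """
    # Step 1: local policy routing only touches router-generated packets.
    if locally_sourced and local_policy:
        # route-map OutACL: "match ip address 1" (permit any) -> "set interface Loopback0".
        # Sending the packet to Loopback0 hands it straight back to the forwarding
        # path, where it is now treated like a received (transit) packet.
        locally_sourced = False
    # Step 2: ordinary destination lookup (done again after the loopback hop).
    egress = lookup(dst)
    if egress is None:
        return "dropped"
    # Step 3: the outbound ACL is evaluated for transit packets only; packets the
    # router sourced itself bypass it, which is the behaviour Richard observed.
    if not locally_sourced and OUT_ACL.get(egress) == "deny":
        return "dropped"
    return "sent"
```

With the local policy in place the model drops the router's own ping to 10.22.22.22 (matching the U.U.U result), and without it the ping goes out untouched (matching the !!!!! result); a transit packet is dropped either way.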

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Richard Davidson
Sent: Friday, April 04, 2003 7:36 PM
To: Brian Dennis; 'Richard Davidson'; 'groupstudy'
Subject: RE: local sourced traffic no matching out bound ACL?

Yes, I would love to know how to affect packets
sourced by the router with an ACL.
Rich

--- Brian Dennis <brian@5g.net> wrote:
> You are correct in your findings that packets
> sourced by the router are
> not affected by an outbound ACL. If you want packets
> sourced by the
> router to be affected by an outbound ACL let me know
> and I'll show you
> how.
>
> Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
> Director of CCIE Training and Development -
> IPexpert, Inc.
> Mailto: brian@ipexpert.net
> Toll Free: 866.225.8064
> Outside U.S. & Canada: 312.321.6924
>
> -----Original Message-----
> From: nobody@groupstudy.com
> [mailto:nobody@groupstudy.com] On Behalf Of
> Richard Davidson
> Sent: Friday, April 04, 2003 4:47 PM
> To: groupstudy
> Subject: local sourced traffic no matching out bound
> ACL?
>
> If I have an access-list on E0 that denies all traffic
> out and the router has an adjacency with a neighboring
> OSPF router, how does this route stay up? This router
> can still ping neighboring devices out of the E0
> interface. Does the router not follow the interface
> access-list rule? I think it does. What do I do to
> get the router to follow the rules of the
> access-list?
> Any link or explanation would help.
>
> Thanks All.
