
router bypasses ACL for locally sourced traffic


Local policy map matches traffic in an ACL and sets interface to null0.
On 6/30/06, CCIEin2006 wrote:
>
> Isn’t there also a technique to block locally sourced traffic by using a
> local policy map? Maybe someone can share?
>
> On 6/30/06, anthony.sequeira@thomson.com wrote:
> >
> > This is from the 12.2 documentation on how an outbound Access List
> > functions (I provided the link below)….
> >
> > “If the access list is outbound, after receiving and routing a packet to
> > the outbound interface, the software checks the access list’s criteria
> > statements for a match. If the packet is permitted, the software
> > transmits the packet. If the packet is denied, the software discards the
> > packet.”
> >
> > Please note that the packet must be received by the router and routed to
> > the outbound interface. Note this never happens with locally originated
> > traffic.
> >
> > The simplest way to control Telnet access with an access list is to use
> > the access-class command in line configuration mode.
> >
> > http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfacls.htm
> >
> > Anthony J Sequeira
> > CCIE #15626
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Koen Zeilstra
> > Sent: Friday, June 30, 2006 8:40 AM
> > To: ccielab@groupstudy.com
> > Subject: router bypasses ACL for locally sourced traffic
> >
> > Hi Group,
> >
> > Maybe this has been posted before, however I could not find any
> > reference. Perhaps other wording is used to describe this.
> >
> > What is the explanation for a router bypassing ACLs applied in the
> > outgoing direction for locally sourced traffic?
> >
> > For example:
> >
> > (R1)e0/0------------e0/0(R2)
> >
> > R1
> >
> > int e0/0
> >  ip access-group ACL out
> > !
> >
> > ip access-list ext ACL
> >  deny tcp any any eq telnet
> >  permit ip any any
> > !
> >
> > Telnetting from R1 to R2 works fine even with the ACL denying outgoing
> > packets destined for port 23.
> >
> > thanks,
> >
> > Koen
> >
> > -----------------------
> > You will feel hungry again in another hour.
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
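The local-policy technique raised in the thread, written out as an added example that is not part of any poster's message: an IOS sketch for R1 that policy-routes router-originated Telnet to Null0 while the outbound ACL from the original post keeps filtering transit traffic. The names LOCAL-TELNET and LOCAL-DROP are assumptions chosen for illustration.

```cisco
! Added example, not from the thread. LOCAL-TELNET and LOCAL-DROP are
! assumed names.
!
! Classify the locally generated traffic to be dropped. In a route-map
! match ACL, "permit" means "select this traffic", not "allow it".
ip access-list extended LOCAL-TELNET
 permit tcp any any eq telnet
!
! Send everything selected above to the null interface.
route-map LOCAL-DROP permit 10
 match ip address LOCAL-TELNET
 set interface Null0
!
! Local policy routing applies the route-map to packets the router itself
! originates, which the outbound interface ACL never evaluates.
ip local policy route-map LOCAL-DROP
!
! The ACL from the original post, unchanged: it still filters packets that
! are received on another interface and routed out e0/0.
ip access-list extended ACL
 deny tcp any any eq telnet
 permit ip any any
!
interface Ethernet0/0
 ip access-group ACL out
```

`show ip local policy` displays the route-map in effect. Keep the match ACL narrow, because local policy applies to every packet the router generates, routing-protocol and management traffic included.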
