Hi! I asked almost the same question some time ago and got this answer:
>> Is it possible to interfere the L2TP traffic with access-lists?
>>
>
> No. Not on the access side.

A bit later I got the explanation: "AFAIK no. The features applied on ingress are not evaluated on L3 info. We simply encapsulate the raw L2 frame and ship it over."

Greets,
Bernd

Jeffrey Ollie wrote:
> I have two 2811 routers that I'm setting up to bridge a L2 VLAN across
> our WAN to support some POS systems that need to be on the same L2
> VLAN. I've gotten a L2TPv3 tunnel set up between the routers and
> passing packets. However, I'd like to add an access list to prevent
> traffic like OSPF, PIM, and DHCP from passing across the tunnel.
> However, adding an "ip access-group" command to the interface that is
> connected to the tunnel doesn't seem to block anything. Here's the
> relevant bits from the config (the other router is identical except
> for IP addresses). Can anyone show me how to get this filtering
> working properly? Should I be using something other than L2TPv3?
>
> l2tp-class cafe-class
>  authentication
>  password YYYYYYYYYYYY
>
> pseudowire-class cafe-pseudowire
>  encapsulation l2tpv3
>  protocol l2tpv3 cafe-class
>  ip local interface Loopback0
>
> interface Loopback0
>  ip address XXX.XXX.XXX.XXX 255.255.255.255
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  ip pim sparse-mode
>
> interface FastEthernet0/1
>  no ip address
>  ip access-group keep-stuff-local in
>  duplex auto
>  speed auto
>  xconnect XXX.XXX.XXX.XXX 39 encapsulation l2tpv3 pw-class cafe-pseudowire
> end
>
> ip access-list extended keep-stuff-local
>  deny udp any any range bootps bootpc log
>  deny pim any any log
>  deny ospf any any log
>  deny igmp any any log
>  permit ip any any
>
> _______________________________________________
> cisco-nsp mailing list [email protected]
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
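Because the ingress ACL on the xconnect interface never evaluates the inner L3 headers, the practical way to confirm what is actually crossing the pseudowire is to capture the L2TPv3 packets and decapsulate them. The following is an added example, not code from either poster: it assumes L2TPv3 over IP (IP protocol 115) with no cookie and no L2-specific sublayer (Cisco's defaults without sequencing), builds constructed sample packets, and reports whether the inner Ethernet frame carries OSPF, PIM, IGMP or DHCP, the traffic the original ACL was meant to block.

```python
import struct
from typing import Optional

IP_PROTO_L2TPV3 = 115                       # L2TPv3 directly over IP (RFC 3931)
INNER_PROTO_NAMES = {2: "igmp", 89: "ospf", 103: "pim"}
DHCP_PORTS = {67, 68}                       # bootps / bootpc

def classify_l2tpv3_payload(packet: bytes, cookie_len: int = 0) -> Optional[str]:
    """Decapsulate an outer IPv4 + L2TPv3 packet and name the control protocol
    found in the inner Ethernet frame, or return None for anything else."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IP_PROTO_L2TPV3:
        return None
    # Session header: 32-bit session ID, then an optional cookie (assumed 0 bytes).
    # Assumption: no L2-specific sublayer, so the raw Ethernet frame follows.
    inner = packet[ihl + 4 + cookie_len:]
    ethertype = struct.unpack("!H", inner[12:14])[0]
    if ethertype == 0x8100:                 # 802.1Q tagged frame, skip the tag
        ethertype = struct.unpack("!H", inner[16:18])[0]
        l3 = inner[18:]
    else:
        l3 = inner[14:]
    if ethertype != 0x0800:                 # only inspect IPv4 inside the frame
        return None
    proto = l3[9]
    if proto in INNER_PROTO_NAMES:
        return INNER_PROTO_NAMES[proto]
    if proto == 17:                         # UDP: check for DHCP ports
        inner_ihl = (l3[0] & 0x0F) * 4
        sport, dport = struct.unpack("!HH", l3[inner_ihl:inner_ihl + 4])
        if sport in DHCP_PORTS or dport in DHCP_PORTS:
            return "dhcp"
    return None

def build_sample(inner_proto: int, sport: int = 0, dport: int = 0) -> bytes:
    """Constructed test packet: outer IPv4 | session ID | Ethernet | IPv4 [| UDP]."""
    def ipv4(proto: int, payload: bytes) -> bytes:
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                           proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + payload
    l4 = struct.pack("!HHHH", sport, dport, 8, 0) if inner_proto == 17 else b""
    eth = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00" + ipv4(inner_proto, l4)
    session_id = struct.pack("!I", 39)      # constructed session ID, not a real one
    return ipv4(IP_PROTO_L2TPV3, session_id + eth)

if __name__ == "__main__":
    for name, pkt in [("ospf", build_sample(89)), ("dhcp", build_sample(17, 68, 67))]:
        print(name, "->", classify_l2tpv3_payload(pkt))
```

Feeding real packets from a capture on the WAN side (filtered on IP protocol 115) into classify_l2tpv3_payload gives a direct count of the control-plane traffic the pseudowire is carrying despite the ACL.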
