--- On Sat, 6/23/12, Mike <[email protected]> wrote:
> From: Mike <[email protected]>
> Subject: [c-nsp] ip access list rfc1918 help please
> To: "'Cisco-nsp'" <[email protected]>
> Date: Saturday, June 23, 2012, 2:42 PM
>
> Howdy,
>
> I am trying to filter out rfc1918 addresses as either source or
> destination addresses for my pppoe connected subscribers. Each
> subscriber has a radius item 'Filter-Id' with the name of a filter,
> with the majority being 'customer_filter1', and it seems that although
> this is in fact being applied to the virtual-access interfaces per
> customer, it doesn't work as I expect since I can clearly see traffic
> from customer -> rfc1918 address space still being forwarded.
>
> Here's a sample 'sh ip interface' showing the filter being applied:
>
> c7201-bras#sh ip interface virtual-access 190
> Virtual-Access190 is up, line protocol is up
> Interface is unnumbered. Using address of Loopback0 (x.x.x.x)
> Broadcast address is 255.255.255.255
> Peer address is y.y.y.y
> MTU is 1492 bytes
> Helper address is not set
> Directed broadcast forwarding is disabled
> Outgoing access list is customer_filter1
> Inbound access list is not set
>
> etc, etc
>
> Here is the filter itself:
>
> ip access-list extended customer_filter1
> deny ip host 0.0.0.0 any
> deny ip 127.0.0.0 0.255.255.255 any
> deny ip 192.0.2.0 0.0.0.255 any
> deny ip 224.0.0.0 31.255.255.255 any
> deny ip 10.0.0.0 0.255.255.255 any
> deny ip 172.16.0.0 0.15.255.255 any
> deny ip 192.168.0.0 0.0.255.255 any
> deny ip any host 0.0.0.0
> deny ip any 127.0.0.0 0.255.255.255
> deny ip any 192.0.2.0 0.0.0.255
> deny ip any 224.0.0.0 31.255.255.255
> deny ip any 10.0.0.0 0.255.255.255
> deny ip any 172.16.0.0 0.15.255.255
> deny ip any 192.168.0.0 0.0.255.255
> permit ip any any
>
> Any ideas?
>
> Mike-

customer-TO-rfc1918 is INBOUND on virtual-access 190
You have an outbound acl applied. In that regard, I would say it is "working as expected".

./Randy
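
The direction point in the reply above, as an added example that is not part of the original thread: a small Python model that parses the entries of customer_filter1, applies IOS-style wildcard matching with first-match semantics, and shows that an ACL bound in one direction never inspects packets travelling the other way. The subscriber address 203.0.113.10, the other test addresses and the helper names are constructed for illustration; the model assumes an interface ACL is consulted only for packets moving in the direction it is applied.

```python
import ipaddress

# The 7 address specs from customer_filter1 in the post, in the same order.
BLOCKED = ["host 0.0.0.0", "127.0.0.0 0.255.255.255", "192.0.2.0 0.0.0.255",
           "224.0.0.0 31.255.255.255", "10.0.0.0 0.255.255.255",
           "172.16.0.0 0.15.255.255", "192.168.0.0 0.0.255.255"]
ACL_TEXT = "\n".join([f"deny ip {b} any" for b in BLOCKED] +
                     [f"deny ip any {b}" for b in BLOCKED] + ["permit ip any any"])

def _take_addr(tokens):
    """Consume one address spec and return (base, wildcard) as integers."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_acl(text):
    """Parse 'permit|deny ip <src> <dst>' entries into (action, src, dst)."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, _proto = tokens.pop(0), tokens.pop(0)
        rules.append((action, _take_addr(tokens), _take_addr(tokens)))
    return rules

def _match(addr, spec):
    base, wildcard = spec  # wildcard bits set to 1 are "don't care"
    return ((addr ^ base) & ~wildcard & 0xFFFFFFFF) == 0

def evaluate(rules, src, dst):
    """First matching entry wins; an ACL ends with an implicit deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for action, src_spec, dst_spec in rules:
        if _match(s, src_spec) and _match(d, dst_spec):
            return action
    return "deny"

def forward(rules, acl_dir, pkt_dir, src, dst):
    """pkt_dir is relative to the interface: 'in' = from the subscriber."""
    if acl_dir != pkt_dir:
        return "permit"  # the ACL is never consulted for this packet
    return evaluate(rules, src, dst)

if __name__ == "__main__":
    rules = parse_acl(ACL_TEXT)
    for acl_dir in ("out", "in"):  # constructed packet: subscriber -> 10.1.2.3
        print(acl_dir, forward(rules, acl_dir, "in", "203.0.113.10", "10.1.2.3"))
```

With the list bound outbound, the only RFC1918 traffic it drops on this interface is what is headed toward the subscriber, such as a reply sourced from 10.1.2.3.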
