Do you need to do this via ACLs? For the inbound case, strict unicast RPF would 
handle this (and more) implicitly. For the outbound, do you have any 1918 
routes? If not, just add statics to Null0.

[sent from my mobile]

On Jun 23, 2012, at 3:37 PM, Randy <[email protected]> wrote:

> --- On Sat, 6/23/12, Mike <[email protected]> wrote:
> 
>> From: Mike <[email protected]>
>> Subject: [c-nsp] ip access list rfc1918 help please
>> To: "'Cisco-nsp'" <[email protected]>
>> Date: Saturday, June 23, 2012, 2:42 PM
>> 
>> Howdy,
>> 
>> I am trying to filter out rfc1918 addresses as either source or
>> destination addresses for my pppoe connected subscribers. Each
>> subscriber has a radius item 'Filter-Id' with the name of a filter,
>> with the majority being 'customer_filter1', and it seems that although
>> this is in fact being applied to the virtual-access interfaces per
>> customer, it doesn't work as I expect since I can clearly see traffic
>> from customer -> rfc1918 address space still being forwarded.
>> 
>> Here's a sample 'sh ip interface' showing the filter being applied:
>> 
>> 
>> c7201-bras#sh ip interface virtual-access 190
>> Virtual-Access190 is up, line protocol is up
>>   Interface is unnumbered. Using address of Loopback0 (x.x.x.x)
>>   Broadcast address is 255.255.255.255
>>   Peer address is y.y.y.y
>>   MTU is 1492 bytes
>>   Helper address is not set
>>   Directed broadcast forwarding is disabled
>>   Outgoing access list is customer_filter1
>>   Inbound  access list is not set
>> 
>> etc, etc
>> 
>> Here is the filter itself:
>> 
>> ip access-list extended customer_filter1
>> deny   ip host 0.0.0.0 any
>> deny   ip 127.0.0.0 0.255.255.255 any
>> deny   ip 192.0.2.0 0.0.0.255 any
>> deny   ip 224.0.0.0 31.255.255.255 any
>> deny   ip 10.0.0.0 0.255.255.255 any
>> deny   ip 172.16.0.0 0.15.255.255 any
>> deny   ip 192.168.0.0 0.0.255.255 any
>> deny   ip any host 0.0.0.0
>> deny   ip any 127.0.0.0 0.255.255.255
>> deny   ip any 192.0.2.0 0.0.0.255
>> deny   ip any 224.0.0.0 31.255.255.255
>> deny   ip any 10.0.0.0 0.255.255.255
>> deny   ip any 172.16.0.0 0.15.255.255
>> deny   ip any 192.168.0.0 0.0.255.255
>> permit ip any any
>> 
>> Any ideas?
>> 
>> Mike-
> 
> 
> customer-TO-rfc1918 is INBOUND on virtual-access 190
> You have an outbound acl applied. In that regard, I would say it is "working 
> as expected".
> ./Randy
> 
> _______________________________________________
> cisco-nsp mailing list  [email protected]
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
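
Added example (not part of the original thread, and not Cisco's implementation): a small Python model of wildcard-mask ACL matching and interface direction, using the customer_filter1 entries quoted above, to show why an outbound-only filter never evaluates customer -> rfc1918 packets. The function names and the 198.51.100.10 subscriber address are constructed for illustration.

```python
import ipaddress
# ACL entries copied from the quoted post (customer_filter1).
ACL_TEXT = """\
deny   ip host 0.0.0.0 any
deny   ip 127.0.0.0 0.255.255.255 any
deny   ip 192.0.2.0 0.0.0.255 any
deny   ip 224.0.0.0 31.255.255.255 any
deny   ip 10.0.0.0 0.255.255.255 any
deny   ip 172.16.0.0 0.15.255.255 any
deny   ip 192.168.0.0 0.0.255.255 any
deny   ip any host 0.0.0.0
deny   ip any 127.0.0.0 0.255.255.255
deny   ip any 192.0.2.0 0.0.0.255
deny   ip any 224.0.0.0 31.255.255.255
deny   ip any 10.0.0.0 0.255.255.255
deny   ip any 172.16.0.0 0.15.255.255
deny   ip any 192.168.0.0 0.0.255.255
permit ip any any
"""

def _spec(tokens):  # consume one address spec, return (address, wildcard) as ints
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_acl(text):
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        action, _proto = tokens.pop(0), tokens.pop(0)
        rules.append((action, _spec(tokens), _spec(tokens)))  # source, then destination
    return rules

def _match(ip, spec):  # wildcard bits set to 1 are "don't care"
    keep = ~spec[1] & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & keep) == (spec[0] & keep)

def evaluate(rules, src, dst):
    for action, s, d in rules:  # first match wins
        if _match(src, s) and _match(dst, d):
            return action
    return "deny"  # implicit deny at the end of every ACL

def forward(src, dst, packet_dir, acl_in=None, acl_out=None):
    # packet_dir is relative to the subscriber interface: "in" = from the customer
    acl = acl_in if packet_dir == "in" else acl_out
    return "permit" if acl is None else evaluate(acl, src, dst)
```

With the filter attached only as the outgoing list, forward("198.51.100.10", "10.1.2.3", "in", acl_out=rules) returns "permit", which matches what Mike observed; the same packet with acl_in=rules returns "deny".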
