Hi

It is probably also worth looking at RFC5735 for other IP addresses that could be filtered.

Ivan

On 24/Jun/2012 10:37 a.m., Randy wrote:
--- On Sat, 6/23/12, Mike <[email protected]> wrote:

From: Mike <[email protected]>
Subject: [c-nsp] ip access list rfc1918 help please
To: "'Cisco-nsp'" <[email protected]>
Date: Saturday, June 23, 2012, 2:42 PM

Howdy,

     I am trying to filter out rfc1918
addresses as either source or destination addresses for my
pppoe connected subscribers. Each subscriber has a radius
item 'Filter-Id' with the name of a filter, with the
majority being 'customer_filter1', and it seems that
although this is in fact being applied to the virtual-access
interfaces per customer, it doesn't work as I expect since I
can clearly see traffic from customer -> rfc1918 address
space still being forwarded.

Here's a sample 'sh ip interface' showing the filter being
applied:


c7201-bras#sh ip interface virtual-access 190
Virtual-Access190 is up, line protocol is up
   Interface is unnumbered. Using address of Loopback0 (x.x.x.x)
   Broadcast address is 255.255.255.255
   Peer address is y.y.y.y
   MTU is 1492 bytes
   Helper address is not set
   Directed broadcast forwarding is disabled
   Outgoing access list is customer_filter1
   Inbound  access list is not set

etc, etc

Here is the filter itself:

ip access-list extended customer_filter1
  deny   ip host 0.0.0.0 any
  deny   ip 127.0.0.0 0.255.255.255 any
  deny   ip 192.0.2.0 0.0.0.255 any
  deny   ip 224.0.0.0 31.255.255.255 any
  deny   ip 10.0.0.0 0.255.255.255 any
  deny   ip 172.16.0.0 0.15.255.255 any
  deny   ip 192.168.0.0 0.0.255.255 any
  deny   ip any host 0.0.0.0
  deny   ip any 127.0.0.0 0.255.255.255
  deny   ip any 192.0.2.0 0.0.0.255
  deny   ip any 224.0.0.0 31.255.255.255
  deny   ip any 10.0.0.0 0.255.255.255
  deny   ip any 172.16.0.0 0.15.255.255
  deny   ip any 192.168.0.0 0.0.255.255
  permit ip any any

Any ideas?

Mike-


customer-TO-rfc1918 is INBOUND on virtual-access 190
You have an outbound acl applied. In that regard, I would say it is "working as 
expected".
./Randy

_______________________________________________
cisco-nsp mailing list  [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
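To make Randy's point concrete, here is an added Python model (written for this reply, not from the thread and not a Cisco tool) that parses the customer_filter1 ACL exactly as posted and evaluates it against packets crossing a virtual-access interface in each direction. It assumes contiguous wildcard masks, uses 198.51.100.7 as a constructed stand-in for the customer's y.y.y.y address, and 10.1.2.3 and 203.0.113.9 as constructed destinations.

```python
import ipaddress
# Constructed copy of the ACL posted in the thread (header line omitted).
CUSTOMER_FILTER1 = """
  deny   ip host 0.0.0.0 any
  deny   ip 127.0.0.0 0.255.255.255 any
  deny   ip 192.0.2.0 0.0.0.255 any
  deny   ip 224.0.0.0 31.255.255.255 any
  deny   ip 10.0.0.0 0.255.255.255 any
  deny   ip 172.16.0.0 0.15.255.255 any
  deny   ip 192.168.0.0 0.0.255.255 any
  deny   ip any host 0.0.0.0
  deny   ip any 127.0.0.0 0.255.255.255
  deny   ip any 192.0.2.0 0.0.0.255
  deny   ip any 224.0.0.0 31.255.255.255
  deny   ip any 10.0.0.0 0.255.255.255
  deny   ip any 172.16.0.0 0.15.255.255
  deny   ip any 192.168.0.0 0.0.255.255
  permit ip any any
"""

def parse_operand(tokens):
    """Consume one operand ('any', 'host A', or 'A WILDCARD') -> (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    a, w = (int(ipaddress.IPv4Address(x)) for x in tokens[:2])
    # IOS wildcard: set bits are "don't care" (assumes a contiguous mask)
    return ipaddress.IPv4Network((a & ~w & 0xFFFFFFFF, 32 - w.bit_length())), tokens[2:]

def parse_acl(text):
    """[(action, src_net, dst_net)] for every 'permit|deny ip SRC DST' line."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if len(t) >= 4 and t[0] in ("permit", "deny") and t[1] == "ip":
            src, rest = parse_operand(t[2:])
            entries.append((t[0], src, parse_operand(rest)[0]))
    return entries

def acl_action(entries, src, dst):
    """First-match evaluation; an IOS ACL ends with an implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return next((a for a, sn, dn in entries if s in sn and d in dn), "deny")

def forwarded(src, dst, peer, acl_in=None, acl_out=None):
    """Customer-sourced traffic ARRIVES on the virtual-access interface, so only the
    inbound ACL sees it; the outbound ACL only sees traffic heading to the customer."""
    acl = acl_in if src == peer else acl_out
    return acl is None or acl_action(acl, src, dst) == "permit"
```

With only acl_out set, forwarded(peer, "10.1.2.3", peer, acl_out=acl) returns True, which is exactly the leak Mike sees; passing the same ACL as acl_in as well returns False. On IOS the direction a RADIUS Filter-Id is installed in is chosen by a ".in" or ".out" suffix on the attribute value (stated here from memory, not from the thread).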
