Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
A
A
Alexey2015-06-11 12:57:27
Cisco
Alexey, 2015-06-11 12:57:27

Access-list does not work. What's wrong?

Access-list does not work on the outgoing interface , the
system is very simple cisco router for example 3725 (c3725-adventerprisek9-mz.124-25d) is connected by the FastEthernet0/1 interface to any switch
c5b0a1bcee1a4338ba58f8970b120932.PNG
router R1 configuration

interface Loopback0
 ip address 192.168.2.1 255.255.255.255
!
interface Tunnel0
 ip unnumbered Loopback0
 ip ospf network point-to-point
 ip ospf mtu-ignore
 tunnel source FastEthernet0/1
 tunnel destination 192.168.1.1
!
interface FastEthernet0/1
 ip address 192.168.1.2 255.255.255.0
 ip access-group 100 in
 ip access-group 101 out
 duplex auto
 speed auto
 no shutdown
!
router ospf 1
 router-id 192.168.2.1
 log-adjacency-changes
 network 192.168.2.1 0.0.0.0 area 192.168.1.1
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
!
access-list 100 deny   gre any any log
access-list 101 deny   gre any any log
no cdp run

in theory, GRE traffic should be blocked, but this does not happen
Wireshark shows that GRE traffic goes beyond FastEthernet0/1
51227ca8163e4fe7b831cf160c7429b9.PNG

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

4 answer(s)
Report
A
Archangel, 2015-06-17
@Archangel

You are absolutely right. On IOS routers, traffic initiated by the router itself is not ACLed.
If there is such a critical need to keep traffic out, then the easiest option is to wrap targeted traffic on the loopback interface using a local route-map.
ip local policy route-map

Report
A
Alexey, 2015-06-15
@heavenfox

yes, it seems to me once again the 2nd case
, I will read about it in more detail

Report
I
Igor, 2015-06-14
@fredyk

I hope that I won’t say stupidity, but I’ll voice 2 of my versions that come to mind:
1) You can’t hang more than one ACL per interface / protocol / direction
2) ACL does not affect traffic generated by the router itself (your case)

Report
J
John_Alban, 2015-08-28
@John_Alban

Can be blocked at the control-plane policy level. In the current form, it will not work, because. traffic, the router's own traffic will not be filtered. But the incoming tunnel will still not rise, so the task is solved to some extent ..

Similar questions
R
RazorBlade2016-11-10 11:26:53
Can a Cisco router be used as a proxy through NAT? 3Reply
J
John_Nash2019-04-13 21:36:24
Cisco vpn over pptp works crookedly. Where to dig? 2Reply
J
John2016162016-11-24 16:16:07
How to block sites like vk, ok.ru, etc. through Cisco ASA 5505? 2Reply
N
nak-alexey2019-04-23 12:24:03
Why won't the Cisco 7965 phone start? 1Reply
D
Dymok2019-04-27 16:26:31
How to combine three networks using VPN on cisco? 1Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question