#cisco

26 December 2007


Total 21 pages. You are browsing page 4/21.


06:16 <****> not if you just want to deny traffic from the router
06:16 <****> neat
06:17 <****> sending the traffic to lo0 is a way to make the router reroute the traffic
06:17 <****> which is good for nat or access-list testing
06:17 <****> you mean making nat environment by a single router (without the need of attaching hosts..etc) ?
06:18 <****> Mahmoud: yeah sure..
06:18 <****> cool, i had this in my mind last year but I applied policies on physical interfaces, which didn't work..
06:18 <****> let's say you have a lock and key access-list and you want to test it without having another router/host hanging off
06:19 <****> send the traffic to lo0 first so that the router processes the traffic as if it wasn't locally generated
06:20 <****> super nice
06:20 <****> we had a lab last year in college, and we were running out of routers because of simple nat scenario
06:20 <****> the instructor was trying to do it, but he couldn't, he didn't use route-maps
06:21 <****> the way I did it that time was by ping x.x.x.x source y.y.y.y where y.y.y.y is supposed to be lo0 acting like a host
06:22 <****> which didn't work for sure.. it wasn't internally passing via the loop
06:22 <****> thanks nemith ^_^
06:22 <****> p
06:22 <****> er np
06:23 <****> p == the shortcut of the shortcut np :P
06:31 <****> hmmm not working either
06:34 <****> http://internetworkpro.org/pastebin/1544 <--- the deny route-map thingy
06:36 <****> i dunno
06:37 <****> ACLs on the outbound never filter locally generated traffic, right?
06:37 <****> talking about normal ACLs on interfaces
06:37 <****> sigh
06:38 <****> i think they do because the traffic is still routed
06:39 <****> with dynamips, deny ip any any on outbound of all interfaces allowed them to pass
06:39 <****> mahmoud, i'm just guessing, can you try it?
06:39 <****> wanted to make sure that this is not another weird result similar to the ip local policy route-map issue i had minutes ago
06:39 <****> i tried it, and it was permitted (the outbound acls)
06:40 <****> i don't think it should be, let me try
06:40 <****> but this could mean nothing as i tried the local policy route-map and it was still permitted as well, which shouldn't happen
06:43 <****> dwxreaper, keep me updated =] thx
06:43 <****> 1 sek
06:44 <****> mahmoud, yeah you're right
06:45 <****> it doesn't match outbound
06:45 <****> did you use dynamips?
06:45 <****> no a real router
06:45 <****> guess it has to actually go through the ingress interface
06:45 <****> cool, can you try the ip local policy route-map foo where foo is a deny route policy matching a permit ip any any ACL? if you have time
06:46 <****> dwxreaper, same thing with the pix, it can't filter outbound (no such command)
06:46 <****> i was using acls applied outbound on a 3560
06:46 <****> this is production equipment, don't wanna mess with shit i don't know sorry :P
06:47 <****> lol, it's fine, i didn't know it's production
06:47 <****> omg you made that test on the production router..
06:47 <****> maybe i am not doing what you're thinking
06:47 <****> i tested if an acl matches packets sent from the router itself, if the acl is applied outbound
06:48 <****> how did you make that test?
06:48 <****> i sent a ping sourced from the router itself, the ping had to go out the interface with the acl applied outbound
06:48 <****> and the acl had a deny statement for that source ip
06:49 <****> i see
06:49 <****> that's what you were talking about right
06:49 <****> exactly
06:49 <****> an acl not a route map
06:49 <****> i just had pie
06:49 <****> k
06:50 <****> dwxreaper, you can put a route-map with a deny statement for that weirdo source IP as well :P
06:50 <****> it was god.
06:50 <****> good, too.
06:50 <****> how do you block that, an acl applied to the control-plane?
06:51 <****> dwxreaper, i'm not sure of other ways, the only way I know so far is "router(config)# ip local policy route-map FOO" where foo is a route-map with deny statement matching certain IP packets
06:51 <****> the acl would be permit statement, but the route-map a deny
06:52 <****> in route map there is no deny all, but if it gets denied in acl, it doesn't match against the next route map stanza right?
06:52 <****> there is, but the default is permit, that's why many people don't mention the "permit deny"
06:53 <****> will be equal to: router(config)# route-map foo permit
06:54 <****> ok but default there is no deny all in the route-map itself
06:54 <****> just if route map matches an acl, then there is deny at the end
06:54 <****> in your pastebin i don't see it applied inbound or outbound from the router
06:55 <****> so how does it know to match versus the acl
06:55 <****> exactly
06:55 <****> sheesh
06:57 <****> dwxreaper, in my paste, where the route-map is created, there's a "deny"
06:57 <****> probably you are looking at where I applied it, not created it?
06:57 <****> mahmoud, yeah i gotcha, there is no deny all by default like an access-list though
06:58 <****> no there is actually
06:58 <****> if nothing is matched, it's a deny all
06:58 <****> ah, ok thanks
06:58 <****> in a route map there is no implicit action
06:58 <****> like an acl
06:59 <****> try it yourself on routing updates
06:59 <****> yeah there is no deny
06:59 <****> you tell it what to do, to set the route a certain way
06:59 <****> or whatever action you're doing
06:59 <****> yeah
07:00 <****> just like an ACL permit any, you can define an empty route-map permit, otherwise it's an implicit deny any
07:00 <****> no one trusts me here :P
07:00 <****> yeah, and if it doesn't match anything in the route map, then it acts just as if that route map didn't exist
07:01 <****> if it doesn't match any, the router will drop the packet, that's why in configurations you put another dummy empty one to make it pass (in case you don't want implicit deny)
07:01 <****> yeah, so there's no deny
07:01 <****> an empty route-map permit matches everything on the contrary
07:01 <****> and by default there is no empty route-map
07:02 <****> and if it matches nothing, then it is permitted :)
07:02 <****> put it the way you like, it's your knowledge :-P otherwise try it practically if you don't trust me
07:02 <****> that made no sense.
07:02 <****> mahmoud, humbug is right
07:02 <****> but ok
07:03 <****> indeed.
07:03 <****> it happens once in a while
07:03 <****> sigh
07:03 <****> say you apply a route map to a routing update, if it doesn't match the route-map stanzas, nothing changed
07:03 <****> in BGP if a route-map is applied, anything that doesn't match is denied if there is no permit everything clause

