  • Content created by Rene Molenaar (CCIE #41726)

 



Forum Replies

  1. Hi Rene,

    How can I filter locally generated packets in the router?

  2. Hello Hussein.

    When creating and implementing (extended) access lists, you are specifying how to filter traffic based on source and destination IPs, protocols, ports etc. In order to filter traffic that is generated locally by the router, you just have to determine the IP address from which it is being generated (an IP address of a local physical or loopback interface) and filter it accordingly by applying the access list to the appropriate interface(s).

    You don't have to do anything special for locally generated traffic, just make sure you have the appropriate IP address ranges included in your access lists.

    I hope this has been helpful!

    Laz

  3. Hello LAZ,

    The access-list you just mentioned filters only transit packets, even though the source IP address is configured on a local physical interface or loopback interface?

  4. Locally generated traffic will never be checked by outbound access-lists on your interfaces.

    You might be able to filter some outbound locally originated traffic with CoPP policing. I haven't tested this but feel free to try it :)

    R1(config)#control-plane
    R1(config-cp)#service-policy output MY_POLICY_MAP

    Or maybe with some crazy tricks where you redirect traffic like I did in my NAT on a stick example:

  5. Thank you very much Rene,

    I tried this policy and it works:

    !
    access-list 100 permit icmp host 192.168.45.4 host 192.168.45.5
    !
    !
    class-map match-all 1
     match access-group 100
    !
    policy-map 1
     class 1
      drop
    !
    control-plane
     service-policy output 1
    !

    Thanks again Rene
