Modifying current ACL/Routing Policy for a certain IP

utawakevou
Level 4

I have this ACL and routing policy enabled on one of our routers, which allows only IPs within 10.0.0.0 to and from selected interfaces:

access-list 150 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255

access-list 150 permit ip any any

!

route-map invalid_traffic permit 10

match ip address 150

set interface Null0

On each interface we enable this

ip policy route-map invalid_traffic

OK, I have a situation where I have to allow ONLY one certain IP, 10.1.140.51, connected to one of the router's interfaces, to be exempted from this rule. Do I have to create another ACL and routing policy for that particular interface?

If so can somebody help me write out a policy for that.

Your help will be very much appreciated.

2 Replies

gfullage
Cisco Employee

I'm a little confused about what you're trying to do here. Are you allowing or denying traffic to and from 10.0.0.0/8? The permit in the route-map and the deny/permit in the ACL are very confusing.

Why would you use policy routing here at all? Why not just use a standard ACL and an access-group on the interface? For example, if you want to allow 10.0.0.0/8 traffic and deny everything else, then just do:

access-list 150 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255

int

   ip access-group 150 in

or if you want to deny 10.0.0.0/8 and allow everything else:

access-list 150 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255

access-list 150 permit ip any any

int

   ip access-group 150 in

This is a much easier way to configure things; there's no need for route-maps and policy routing.

Depending then on whether you're trying to deny or permit 10.1.140.51, you just add a line at the top of the above ACL (note you'd have to remove the ACL first and retype the whole thing back in) in the form:

access-list 150 [permit|deny] ip host 10.1.140.51 any

OK, I think I have to explain my situation a bit more clearly now. We have enabled NetFlow on all our access routers and found out that most of the traffic shouldn't be allowed in our network. Most of this traffic is virus/worm related, hammering our routers' processors and memory.

Our setup is such that all Internet traffic should point to our cache, then to our firewall, where it does the NAT etc. Our internal network is using 10.1.1.0 and so on. Since we currently have problems with our schema, i.e. we allocate IPs department-wise instead of by location and as needed, I figured that it would be good for us, for the time being, to only allow traffic with source and destination IP within 10.0.0.0, hence that ACL/route policy.

It was working fine, nulling all traffic that doesn't belong to our network and allowing only traffic that should be going through. We are currently setting up an Internet connection from a school library using a Linux box with SQUID (10.1.140.51) and have allowed it to go through the firewall for Internet connection. However, this connection is coming through one of our current fiber links, shared by other clients, with the routing policy (invalid_traffic) already enabled. So what I want to do is allow only 10.1.140.51 to be exempt from the policy.
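The following is an added example, not code from either poster. It models how IOS evaluates an ACL that is referenced by a policy route-map, which is the point gfullage found confusing: an ACL entry that permits the packet makes the route-map clause match (and here "set interface Null0" discards it), while an ACL deny entry, or the implicit deny at the end, means the packet is not policy-routed at all and is forwarded normally. The EXEMPT_ACL text is one candidate rewrite of access-list 150 that exempts 10.1.140.51 in both directions before the catch-all permit; it is an assumption that the return traffic from the Internet reaches the policy-routed interfaces with the SQUID box as its destination, and the sample flows and the 198.51.100.10 / 192.0.2.9 addresses are constructed for illustration. Only "ip" entries with wildcard masks, "host" and "any" are parsed.

```python
"""Model of IOS ACL evaluation under 'match ip address' in a policy route-map.

Added example, not from the original thread. Assumptions (not stated on the page):
- ACL permit  -> route-map clause matches -> 'set interface Null0' drops the packet.
- ACL deny (or the implicit trailing deny) -> packet is not policy-routed -> normal routing.
- Only 'ip' entries using wildcard masks, 'host' and 'any' are supported.
"""
import ipaddress


def _parse_addr(tokens, i):
    """Parse one address spec at tokens[i]; return ((addr_int, wildcard_int), next_index)."""
    tok = tokens[i]
    if tok == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (addr, wild), i + 2


def _matches(spec, ip):
    """IOS wildcard semantics: 0 bits must match, 1 bits are don't-care."""
    addr, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) ^ addr) & care == 0


def parse_acl(config_text, number):
    """Return the entries of access-list <number> in order as (action, src_spec, dst_spec)."""
    entries = []
    for line in config_text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[:2] != ["access-list", str(number)]:
            continue
        action, proto = tokens[2], tokens[3]
        if proto != "ip":
            raise ValueError(f"unsupported protocol in: {line}")
        src, i = _parse_addr(tokens, 4)
        dst, _ = _parse_addr(tokens, i)
        entries.append((action, src, dst))
    return entries


def acl_result(entries, src_ip, dst_ip):
    """First-match evaluation with the implicit deny at the end."""
    for action, src, dst in entries:
        if _matches(src, src_ip) and _matches(dst, dst_ip):
            return action
    return "deny"


def pbr_action(entries, src_ip, dst_ip):
    """Outcome on an interface carrying 'ip policy route-map invalid_traffic'."""
    return "Null0" if acl_result(entries, src_ip, dst_ip) == "permit" else "routed"


# The ACL as posted in the thread.
ORIGINAL_ACL = """
access-list 150 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 150 permit ip any any
"""

# Candidate rewrite (assumption): exempt the SQUID box in both directions before the
# catch-all. A numbered ACL cannot be inserted into, so it is removed and re-entered
# in this order.
EXEMPT_ACL = """
access-list 150 deny ip host 10.1.140.51 any
access-list 150 deny ip any host 10.1.140.51
access-list 150 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 150 permit ip any any
"""

# Constructed sample flows: (source, destination, label). Public addresses are documentation ranges.
SAMPLE_FLOWS = [
    ("10.1.1.20", "10.1.50.7", "internal to internal"),
    ("10.1.1.20", "198.51.100.10", "internal host to Internet"),
    ("10.1.140.51", "198.51.100.10", "SQUID box to Internet"),
    ("198.51.100.10", "10.1.140.51", "return traffic to SQUID box"),
    ("192.0.2.9", "10.1.1.20", "unknown source to internal"),
]


def evaluate(config_text):
    """Map each sample flow label to 'Null0' or 'routed' under the given ACL text."""
    entries = parse_acl(config_text, 150)
    return {label: pbr_action(entries, s, d) for s, d, label in SAMPLE_FLOWS}


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL_ACL), ("with exemption", EXEMPT_ACL)):
        print(f"--- {name} ---")
        for label, outcome in evaluate(cfg).items():
            print(f"{outcome:7} {label}")
```

Run it to see that under the posted ACL the SQUID box's Internet traffic goes to Null0 along with the worm traffic, while with the two host exemptions placed above the catch-all only 10.1.140.51's flows are routed normally and every other non-10/8 flow is still discarded.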
