ACLs on Loopback or Multilink interface?

Hi all, I have a somewhat complex setup consisting of two Internet connections: a MLPPP connection w/ 2 T1's to ISP1, and a single T1 to another provider (ISP2). I have created a loopback interface w/ my ISP1 public IP block (/26). (Long story, but that's the way it's gotta be.) There is a single Ethernet connection to the LAN. ISP2's address space (/27) is applied on the serial interface at which the T1 connects.

   ISP2                ISP1
    |                   |
    |                   | /30x2
    |                  Mu1
    |                   |
 S0 /27              Lo0 /26
     \                /
         eth0 /24

My question is this: I have the IOS firewall feature set, and I want to put ACLs on my two external links, but I'm not sure which interface (Multilink1 or Loopback0) to apply the ACLs and INSPECT policies to for ISP1. Also, if it is to be applied to the Loopback, in which direction? It seems like if I apply it inbound, then it will see all traffic as inbound, regardless of the source (LAN/Multilink).

Thanks for your help.

Brian

Reply to
response3

I am not sure about this, but I don't think that you can apply IP access lists to non-IP interfaces.

So if your Multicast interface has

no ip address

then no acl.

What forced this scheme anyway?

Reply to
Bod43

You should apply "IP INSPECT" and "IP ACCESS-GROUP" statements on interfaces where you have an IP address configured. If you don't have PBR (Policy Based Routing) configured for your Loopback interface, the traffic never hits the Loopback; it could be used for internal routing or for routing advertisements. Basically you may apply proper access-lists on all interfaces, but you should be careful when you create a traffic pattern: for inbound access-lists it would be one pattern, and for outbound access-lists on the same interface it will be another pattern.

Good luck,

Mike


Reply to
headsetadapter.com

Thanks for the replies, but I'm not sure I understand. You're saying that even if I create an ACL and apply it to Lo2, I still need to force inbound traffic on ISP1 to hit the Loopback? Wouldn't this happen normally based on a routing table lookup when the destination IP is within the /26 on Lo2, as in the case of the static NAT I have set up? The static NAT is working, so I'm really just trying to figure out where to apply an inbound ACL to filter traffic destined to 5.5.6.64/26.

Here's a partial config of what I have working successfully.

interface Loopback2
 description Virtual Interface - ISP1 WAN Address block
 ip address 5.5.6.65 255.255.255.192
!
interface Multilink1
 description ISP1 Multilink connection
 ip address 5.5.5.2 255.255.255.252
 ip nat outside
 ppp multilink
 ppp multilink fragment disable
 ppp multilink group 1
!
interface GigabitEthernet0/0
 description To LAN
 ip address 10.10.10.254 255.255.255.0
 ip nat inside
!
interface serial0/0/0:0
 description To ISP2
 ip address 6.6.6.2 255.255.255.224
 ip nat outside
!
interface Serial0/0/1:0
 no ip address
 encapsulation ppp
 ppp multilink
 ppp multilink group 1
!
interface Serial0/0/2:0
 no ip address
 encapsulation ppp
 ppp multilink
 ppp multilink group 1
!
! ISP1
ip route 0.0.0.0 0.0.0.0 5.5.5.1
! ISP2
ip route 0.0.0.0 0.0.0.0 6.6.6.1 50
!
ip nat inside source route-map NAT_MAP_ISP1 interface Loopback2 overload
ip nat inside source route-map NAT_MAP_ISP2 interface s0/0/0:0 overload
ip nat inside source static 10.10.10.9 5.5.6.100 route-map NAT_MAP_ISP1
!
ip access-list extended nat_rule
 permit ip 10.10.10.0 0.0.0.255 any
!
route-map NAT_MAP_ISP1 permit 10
 match ip address nat_rule
 match interface Multilink1
!
route-map NAT_MAP_ISP2 permit 10
 match ip address nat_rule
 match interface s0/0/0:0


Reply to
response3

Reply to
Martin Gallagher

Thanks for the reply. You're saying that I should filter at the Multilink interface? Hmmm... Will I still be able to filter based on destination IPs in the Lo2 subnet?

Brian


Reply to
response3

Yep.

Reply to
Martin Gallagher

