CCIE - Internetwork Expert's Online Community

Hello,

The solution filters non MPLS traffic, which means it does not filter any VPN traffic.

As the solution to the internet access is to use internet VRF, the traffic to the internet is a VPN traffic, which will not be filterred.

Dan

you might be right ... – interesting

Correct - ACL as spesified in solutions will not block traffic as it is labeled.

(did a test, removed neighbour x.x.x.x send-label on R2 and R3 - this made the ACL denying specified sources) 

R2:
interface Serial1/1:0
 ip address 192.168.1.2 255.255.255.248
 ip access-group BOGON in

Standard IP access list BOGON (Compiled)
    20 deny   0.0.0.0 log
    10 permit 192.168.1.0, wildcard bits 0.0.0.3 log (42 matches)
    30 deny   10.0.0.0, wildcard bits 0.255.255.255 log
    40 deny   127.0.0.0, wildcard bits 0.255.255.255 log
    50 deny   169.254.0.0, wildcard bits 0.0.255.255 log
    60 deny   172.16.0.0, wildcard bits 0.3.255.255 log
    70 deny   192.168.0.0, wildcard bits 0.0.255.255 log
    80 deny   224.0.0.0, wildcard bits 15.255.255.255 log
    90 deny   240.0.0.0, wildcard bits 15.255.255.255 log
    100 permit any (82 matches)

R1: test traffic from 192.168.40.40:

SPRack1R1#traceroute
Protocol :
Target IP address: 34.1.4.4
Source address: 192.168.40.40

  1 13.1.13.3 [MPLS: Label 26 Exp 0] 216 msec 60 msec 236 msec
  2 192.168.1.2 [MPLS: Label 18 Exp 0] 92 msec 212 msec 212 msec
  3 34.1.24.4 24 msec *  248 msec