ACLs never apply to traffic generated by the router

zillah2004
Level 1

http://www.ciscopress.com/articles/article.asp?p=174313&seqNum=4&rl=1

"Another special note on Cisco ACLs is that ACLs never apply to traffic generated by the router. So, even if you have an inbound and an outbound ACL on a router denying all traffic, the router will still be able to send any packet it wants; the return packet, however, will be blocked as usual".

Is it (the return packet, however, will be blocked as usual) the case all the time? If it is the case, could you please explain?

5 Replies

Richard Burts
Hall of Fame

While I might have phrased it slightly differently, yes it is the case all the time: a router ACL can never block packets generated by the router itself. An outbound ACL can block packets which transit through the router but can not block packets generated by the router.

The special note discusses a particular case: where there is an outbound ACL and an inbound ACL and they both deny all traffic. In this case the outbound ACL can deny transit traffic but can not deny packets generated by the router which will be transmitted. The inbound ACL will deny all traffic.

HTH

Rick


Thanks Rick. I need some clarification about the scenario below, please:

Suppose I have got R1 (one of many routers) with two interfaces, serial0/0 and e0/0. The IP address for serial0/0 is 192.168.0.1/24 and the IP address for e0/0 is 172.16.0.1/16.

R1(config)#access-list 101 deny ip any any

R1(config)#interface serial 0/0

R1(config-if)#ip access-group 101 out

R1(config-if)#exit

R1(config)#access-list 150 deny ip any any

R1(config)#interface fastethernet 0/0

R1(config-if)#ip access-group 150 in

Now we have satisfied the condition it describes: "where there is an outbound ACL and an inbound ACL and they both deny all traffic".

1- ((The inbound ACL will deny all traffic)).

This is obvious, because when any packet tries to enter router R1, the ACL checks both IP addresses, the source (any) and the destination (which can be one of the interfaces belonging to R1). Because it matches the ACL condition, it is dropped.

2- ((In this case the outbound ACL can deny transit traffic, but can not deny packets generated by the router which will be transmitted)).

The first part (In this case the outbound ACL can deny transit traffic) is fine. The second part, "but can not deny packets generated by the router which will be transmitted", is where my understanding is this: when packets are generated by router R1, these packets have a source IP address and a destination IP address.

The source and destination IP addresses still match the condition of the ACL, so why shouldn't it be denied?

The short answer is that it acts this way because that is the way that Cisco designed IOS. It gives the router a way to bypass the access list for its own traffic.

I agree that it is logical to assume that if the addresses of the packet match the statements in the access list that the packet should be dropped. But that is not the way that IOS works. I suggest that you set up a simple test. Configure your R1 as you have suggested with the outbound ACL on serial0/0. Then turn on debug ip icmp on the neighbor router on the serial interface. Then from R1 ping the serial interface of the neighbor on serial0/0. The debug on the neighbor will reveal that the ping packets are being sent from R1. Or configure some dynamic routing protocol on R1 to run on the serial interface. Then look on the neighbor router on the serial interface and see if you are receiving routing protocol packets.

HTH

Rick

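To make the asymmetry Rick describes concrete, here is an added example that is not part of the thread and not Cisco code: a small Python model of interface ACL evaluation. It parses the poster's `access-list` / `ip access-group` lines (numbered ACLs with `any`, `host` and contiguous wildcard masks only), applies the first-match-wins / implicit-deny rule, and encodes the one behaviour under discussion: packets whose source address belongs to the router itself skip the outbound ACL, while everything arriving on an interface, including replies to the router's own packets, is checked by the inbound ACL. The neighbor address 192.168.0.2 and the LAN host addresses are constructed for the demo.

```python
"""Toy model of Cisco-style interface ACLs (added example, not IOS code)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"


@dataclass
class AclEntry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _take_address(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # A Cisco wildcard mask is the bitwise inverse of a subnet mask.
    # Only contiguous wildcards are modelled here (IPv4Network rejects others).
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False), tokens[2:]


def parse_acl_line(line):
    """Parse e.g. 'access-list 101 deny ip any any' -> (101, AclEntry)."""
    t = line.split()
    number, action, proto = int(t[1]), t[2], t[3]
    src, rest = _take_address(t[4:])
    dst, _ = _take_address(rest)
    return number, AclEntry(action, proto, src, dst)


def acl_verdict(entries, packet):
    """First matching entry decides; an unmatched packet hits the implicit deny."""
    s, d = ipaddress.IPv4Address(packet.src), ipaddress.IPv4Address(packet.dst)
    for e in entries:
        if e.proto in ("ip", packet.proto) and s in e.src and d in e.dst:
            return e.action
    return "deny"


class Router:
    def __init__(self):
        self.acls = {}          # ACL number -> list of AclEntry
        self.interfaces = {}    # "serial 0/0" -> {"ip", "in", "out"}

    def configure(self, lines):
        cur = None
        for line in lines:
            t = line.split()
            if t[0] == "access-list":
                num, entry = parse_acl_line(line)
                self.acls.setdefault(num, []).append(entry)
            elif t[0] == "interface":
                cur = " ".join(t[1:])
                self.interfaces.setdefault(cur, {"ip": None, "in": None, "out": None})
            elif t[:2] == ["ip", "address"]:
                self.interfaces[cur]["ip"] = t[2]       # mask ignored in the model
            elif t[:2] == ["ip", "access-group"]:
                self.interfaces[cur][t[3]] = int(t[2])  # t[3] is "in" or "out"

    def local_addresses(self):
        return {i["ip"] for i in self.interfaces.values() if i["ip"]}

    def send(self, packet, out_if):
        """Router-originated packets (our own source address) bypass the outbound ACL."""
        if packet.src in self.local_addresses():
            return "sent"
        acl = self.interfaces[out_if]["out"]
        if acl is not None and acl_verdict(self.acls[acl], packet) == "deny":
            return "dropped"
        return "sent"

    def receive(self, packet, in_if):
        """Every arriving packet, replies to our own traffic included, meets the inbound ACL."""
        acl = self.interfaces[in_if]["in"]
        if acl is not None and acl_verdict(self.acls[acl], packet) == "deny":
            return "dropped"
        return "accepted"


def demo(inbound_acl_on_serial=False):
    """The poster's R1; optionally also apply ACL 150 inbound on serial0/0."""
    config = [
        "access-list 101 deny ip any any",
        "interface serial 0/0",
        "ip address 192.168.0.1 255.255.255.0",
        "ip access-group 101 out",
        "access-list 150 deny ip any any",
        "interface ethernet 0/0",
        "ip address 172.16.0.1 255.255.0.0",
        "ip access-group 150 in",
    ]
    if inbound_acl_on_serial:
        config += ["interface serial 0/0", "ip access-group 150 in"]
    r1 = Router()
    r1.configure(config)
    neighbor = "192.168.0.2"  # constructed: far end of the serial link
    return {
        "transit_out": r1.send(Packet("172.16.5.9", neighbor, "icmp"), "serial 0/0"),
        "router_ping": r1.send(Packet("192.168.0.1", neighbor, "icmp"), "serial 0/0"),
        "reply_serial": r1.receive(Packet(neighbor, "192.168.0.1", "icmp"), "serial 0/0"),
        "reply_ethernet": r1.receive(Packet("172.16.0.9", "172.16.0.1", "icmp"), "ethernet 0/0"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15} {result}")
```

With the poster's configuration, `demo()` drops the transit packet at the outbound ACL, lets R1's own ping leave, accepts the echo reply on serial0/0 (no inbound ACL there) and drops anything entering e0/0. Calling `demo(inbound_acl_on_serial=True)` reproduces the Cisco Press case, where the reply to the router's own ping is blocked on the way back in.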

Thanks Rick for this explanation.

Could you please tell me what the source IP address is for packets generated by a router?

((In this case the outbound ACL can deny transit traffic but can not deny packets generated by the router which will be transmitted.))

I read another article :

"Now all locally generated {routing protocol traffic, telnet, ping, etc} traffic is treated as transit traffic"

Is there any pitfall about transit traffic ?