01-30-2006 07:49 AM - edited 03-03-2019 01:37 AM
http://www.ciscopress.com/articles/article.asp?p=174313&seqNum=4&rl=1
"Another special note on Cisco ACLs is that ACLs never apply to traffic generated by the router. So, even if you have an inbound and an outbound ACL on a router denying all traffic, the router will still be able to send any packet it wants; the return packet, however, will be blocked as usual".
Is it (the return packet, however, will be blocked as usual) the case all the time? If it is the case, could you please explain?
01-30-2006 08:03 AM
While I might have phrased it slightly differently, yes it is the case all the time: a router ACL can never block packets generated by the router itself. An outbound ACL can block packets which transit through the router but cannot block packets generated by the router.
The special note discusses a particular case: where there is an outbound ACL and an inbound ACL and they both deny all traffic. In this case the outbound ACL can deny transit traffic but cannot deny packets generated by the router, which will be transmitted. The inbound ACL will deny all traffic.
HTH
Rick
01-30-2006 10:31 AM
Thanks Rick. I need some clarification about the scenario below, please:
Suppose I have R1 (one of many routers) with two interfaces, serial0/0 and e0/0. The IP address for serial0/0 is 192.168.0.1/24
and the IP address for e0/0 is 172.16.0.1/16.
R1(config)#access-list 101 deny ip any any
R1(config)#interface serial 0/0
R1(config-if)#ip access-group 101 out
R1(config-if)#exit
R1(config)#access-list 150 deny ip any any
R1(config)#interface fastethernet 0/0
R1(config-if)#ip access-group 150 in
Now we have satisfied the condition which it states: "where there is an outbound ACL and an inbound ACL and they both deny all traffic".
1- ((The inbound ACL will deny all traffic)).
This is obvious, because for any packet that tries to enter the router R1, the ACL will check both IP addresses, the source (any) and the destination (which can be one of the interfaces belonging to R1). Because it matches the condition of the ACL, it will be dropped.
2- ((In this case the outbound ACL can deny transit traffic, but can not deny packets generated by the router which will be transmitted)).
The first part (In this case the outbound ACL can deny transit traffic) is fine. The second part, which is "but can not deny packets generated by the router which will be transmitted", is what I do not follow. My understanding is that when packets are generated by router R1, these packets have a source IP address and a destination IP address.
The source and destination IP addresses still match the condition of the ACL, so why shouldn't the packet be
denied?
01-30-2006 11:28 AM
The short answer is that it acts this way because that is the way that Cisco designed IOS. It gives the router a way to bypass the access list for its own traffic.
I agree that it is logical to assume that if the addresses of the packet match the statements in the access list that the packet should be dropped. But that is not the way that IOS works. I suggest that you set up a simple test. Configure your R1 as you have suggested with the outbound ACL on serial0/0. Then turn on debug ip icmp on the neighbor router on the serial interface. Then from R1 ping the serial interface of the neighbor on serial0/0. The debug on the neighbor will reveal that the ping packets are being sent from R1. Or configure some dynamic routing protocol on R1 to run on the serial interface. Then look on the neighbor router on the serial interface and see if you are receiving routing protocol packets.
HTH
Rick
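Added example, not part of this thread and not Cisco code: a small Python model of the ACL behaviour Rick describes, covering both the question about the poster's configuration (ACL 101 outbound on serial0/0, ACL 150 inbound on e0/0) and the Cisco Press case where the deny-all inbound ACL sits on the same interface as the outbound one. The neighbour address 192.168.0.2 is constructed, the model assumes a router-generated packet is sourced from the address of the interface it leaves through, and the class, function and interface names are the example's own.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed model of how IOS applies interface ACLs; it is not Cisco code.


@dataclass(frozen=True)
class Ace:
    """One access-list entry: action plus source/destination network or 'any'."""
    action: str  # "permit" or "deny"
    src: str     # CIDR prefix or "any"
    dst: str     # CIDR prefix or "any"

    def matches(self, src: str, dst: str) -> bool:
        return _in(src, self.src) and _in(dst, self.dst)


def _in(addr: str, spec: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def evaluate_acl(acl: List[Ace], src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(src, dst):
            return ace.action
    return "deny"


@dataclass
class Interface:
    name: str
    address: str                          # interface address in CIDR form
    acl_in: Optional[List[Ace]] = None    # 'ip access-group N in'
    acl_out: Optional[List[Ace]] = None   # 'ip access-group N out'


class Router:
    def __init__(self, name: str, interfaces: List[Interface]):
        self.name = name
        self.ifaces = {i.name: i for i in interfaces}

    def transit(self, src: str, dst: str, ingress: str, egress: str) -> str:
        """Forwarded packet: inbound ACL of the ingress interface, then outbound ACL of the egress."""
        i, e = self.ifaces[ingress], self.ifaces[egress]
        if i.acl_in is not None and evaluate_acl(i.acl_in, src, dst) == "deny":
            return "dropped by inbound ACL on " + ingress
        if e.acl_out is not None and evaluate_acl(e.acl_out, src, dst) == "deny":
            return "dropped by outbound ACL on " + egress
        return "forwarded out " + egress

    def originate(self, dst: str, egress: str):
        """Router-generated packet (ping, routing update): the outbound ACL is not consulted.
        Assumption of the model: the source is the egress interface's own address."""
        src = self.ifaces[egress].address.split("/")[0]
        return src, "sent out " + egress + " (outbound ACL bypassed)"

    def receive(self, src: str, dst: str, ingress: str) -> str:
        """Packet arriving on `ingress` addressed to the router: the inbound ACL applies as usual."""
        i = self.ifaces[ingress]
        if i.acl_in is not None and evaluate_acl(i.acl_in, src, dst) == "deny":
            return "dropped by inbound ACL on " + ingress
        return "delivered to " + self.name


ACL_101 = [Ace("deny", "any", "any")]
ACL_150 = [Ace("deny", "any", "any")]
NEIGHBOR = "192.168.0.2"  # constructed: the router at the far end of serial0/0


def build_r1(inbound_on_serial: bool = False) -> Router:
    """R1 from the thread. Default is the poster's config (ACL 150 inbound on e0/0);
    inbound_on_serial=True moves ACL 150 to serial0/0, the article's both-on-one-interface case."""
    serial = Interface("serial0/0", "192.168.0.1/24", acl_out=ACL_101,
                       acl_in=ACL_150 if inbound_on_serial else None)
    eth = Interface("e0/0", "172.16.0.1/16",
                    acl_in=None if inbound_on_serial else ACL_150)
    return Router("R1", [serial, eth])


def demo() -> dict:
    results = {}
    r1, r1_article = build_r1(), build_r1(inbound_on_serial=True)
    # Transit host behind e0/0 toward the serial neighbour: inbound ACL 150 on e0/0 drops it.
    results["transit_poster"] = r1.transit("172.16.5.5", NEIGHBOR, "e0/0", "serial0/0")
    # Same packet with no inbound ACL on e0/0: the outbound ACL 101 on serial0/0 drops it.
    results["transit_article"] = r1_article.transit("172.16.5.5", NEIGHBOR, "e0/0", "serial0/0")
    # R1 pings the neighbour: the packet leaves despite ACL 101 (this is what 'debug ip icmp'
    # on the neighbour would show).
    src, verdict = r1.originate(NEIGHBOR, "serial0/0")
    results["ping_out"] = verdict
    # The echo reply comes back on serial0/0; with the poster's config there is no inbound ACL there.
    results["reply_poster_config"] = r1.receive(NEIGHBOR, src, "serial0/0")
    # With the deny-all inbound ACL on serial0/0, the reply is blocked "as usual".
    results["reply_article_case"] = r1_article.receive(NEIGHBOR, src, "serial0/0")
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The model makes the asymmetry concrete: transit traffic passes through both ACL checks, a router-originated packet skips only the outbound check on its egress interface, and whether the reply is blocked depends entirely on which interface carries the inbound deny-all ACL. With the poster's placement (inbound ACL on e0/0) the reply on serial0/0 is delivered; with the article's placement it is dropped.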
01-30-2006 08:42 PM
Thanks Rick for this explanation.
Could you please tell me what the source IP address is for packets that are generated by a router?
01-31-2006 07:57 AM
((In this case the outbound ACL can deny transit traffic but can not deny packets generated by the router which will be transmitted.))
I read another article:
"Now all locally generated {routing protocol traffic, telnet, ping, etc} traffic is treated as transit traffic"
Is there any pitfall about transit traffic?