05-20-2019 11:35 PM - edited 05-20-2019 11:39 PM
Hello,
I am using a router/switch `Cisco C1111-8p with IOS XE 16.8`. I couldn't find any information regarding my problem anywhere.
I have 3 VLANs:
I'd like to block Guests/VLAN50 to communicate with anybody else but Internet.
For that, I created a standard ACL with the subnet of the VLAN50/GUESTS. And I apply this ACL to the SVI of VLAN1/native/management and VLAN10/dev outbound.
```cisco
conf t
access-list 10 deny 192.168.50.0 0.0.0.255
access-list 10 permit any
end

! VLAN 1 DEFAULT MGMT NATIVE
conf t
vlan 1
interface vlan 1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip access-group 10 out
end

! VLAN 10 / DEV
conf t
vlan 10
 name Dev
interface vlan 10
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip access-group 10 out
end
```
Ping of a device connected to the VLAN1 native is filtered:
```console
$ ping 192.168.0.200
PING 192.168.0.200 (192.168.0.200) 56(84) bytes of data.
From 192.168.50.1 icmp_seq=1 Packet filtered
From 192.168.50.1 icmp_seq=2 Packet filtered
From 192.168.50.1 icmp_seq=3 Packet filtered
```
Nevertheless, I still can ping the VLAN1 and VLAN10 gateway `192.168.0.1` and `192.168.10.1`.
```console
$ ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
64 bytes from 192.168.0.1: icmp_seq=1 ttl=255 time=17.9 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=255 time=30.4 ms

$ ping 192.168.10.1
PING 192.168.10.1 (192.168.10.1) 56(84) bytes of data.
64 bytes from 192.168.10.1: icmp_seq=1 ttl=255 time=2.73 ms
64 bytes from 192.168.10.1: icmp_seq=2 ttl=255 time=23.7 ms
```
Why? It was explained to me that this is because the ACL rule is applied to traffic going through the interface but not to the interface itself. I don't understand.
Nevertheless, I could get what I want by using a single extended ACL applied to the inbound of the VLAN50 interface.
What's the purpose of the standard ACL (or just outbound) if it doesn't cover all the IPs (/24) I set?
What other surprises should I expect?
05-21-2019 12:32 AM
Hello Alex,
On a router, an outbound ACL is applied only to traffic in transit; it cannot block locally generated packets (packets generated by the router itself).
When you ping the IP addresses of the other two SVIs, Vlan1 and Vlan10, the answer comes back without really exiting through the SVI interface.
This is the reason why you get an answer.
This is the only exception that applies to the outbound ACL.
No other surprises are expected.
Hope to help
Giuseppe
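As an added worked example (not part of Alex's or Giuseppe's posts), here is the approach Alex mentions at the end of the question: one extended ACL applied inbound on the guest SVI. An inbound ACL is evaluated on every packet received on that interface, including packets addressed to the router's own SVI addresses, so the guest subnet loses its reach to 192.168.0.1 and 192.168.10.1 as well as to the hosts behind them. The subnets are the ones from the original post and 192.168.50.1 is taken from the "Packet filtered" replies; the ACL name GUEST-IN, and the assumption that the router itself hands out DHCP and answers DNS for guests (hence the two permits at the top), are mine.

```cisco
! Added example: extended ACL applied inbound on the guest SVI (Vlan50).
! Assumes the router is the DHCP server and DNS resolver for guests;
! drop the first two permits if another box provides those services.
ip access-list extended GUEST-IN
 remark Guests may obtain a lease from the router (assumption: router is DHCP server)
 permit udp any eq bootpc any eq bootps
 remark Guests may resolve names against their own gateway (assumption: router does DNS)
 permit udp 192.168.50.0 0.0.0.255 host 192.168.50.1 eq domain
 remark Block guests from the MGMT subnet; host 192.168.0.1 is inside 192.168.0.0/24
 deny   ip 192.168.50.0 0.0.0.255 192.168.0.0 0.0.0.255
 remark Block guests from the DEV subnet; host 192.168.10.1 is inside 192.168.10.0/24
 deny   ip 192.168.50.0 0.0.0.255 192.168.10.0 0.0.0.255
 remark Everything else (Internet via NAT) is allowed; implicit deny follows
 permit ip 192.168.50.0 0.0.0.255 any
!
interface Vlan50
 ip address 192.168.50.1 255.255.255.0
 ip nat inside
 ip access-group GUEST-IN in
```

After applying it, repeat the pings from a guest host and check the counters with `show ip access-lists GUEST-IN`; the two deny entries should be the ones accumulating matches. Two things to keep in mind: the ACL is stateless, so a management host that opens a connection to a guest will also have the guest's replies dropped by the deny lines (add a narrower `permit ... established` entry or use a stateful mechanism if that matters), and `ip nat inside` on Vlan50 only matters for the permitted Internet-bound flows; the denies are evaluated before NAT on the inbound path.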