Why doesn't my very simple standard outbound ACL block the ping of the gateway?

Alexisfrjp
Level 1

Hello,

I am using a router/switch `Cisco C1111-8p with IOS XE 16.8`. I couldn't find any information regarding my problem anywhere.

 

I have 3 VLANs:

  • 1: native/management  192.168.0.0/24
  • 10: dev        192.168.10.0/24
  • 50: Guests   192.168.50.0/24

 

I'd like to block Guests/VLAN50 from communicating with anyone else but the Internet.

For that, I created a standard ACL matching the VLAN50/GUESTS subnet, and I applied this ACL outbound on the SVIs of VLAN1/native/management and VLAN10/dev.

conf t
access-list 10 deny 192.168.50.0 0.0.0.255
access-list 10 permit any
end

# VLAN 1 DEFAULT MGMT NATIVE
conf t
vlan 1
interface vlan 1
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip access-group 10 out
end

# VLAN 10 / DEV
conf t
vlan 10
name Dev
interface vlan 10
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip access-group 10 out
end

Pinging a device connected to the native VLAN1 is filtered:

$ ping 192.168.0.200
PING 192.168.0.200 (192.168.0.200) 56(84) bytes of data.
From 192.168.50.1 icmp_seq=1 Packet filtered
From 192.168.50.1 icmp_seq=2 Packet filtered
From 192.168.50.1 icmp_seq=3 Packet filtered

Nevertheless, I can still ping the VLAN1 and VLAN10 gateways `192.168.0.1` and `192.168.10.1`.

$ ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
64 bytes from 192.168.0.1: icmp_seq=1 ttl=255 time=17.9 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=255 time=30.4 ms

$ ping 192.168.10.1
PING 192.168.10.1 (192.168.10.1) 56(84) bytes of data.
64 bytes from 192.168.10.1: icmp_seq=1 ttl=255 time=2.73 ms
64 bytes from 192.168.10.1: icmp_seq=2 ttl=255 time=23.7 ms

 

Why? I've been told it is because the ACL is applied to traffic going through the interface, but not to the interface itself. I don't understand.

 

Nevertheless, I could get what I want by using a single extended ACL applied to the inbound of the VLAN50 interface.

 

What's the purpose of the standard ACL (or just outbound) if it doesn't cover all the IPs (/24) I set?

What other surprises should I expect?

1 Accepted Solution

Accepted Solutions

Giuseppe Larosa
Hall of Fame

Hello Alex,

On a router, an outbound ACL is applied only to traffic in transit; it cannot block locally generated packets (packets generated by the router itself).

 

When you ping the IP addresses of the two other SVIs, Vlan1 and Vlan10, the answer comes back without really exiting through the SVI interface.

This is the reason why you get an answer.

 

This is the only exception that applies to the outbound ACL.

No other surprises are expected.

 

Hope to help

Giuseppe

 

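The practical fix the thread converges on, written out as an added example (this is not configuration from the original post or from Cisco): an extended ACL applied inbound on the guest SVI. An inbound ACL is evaluated before the router decides whether a packet is transit or destined to itself, so it also catches pings to the other SVI addresses, which the outbound standard ACL above could never see. Assumed here, not stated in the thread: the router is also the guests' DHCP server and DNS forwarder at 192.168.50.1, and the guest SVI is `ip nat inside` like the other two; the ACL name GUEST-IN is arbitrary.

```cisco
! Added example, not from the original post. Assumptions: router is the
! guests' DHCP server and DNS forwarder at 192.168.50.1; ACL name is arbitrary.
ip access-list extended GUEST-IN
 remark --- services the guests need from their own gateway ---
 remark DHCP DISCOVER/REQUEST arrive from 0.0.0.0 to the broadcast address,
 remark renewals go unicast to the server; explicit permits are harmless
 permit udp any eq bootpc host 255.255.255.255 eq bootps
 permit udp any eq bootpc host 192.168.50.1 eq bootps
 permit udp 192.168.50.0 0.0.0.255 host 192.168.50.1 eq domain
 permit tcp 192.168.50.0 0.0.0.255 host 192.168.50.1 eq domain
 remark --- block the internal subnets, which includes the SVI addresses ---
 remark these deny lines are what the outbound standard ACL could not enforce
 remark for 192.168.0.1 and 192.168.10.1, because an inbound ACL is checked
 remark before the router consumes a packet addressed to itself
 deny   ip 192.168.50.0 0.0.0.255 192.168.0.0 0.0.0.255
 deny   ip 192.168.50.0 0.0.0.255 192.168.10.0 0.0.0.255
 remark --- everything else from the guest subnet (the Internet) is allowed ---
 permit ip 192.168.50.0 0.0.0.255 any
 remark catch spoofed sources and make the implicit deny visible in logs
 deny   ip any any log
!
interface vlan 50
 ip address 192.168.50.1 255.255.255.0
 ip nat inside
 ip access-group GUEST-IN in
```

Order matters: IOS stops at the first matching entry, so the gateway-service permits must precede the subnet denies, and the final `permit ip 192.168.50.0 0.0.0.255 any` only admits packets that carry a guest-subnet source. After applying it, `show ip access-lists GUEST-IN` shows per-line hit counters, so a guest pinging 192.168.0.1 should increment the first deny line rather than the permit; `show ip interface vlan 50` confirms the ACL is bound inbound. If the site also uses 10.0.0.0/8 or 172.16.0.0/12 internally, add matching deny lines before the final permit; the thread only mentions the three 192.168.x.0/24 VLANs, so only those are covered here.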

2 Replies


Perfect! As long as this is solved by using inbound rules, I'm fine.
Thank you for your answer Giuseppe Larosa.