Beginner

ACL Inbound/Outbound on the Same interface

Here's the setup: R1 (Gi0/0) > Management server.

Simple question. Interface Gi0/0 on R1 has IP 10.254.254.110 and the Management Server has IP address 10.254.254.253 (this is in a /24 subnet). The router can ping the management server and vice versa. So here's my question. On R1, under interface gi0/0, there is the config listed below:

(config)# interface gi0/0
(config-if)# ip access-group 101 in
(config-if)# ip access-group 99 out
(config-if)# exit
! extended ACL 101: source, then destination, each with a wildcard mask
(config)# access-list 101 permit ip 10.254.254.0 0.0.0.255 10.254.254.0 0.0.0.255
! standard ACL 99: source only, so a single "any"
(config)# access-list 99 deny any

So my question is, the inbound ACL allows the management server to talk to the Router, but shouldn't the return traffic from the Router back to the Management server be blocked due to the 99 ACL? Or does the Router do a pseudo-stateful type thing where the follow-on traffic is allowed after it is matched by an inbound ACL? Maybe I am just overthinking this, but it would be very helpful if someone could explain. Thank you ahead of time.

Hall of Fame Expert

Re: ACL Inbound/Outbound on the Same interface

Hello Whipash2013,

The explanation of the observed behaviour is much simpler:

In Cisco routers, outbound ACLs do not block locally originated packets (packets originated on the router itself).

This is the reason why your ping to the management server is successful even if ACL 99 denies all possible IP traffic.

Hope to help

Giuseppe
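To make the two points in this thread concrete (ACLs are stateless and apply first-match with an implicit deny, and IOS does not run the router's own packets through an outbound ACL), here is an added Python model of the Gi0/0 configuration above. It is illustrative code written for this page, not Cisco IOS or anything from the poster; the transit host 192.0.2.10 is a constructed address used only to show what happens to traffic the router merely forwards.

```python
"""Stateless Cisco-style ACL evaluation (added illustration, not IOS code).

Models three things the thread relies on:
  * wildcard-mask matching (0 bits must match, 1 bits are don't-care),
  * first-match semantics with the implicit deny at the end of every ACL,
  * the IOS behaviour that outbound ACLs are not applied to packets the
    router itself originates.
"""
import ipaddress
from dataclasses import dataclass, field


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action, source/wildcard, optional destination/wildcard."""
    action: str            # "permit" or "deny"
    src: str               # "any" or a dotted address
    src_wild: str = "0.0.0.0"
    dst: str = "any"       # a standard ACL has no destination field; "any" models that
    dst_wild: str = "0.0.0.0"

    @staticmethod
    def _match(addr: str, base: str, wild: str) -> bool:
        if base == "any":
            return True
        mask = ~_to_int(wild) & 0xFFFFFFFF   # wildcard 1-bits are ignored
        return (_to_int(addr) & mask) == (_to_int(base) & mask)

    def matches(self, src: str, dst: str) -> bool:
        return (self._match(src, self.src, self.src_wild)
                and self._match(dst, self.dst, self.dst_wild))


def evaluate_acl(acl: list, src: str, dst: str) -> str:
    """First matching entry wins; falling off the end is the implicit deny."""
    for ace in acl:
        if ace.matches(src, dst):
            return ace.action
    return "deny"          # implicit "deny any" at the end of every IOS ACL


@dataclass
class Interface:
    ip: str
    acl_in: list = field(default_factory=list)
    acl_out: list = field(default_factory=list)


def forward(iface: Interface, src: str, dst: str, direction: str,
            locally_originated: bool = False) -> str:
    """Decide whether a packet crossing `iface` is forwarded.

    Stateless: an inbound permit creates no session entry, so the reverse
    flow is judged purely against the outbound ACL. The one exemption is
    the router's own traffic, which IOS does not pass through the outbound ACL.
    """
    if direction == "in":
        return evaluate_acl(iface.acl_in, src, dst)
    if locally_originated:
        return "permit"    # router-generated packet: outbound ACL is skipped
    return evaluate_acl(iface.acl_out, src, dst)


# Constructed configuration mirroring the thread: ACL 101 in, ACL 99 out on Gi0/0.
ACL_101 = [Ace("permit", "10.254.254.0", "0.0.0.255", "10.254.254.0", "0.0.0.255")]
ACL_99 = [Ace("deny", "any")]          # standard ACL: source only
GI0_0 = Interface(ip="10.254.254.110", acl_in=ACL_101, acl_out=ACL_99)
MGMT = "10.254.254.253"
TRANSIT_HOST = "192.0.2.10"            # constructed: a host behind some other interface


def scenarios() -> dict:
    return {
        # packet from the management server into the router, matched by ACL 101
        "mgmt_to_router_in": forward(GI0_0, MGMT, GI0_0.ip, "in"),
        # the router's own packet toward the server (echo request or reply): ACL 99 skipped
        "router_to_mgmt_out": forward(GI0_0, GI0_0.ip, MGMT, "out", locally_originated=True),
        # transit traffic leaving via Gi0/0 has no router exemption: denied by ACL 99
        "transit_out": forward(GI0_0, TRANSIT_HOST, MGMT, "out"),
        # a source outside the /24 entering Gi0/0 falls through to the implicit deny
        "outside_in": forward(GI0_0, TRANSIT_HOST, GI0_0.ip, "in"),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:20s} -> {verdict}")
```

The "transit_out" case is the one to keep in mind: the inbound permit in ACL 101 did nothing to help it, because a classic ACL keeps no state. Only the router's own traffic gets past ACL 99, which is exactly why the ping in the question works while a forwarded flow out of Gi0/0 would not.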


Beginner

Re: ACL Inbound/Outbound on the Same interface

Perfect!!!


Thank you sir, it was driving me crazy.
