ACL Inbound/Outbound on the Same interface

Whiplash2013
Level 1

Here's the setup:  R1(Gi0/0) > Management server.

 

Simple question. Interface Gi0/0 on R1 has IP 10.254.254.110 and the Management Server has IP address 10.254.254.253 (this is in a /24 subnet). The router can ping the management server and vice versa. So here's my question. On R1, under interface gi0/0, there is the config listed below:

(config)# interface gi0/0
(config-if)# ip access-group 101 in
(config-if)# ip access-group 99 out

! ACL 101 is a numbered extended ACL: permit any IP traffic within 10.254.254.0/24
(config)# access-list 101 permit ip 10.254.254.0 0.0.0.255 10.254.254.0 0.0.0.255
! ACL 99 is a numbered standard ACL (source address only): deny everything
(config)# access-list 99 deny any

 

 

So my question is, the inbound ACL allows the management server to talk to the Router, but shouldn't the return traffic from the Router back to the Management server be blocked due to the 99 ACL? Or does the Router do a pseudo-stateful type thing where the follow-on traffic is allowed after it is matched by an inbound ACL? Maybe I am just overthinking this, but it would be very helpful if someone could explain. Thank you ahead of time.

2 Replies

Giuseppe Larosa
Hall of Fame

Hello Whiplash2013,

the explanation of the observed behaviour is much simpler:

in Cisco routers outbound ACLs do not block locally originated packets (packets originated by the router itself).

This is the reason why your ping to the management server is successful even though ACL 99 denies all possible IP traffic.

 

Hope to help

Giuseppe
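The behaviour described in the reply, as an added worked model that is not part of the original thread or of Cisco IOS itself. It implements IOS wildcard-mask matching with the implicit deny at the end of every ACL, applies the thread's ACL 101 inbound and ACL 99 outbound on Gi0/0, and marks each packet as locally originated or transit. The `exempt_local` flag is an assumption introduced purely to contrast what the question expected (outbound ACL filtering everything) with what IOS actually does; the transit host 192.0.2.10 is a constructed address. It also goes beyond the thread by showing that the same deny-all outbound ACL does drop transit traffic, so an outbound ACL is a control on forwarded traffic only, never on what the router itself sends.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Tuple

ROUTER_IP = "10.254.254.110"   # R1 Gi0/0, from the original post
MGMT_IP = "10.254.254.253"     # management server, from the original post
TRANSIT_HOST = "192.0.2.10"    # constructed: a host behind another R1 interface


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Entry:
    action: str                       # "permit" or "deny"
    src: str
    src_wc: str
    dst: str = "0.0.0.0"              # standard ACLs match source only,
    dst_wc: str = "255.255.255.255"   # so destination is 'any' by default


def acl_permits(entries: List[Entry], src: str, dst: str) -> bool:
    """First matching entry wins; no match hits the implicit deny."""
    for e in entries:
        if wildcard_match(src, e.src, e.src_wc) and wildcard_match(dst, e.dst, e.dst_wc):
            return e.action == "permit"
    return False


# access-list 101 permit ip 10.254.254.0 0.0.0.255 10.254.254.0 0.0.0.255
ACL_101 = [Entry("permit", "10.254.254.0", "0.0.0.255", "10.254.254.0", "0.0.0.255")]
# access-list 99 deny any
ACL_99 = [Entry("deny", "0.0.0.0", "255.255.255.255")]


@dataclass
class Packet:
    src: str
    dst: str
    origin: str   # "local" = generated by R1 itself, "transit" = forwarded


def gi00_inbound(pkt: Packet) -> bool:
    """ip access-group 101 in: every packet arriving on Gi0/0 is checked."""
    return acl_permits(ACL_101, pkt.src, pkt.dst)


def gi00_outbound(pkt: Packet, exempt_local: bool = True) -> bool:
    """ip access-group 99 out.

    IOS does not run the outbound interface ACL against packets the router
    originated itself; exempt_local=False models the questioner's expectation.
    """
    if exempt_local and pkt.origin == "local":
        return True
    return acl_permits(ACL_99, pkt.src, pkt.dst)


def ping_from_server(exempt_local: bool = True) -> Tuple[bool, bool]:
    """Echo request server -> router (inbound), echo reply router -> server (outbound)."""
    request_ok = gi00_inbound(Packet(MGMT_IP, ROUTER_IP, "transit"))
    reply_ok = gi00_outbound(Packet(ROUTER_IP, MGMT_IP, "local"), exempt_local)
    return request_ok, reply_ok


def ping_from_router(exempt_local: bool = True) -> Tuple[bool, bool]:
    """Echo request router -> server (outbound), echo reply server -> router (inbound)."""
    request_ok = gi00_outbound(Packet(ROUTER_IP, MGMT_IP, "local"), exempt_local)
    reply_ok = gi00_inbound(Packet(MGMT_IP, ROUTER_IP, "transit"))
    return request_ok, reply_ok


def transit_to_mgmt(src: str) -> bool:
    """A forwarded packet leaving Gi0/0 toward the management server."""
    return gi00_outbound(Packet(src, MGMT_IP, "transit"))


if __name__ == "__main__":
    print("ping server->router (request, reply):", ping_from_server())
    print("ping router->server (request, reply):", ping_from_router())
    print("same, if IOS applied ACL 99 to local packets:", ping_from_server(exempt_local=False))
    print("transit host forwarded out Gi0/0 passes ACL 99:", transit_to_mgmt(TRANSIT_HOST))
```

Run as-is, both pings succeed only because the reply (or request) generated by R1 bypasses ACL 99; flip `exempt_local` to False and the server's ping gets its request in but no reply out, which is exactly the result the question anticipated. The transit case shows the flip side: the outbound deny-all still drops everything R1 forwards out Gi0/0, so if the goal is to restrict what the router itself sends to the management subnet, an outbound interface ACL is the wrong tool.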

 

Perfect!!!

 

Thank you sir, it was driving me crazy.
