06-27-2019 04:46 PM
Here's the setup: R1(Gi0/0) > Management server.
Simple question. Interface Gi0/0 on R1 has IP 10.254.254.110 and the Management Server has IP address 10.254.254.253 (this is in a /24 subnet). The router can ping the management server and vice versa. So here's my question. On R1, under interface gi0/0, there is the config listed below:
(config)# interface gi0/0
(config-if)# ip access-group 101 in
(config-if)# ip access-group 99 out
! ACL 101 is extended (source and destination); ACL 99 is standard (source only)
(config)# access-list 101 permit ip 10.254.254.0 0.0.0.255 10.254.254.0 0.0.0.255
(config)# access-list 99 deny any
So my question is, the inbound ACL allows the management server to talk to the Router, but shouldn't the return traffic from the Router back to the Management server be blocked due to the 99 ACL? Or does the Router do a pseudo-stateful type thing where the follow-on traffic is allowed after it is matched by an inbound ACL? Maybe I am just overthinking this, but it would be very helpful if someone could explain. Thank you ahead of time.
06-27-2019 11:11 PM
Hello Whipash2013,
the explanation of the observed behaviour is much simpler:
in Cisco routers, outbound ACLs do not block locally originated packets (originated on the router itself).
This is the reason why your ping to the management server is successful even though ACL 99 denies all possible IP traffic.
Hope to help
Giuseppe
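A small model of how the two ACLs in the question are evaluated, written as an added example (it is not code from this thread or from Cisco IOS): it applies first-match, implicit-deny semantics with wildcard masks, and treats packets whose source is the router's own interface address as locally originated so they skip the outbound ACL, as Giuseppe describes. The router address, the ACL contents and the simplification of standard ACL 99 to a source/destination "any any" entry come from the thread; everything else is assumed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Ace:
    action: str  # "permit" or "deny"
    src: str     # "10.254.254.0 0.0.0.255" or "any"
    dst: str     # same form; a standard ACL is modelled with dst "any"


def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco wildcard-mask match: 0 bits in the mask must agree, 1 bits are ignored."""
    if spec == "any":
        return True
    base, wild = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return (a & care) == (b & care)


def acl_permits(acl, src: str, dst: str) -> bool:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for ace in acl:
        if wildcard_match(src, ace.src) and wildcard_match(dst, ace.dst):
            return ace.action == "permit"
    return False


# ACLs and addresses as posted in the thread (constructed model, not a running config).
ACL_101 = [Ace("permit", "10.254.254.0 0.0.0.255", "10.254.254.0 0.0.0.255")]
ACL_99 = [Ace("deny", "any", "any")]
ROUTER_GI00 = "10.254.254.110"
MGMT_SERVER = "10.254.254.253"


def inbound_allowed(src: str, dst: str) -> bool:
    """Packets arriving on Gi0/0 are checked against ACL 101."""
    return acl_permits(ACL_101, src, dst)


def outbound_allowed(src: str, dst: str) -> bool:
    """Packets leaving Gi0/0: locally originated ones bypass ACL 99, transit ones do not."""
    if src == ROUTER_GI00:
        return True  # router-generated traffic is not evaluated by the outbound ACL
    return acl_permits(ACL_99, src, dst)


def ping_from_server() -> tuple:
    """(echo request reaches router, echo reply leaves router) for the thread's setup."""
    return (inbound_allowed(MGMT_SERVER, ROUTER_GI00),
            outbound_allowed(ROUTER_GI00, MGMT_SERVER))
```

The same rule is worth remembering when hardening: an outbound ACL on Gi0/0 says nothing about what the router itself may send, so limiting router-originated management traffic has to be done with other controls.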
06-28-2019 06:10 AM
Perfect!!!
Thank you sir, it was driving me crazy.