06-27-2019 04:46 PM
Here's the setup: R1(Gi0/0) > Management server.
Simple question. Interface Gi0/0 on R1 has IP 10.254.254.110 and the Management Server has IP address 10.254.254.253 (this is in a /24 subnet). The router can ping the management server and vice versa. So here's my question. On R1, under interface gi0/0, there is the config listed below:
(config)# interface gi0/0
(config-if)# ip access-group 101 in
(config-if)# ip access-group 99 out
(config)# access-list 101 permit ip 10.254.254.0 0.0.0.255 10.254.254.0 0.0.0.255
(config)# access-list 99 deny any
So my question is, the inbound ACL allows the management server to talk to the Router, but shouldn't the return traffic from the Router back to the Management server be blocked due to the 99 ACL? Or does the Router do a pseudo-stateful type thing where the follow-on traffic is allowed after it is matched by an inbound ACL? Maybe I am just overthinking this, but it would be very helpful if someone could explain. Thank you ahead of time.
06-27-2019 11:11 PM
Hello Whipash2013,
the explanation of the observed behaviour is much simpler:
In Cisco routers, outbound ACLs do not block locally originated packets (packets originated by the router itself).
This is the reason why your ping to the management server is successful even though ACL 99 denies all possible IP traffic.
Hope to help
Giuseppe
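To make the point above concrete without a lab, here is a small model of how IOS orders the checks for one packet: inbound ACL on the ingress interface, then local delivery or routing, then the outbound ACL on the egress interface, which is skipped for packets the router generated itself. This is an added illustration written for this thread, not IOS code and not from either poster. The addresses and ACLs are the ones from the question; the 192.168.1.0/24 LAN on gi0/1 and the host 192.168.1.10 are assumed so that transit traffic can be shown next to the router's own ping.

```python
"""Model of IOS interface-ACL evaluation for the R1 / management-server thread.

Added example, not IOS code. It reproduces the documented order of operations:
inbound ACL -> local delivery or routing -> outbound ACL, and the rule that
packets the router itself originates are not checked against an outbound ACL.
The gi0/1 side (192.168.1.0/24, host 192.168.1.10) is an assumption added so
transit traffic can be compared with router-originated traffic."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(addr) & care) == (ip_int(network) & care)


@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" or "deny"
    src: str
    src_wc: str
    dst: Optional[str] = None     # None -> standard ACL (source only)
    dst_wc: Optional[str] = None

    def matches(self, src: str, dst: str) -> bool:
        if not wildcard_match(src, self.src, self.src_wc):
            return False
        if self.dst is None:
            return True
        return wildcard_match(dst, self.dst, self.dst_wc)


def acl_verdict(acl: List[Ace], src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(src, dst):
            return ace.action
    return "deny"


ANY = ("0.0.0.0", "255.255.255.255")

# ACLs exactly as in the question: 101 is extended, 99 is standard.
ACLS = {
    101: [Ace("permit", "10.254.254.0", "0.0.0.255", "10.254.254.0", "0.0.0.255")],
    99: [Ace("deny", *ANY)],
}

INTERFACES = {
    "gi0/0": {"ip": "10.254.254.110", "in": 101, "out": 99},
    "gi0/1": {"ip": "192.168.1.1", "in": None, "out": None},   # assumed LAN side
}

ROUTES = [("10.254.254.0/24", "gi0/0"), ("192.168.1.0/24", "gi0/1")]


def egress_for(dst: str) -> Optional[str]:
    for prefix, ifname in ROUTES:
        if ipaddress.IPv4Address(dst) in ipaddress.IPv4Network(prefix):
            return ifname
    return None


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ingress: Optional[str]   # None means the router generated the packet itself


def process(pkt: Packet) -> Tuple[str, str]:
    """Return (outcome, reason). Note there is no flow table anywhere: each
    packet is judged on its own, which is why nothing here is 'stateful'."""
    if pkt.ingress is not None:                       # 1. inbound ACL
        acl_id = INTERFACES[pkt.ingress]["in"]
        if acl_id is not None and acl_verdict(ACLS[acl_id], pkt.src, pkt.dst) == "deny":
            return ("dropped", f"inbound ACL {acl_id} on {pkt.ingress}")
    if any(i["ip"] == pkt.dst for i in INTERFACES.values()):   # 2. for the router?
        return ("delivered-to-router", "destination is a router address")
    out = egress_for(pkt.dst)                         # 3. routing
    if out is None:
        return ("dropped", "no route")
    if pkt.ingress is None:                           # 4. outbound ACL (skipped if local)
        return ("forwarded", f"out {out}, locally originated: outbound ACL skipped")
    acl_id = INTERFACES[out]["out"]
    if acl_id is not None and acl_verdict(ACLS[acl_id], pkt.src, pkt.dst) == "deny":
        return ("dropped", f"outbound ACL {acl_id} on {out}")
    return ("forwarded", f"out {out}")


if __name__ == "__main__":
    cases = [
        ("server -> R1 echo request", Packet("10.254.254.253", "10.254.254.110", "gi0/0")),
        ("R1 -> server echo reply  ", Packet("10.254.254.110", "10.254.254.253", None)),
        ("LAN host -> server (transit)", Packet("192.168.1.10", "10.254.254.253", "gi0/1")),
        ("server -> LAN host (transit)", Packet("10.254.254.253", "192.168.1.10", "gi0/0")),
    ]
    for label, pkt in cases:
        print(f"{label}: {process(pkt)}")
```

The two transit cases are the practical check: a host behind R1 pinging the management server is dropped by ACL 99 on the way out, and the server's traffic to that host is dropped by the implicit deny of ACL 101 on the way in, while the router's own echo reply passes because the outbound ACL is never consulted for it. On a real router the same thing shows up in `show ip access-lists 99`: its match counter should not move for R1's own pings, only for transit packets.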
06-28-2019 06:10 AM
Perfect!!!
Thank you sir, it was driving me crazy.