05-28-2020 01:39 AM
Hi CSC,
Just been labbing something up in CML (which is pretty slick!) and came across something which is actually against what I have always thought on this.
Two routers connected over a medium running simple IPSEC (VTI) VPN between them. VPN terminating on their respective "Outside" interface. I applied an ACL to the Outside Interfaces allowing only ESP, ISAKMP, ICMP between their respective addresses. Now this all worked as expected and I played about with the ACL to test my theory. The Interface ACL is being used/hit when ACL entries reference traffic destined to the Interface IP itself.
I've always believed however that a control plane ACL would need to be used when we are allowing / blocking traffic destined to the actual IP of the physical interface, or is this for specific protocols only / or for ASA?
Why is my interface ACL being processed for traffic destined to the IP of the Interface the ACL is applied to or is this correct behaviour / or because I am using virtual platform for testing?
05-28-2020 02:09 AM
Hello @GRANT3779 ,
In routers this is correct and expected behaviour, so it is not so uncommon to block a routing protocol adjacency if the appropriate statement is missing.
This is true for inbound ACLs.
Outbound ACLs on routers do not stop traffic originated on the router itself.
This is the difference.
Hope to help
Giuseppe
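A worked IOS configuration of the setup described in the question, illustrating Giuseppe's point; this is an added example written for this thread, not from the original post. The outside interface name and the addresses 198.51.100.1 (local) and 203.0.113.1 (peer) are assumed placeholders.

```cisco
! Router A: assumed local outside address 198.51.100.1, IPsec peer 203.0.113.1
ip access-list extended OUTSIDE-IN
 ! VTI IPsec peer traffic destined to this interface's own address.
 ! An inbound interface ACL IS evaluated for packets addressed to the
 ! router itself, so these entries are what keeps the tunnel up.
 permit esp host 203.0.113.1 host 198.51.100.1
 permit udp host 203.0.113.1 host 198.51.100.1 eq isakmp
 permit udp host 203.0.113.1 host 198.51.100.1 eq non500-isakmp
 permit icmp host 203.0.113.1 host 198.51.100.1
 ! A routing protocol running on this interface needs its own entry or the
 ! adjacency is blocked too, e.g. for OSPF:
 ! permit ospf any host 224.0.0.5
 ! permit ospf any host 224.0.0.6
 ! permit ospf any host 198.51.100.1
 deny ip any any log
!
interface GigabitEthernet0/1
 description Outside
 ip address 198.51.100.1 255.255.255.252
 ip access-group OUTSIDE-IN in
!
! Applying the same list with "ip access-group OUTSIDE-IN out" would only
! filter transit traffic leaving this interface; ISAKMP and ESP that the
! router itself originates are not checked by an outbound interface ACL.
```

The `deny ip any any log` entry makes anything the list does not expect visible in the log, which is the quickest way to spot a missing statement when a tunnel or adjacency will not come up.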