Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
787
Views
5
Helpful
2
Replies

ACL - Traffic directed to Outside Interface - Router

Go to solution
GRANT3779
Spotlight
Spotlight

‎05-28-2020 01:39 AM

Hi CSC,

 

Just been labbing something up in CML (which is pretty slick!) and come across something which is actually against what I have always thought on this.

Two routers connected over a medium running simple IPSEC (VTI) VPN between them. VPN terminating on their respective "Outside" interface. I applied an ACL to the Outside Interfaces allowing only ESP, ISAKMP, ICMP between their respective addresses. Now this all worked as expected and I played about with the ACL to test my theory. The Interface ACL is being  used/hit when ACL entries reference traffic destined to the Interface IP itself.

 

I've always believed however that a control plane ACL would need to be used when we are allowing / blocking traffic destined to the actual IP of the physcial interface or is this for specific protocols only / or for ASA?

 

Why is my interface ACL being processed for traffic destined to the IP of the Interface the ACL is applied to or is this correct behaviour / or because I am using virtual platform for testing?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame

‎05-28-2020 02:09 AM

Hello @GRANT3779 ,

in routers this is correct and expected behaviour so it not so uncommon to block a routing protocol adjacency if the appropriate statement is missing.

This is true for inbound ACLs.

Outbound ACLs on routers do not stop traffic originated on the router itself.

This is the difference.

 

Hope to help

Giuseppe

View solution in original post

2 Replies 2

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame

‎05-28-2020 02:09 AM

Hello @GRANT3779 ,

in routers this is correct and expected behaviour so it not so uncommon to block a routing protocol adjacency if the appropriate statement is missing.

This is true for inbound ACLs.

Outbound ACLs on routers do not stop traffic originated on the router itself.

This is the difference.

 

Hope to help

Giuseppe

Go to solution
GRANT3779
Spotlight
Spotlight
In response to Giuseppe Larosa

‎05-28-2020 02:58 AM

Thanks Guiseppe, interesting indeed.

Do we know if the same is true for ASA to block traffic destined for the Interface IP? Again, I have always thought control plane ACL but now beginning to wonder..

Cheers
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card