ACL - Traffic directed to Outside Interface - Router

Hi CSC,

Just been labbing something up in CML (which is pretty slick!) and came across something which is actually against what I have always thought on this.

Two routers connected over a medium running a simple IPsec (VTI) VPN between them, the VPN terminating on their respective "Outside" interfaces. I applied an ACL to the Outside interfaces allowing only ESP, ISAKMP and ICMP between their respective addresses. Now this all worked as expected, and I played about with the ACL to test my theory. The interface ACL is being used/hit when ACL entries reference traffic destined to the interface IP itself.

I've always believed, however, that a control plane ACL would need to be used when we are allowing/blocking traffic destined to the actual IP of the physical interface. Or is this for specific protocols only, or for ASA?

Why is my interface ACL being processed for traffic destined to the IP of the interface the ACL is applied to? Is this correct behaviour, or is it because I am using a virtual platform for testing?

ACCEPTED SOLUTION

Hello @GRANT3779 ,

In routers this is correct and expected behaviour, so it is not so uncommon to block a routing protocol adjacency if the appropriate statement is missing.

This is true for inbound ACLs.

Outbound ACLs on routers do not stop traffic originated on the router itself.

This is the difference.

 

Hope to help

Giuseppe
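
An added example, not the original poster's lab configuration, showing the kind of IOS config the thread describes on one of the two routers. The outside addresses (198.51.100.1 local, 198.51.100.2 peer), the interface name GigabitEthernet0/0, the tunnel addressing and the IPsec profile name VTI-PROFILE are all assumptions; the crypto keyring/proposal/profile definitions are omitted. The point it illustrates is the accepted answer's: the inbound ACL is evaluated for packets addressed to the router itself, which is why the ESP and ISAKMP lines are hit and why anything else that terminates on this interface needs its own permit.

```cisco
! Added example, not the original poster's lab config. Addresses, interface
! names and the IPsec profile name are assumptions.
! Local outside address: 198.51.100.1/30, peer outside address: 198.51.100.2
!
! Inbound ACL on the Outside interface. It is evaluated for every packet that
! arrives on the interface, including packets destined to 198.51.100.1 itself,
! so it controls the IKE/ESP session that terminates on this router.
ip access-list extended OUTSIDE-IN
 remark IPsec data plane between the two VPN peers
 permit esp host 198.51.100.2 host 198.51.100.1
 remark IKE (UDP/500) and IKE/ESP over NAT-T (UDP/4500)
 permit udp host 198.51.100.2 eq isakmp host 198.51.100.1 eq isakmp
 permit udp host 198.51.100.2 eq non500-isakmp host 198.51.100.1 eq non500-isakmp
 remark ICMP for reachability tests between the peer addresses only
 permit icmp host 198.51.100.2 host 198.51.100.1
 remark Anything else terminating on this interface (SSH, a routing protocol
 remark peering with a provider, SNMP) needs its own permit above this line,
 remark otherwise it is dropped here, exactly like a transit packet would be.
 deny ip any any log
!
interface GigabitEthernet0/0
 description Outside
 ip address 198.51.100.1 255.255.255.252
 ip access-group OUTSIDE-IN in
!
! Routing-protocol adjacencies with the remote site ride inside the VTI, so
! on the Outside interface they arrive as ESP and are already covered.
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
! An outbound ACL on the same interface would NOT catch the router's own
! IKE or ESP packets: outbound interface ACLs only filter transit traffic.
! Verify with:
!   show ip access-lists OUTSIDE-IN                         (hit count per line)
!   show ip interface GigabitEthernet0/0 | include access list
```

The `deny ip any any log` line is what makes the lab result visible: with the ESP or ISAKMP permit removed, the tunnel fails to come up and the denies are logged, even though the packets are addressed to the router rather than through it. Control-plane policing (`control-plane` / `service-policy input`) is a separate, box-wide mechanism for rate-limiting traffic punted to the CPU regardless of ingress interface; it is useful in its own right, but it is not what makes this interface ACL take effect.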

Thanks Giuseppe, interesting indeed.

Do we know if the same is true for ASA to block traffic destined for the interface IP? Again, I have always thought control plane ACL, but I'm now beginning to wonder.

Cheers