05-11-2006 07:16 AM - edited 03-03-2019 12:40 PM
I have a Cisco 1841 with the following configuration:
!
interface ATM0/0/0
description Collegamento ADSL BIT PLUS 1,2M/256
bandwidth 256
no ip address
load-interval 30
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/0/0.1 point-to-point
description Mpls ; td-locale ; tgu-locale ; Shasta/ERX1440 ;
mtu 1500
bandwidth 20
ip address 85.42.0.248 255.255.255.0
ip access-group ATM-FILTER out
no snmp trap link-status
pvc 8/35
ubr 240
encapsulation aal5snap
!
!
ip access-list extended ATM-FILTER
deny ip any any
!
!
The inbound ACL doesn't work. I'm still able to ping a remote IP even though I'm exiting through the WAN interface with the deny-any ACL applied to it.
In the logs below I'm pinging 10.254.4.6, which is reachable through the WAN interface ATM0/0/0.1.
sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
85.0.0.0/24 is subnetted, 1 subnets
C 85.42.0.0 is directly connected, ATM0/0/0.1
10.0.0.0/32 is subnetted, 1 subnets
C 10.39.255.252 is directly connected, Loopback0
S* 0.0.0.0/0 is directly connected, ATM0/0/0.1
ping
Protocol [ip]:
Target IP address: 10.254.4.6
Repeat count [5]: 100
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: loopback 0
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 10.254.4.6, timeout is 2 seconds:
Packet sent with a source address of 10.39.255.252
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Moreover, the ACL counters don't increase:
01MPIAT1TO10124#sh access-list
Extended IP access list ATM-FILTER
10 deny ip any any
01MPIAT1TO10124#
The same problem persists with different IOS versions (12.3(14)T7 and 12.4(7)a).
The same ACL applied inbound works fine. If I apply it, I am disconnected from the router because I opened a telnet session from the remote site.
Could someone help me?
Thanks
Stefano
05-11-2006 07:38 AM
Stefano
You are encountering a basic behavior of IOS: an outbound access list will NOT filter any traffic that is generated BY the router. The outbound access list will filter any traffic that transits the router but not any traffic generated by the router itself.
As you observe, an inbound access list will filter all traffic. But an outbound access list will only filter traffic that passes through the router. This is not particularly well documented, but it has always been true in IOS.
HTH
Rick
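The rule Rick describes is easier to reason about as a packet path. The following is an added illustration, not Cisco code and not an exact model of IOS: it only encodes the two behaviours stated in this thread (an inbound ACL is consulted for every packet arriving on the interface, an outbound ACL only for transit packets, never for packets the router itself originates). The interface name, addresses and ACL name are taken from Stefano's configuration; the LAN interface FastEthernet0/0 and the host 192.0.2.10 are constructed for the second scenario and do not appear in the posted config.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                  # "icmp", "tcp", ...
    local_origin: bool = False  # True when the router itself generated the packet


@dataclass
class AccessList:
    name: str
    # entries are (sequence, action, protocol, source, destination);
    # "ip" and "any" act as wildcards, as in an IOS extended ACL
    entries: list
    hits: dict = field(default_factory=dict)

    def evaluate(self, pkt: Packet) -> str:
        for seq, action, proto, src, dst in self.entries:
            if (proto in ("ip", pkt.proto)
                    and src in ("any", pkt.src)
                    and dst in ("any", pkt.dst)):
                # this is the "(N matches)" counter shown by "sh access-list"
                self.hits[seq] = self.hits.get(seq, 0) + 1
                return action
        return "deny"  # implicit deny at the end of every IOS ACL


@dataclass
class Interface:
    name: str
    acl_in: Optional[AccessList] = None
    acl_out: Optional[AccessList] = None


def forward(pkt: Packet, ingress: Optional[Interface], egress: Optional[Interface]) -> str:
    """Walk a packet through the modelled router.

    ingress is None for packets the router originates; egress is None for
    packets addressed to the router itself (for example a telnet session to it).
    """
    # An inbound ACL is evaluated for every packet arriving on the interface,
    # whether it transits the router or terminates on it.
    if ingress is not None and ingress.acl_in is not None:
        if ingress.acl_in.evaluate(pkt) == "deny":
            return "dropped by inbound ACL"
    if egress is None:
        return "delivered to router"
    # An outbound ACL is evaluated only for transit traffic: packets the router
    # originates skip it, so the ACL is never consulted and no counter moves.
    if egress.acl_out is not None and not pkt.local_origin:
        if egress.acl_out.evaluate(pkt) == "deny":
            return "dropped by outbound ACL"
    return "forwarded"


def atm_filter() -> AccessList:
    return AccessList("ATM-FILTER", [(10, "deny", "ip", "any", "any")])


def scenario_outbound_deny():
    """Thread as posted: ping 10.254.4.6 sourced from Loopback0, ATM-FILTER applied out."""
    acl = atm_filter()
    atm = Interface("ATM0/0/0.1", acl_out=acl)
    echo = Packet("10.39.255.252", "10.254.4.6", "icmp", local_origin=True)
    return forward(echo, None, atm), acl.hits.get(10, 0)


def scenario_outbound_deny_transit():
    """Same ACL, but the ping comes from a host behind a hypothetical LAN interface."""
    acl = atm_filter()
    atm = Interface("ATM0/0/0.1", acl_out=acl)
    lan = Interface("FastEthernet0/0")                  # constructed, not in the posted config
    echo = Packet("192.0.2.10", "10.254.4.6", "icmp")  # constructed LAN host
    return forward(echo, lan, atm), acl.hits.get(10, 0)


def scenario_inbound_deny():
    """ATM-FILTER applied in instead: the remote telnet segment never reaches the router."""
    acl = atm_filter()
    atm = Interface("ATM0/0/0.1", acl_in=acl)
    telnet = Packet("10.254.4.6", "85.42.0.248", "tcp")
    return forward(telnet, atm, None), acl.hits.get(10, 0)


if __name__ == "__main__":
    for fn in (scenario_outbound_deny, scenario_outbound_deny_transit, scenario_inbound_deny):
        print(f"{fn.__name__}: {fn()}")
```

The first scenario reproduces both observations from the original post: the router's own echo requests leave through ATM0/0/0.1 despite the deny, and the hit counter for sequence 10 stays at zero because the outbound ACL was never evaluated for them. The second scenario shows that the identical ACL does drop and count a transit packet, and the third shows why applying it inbound cut Stefano's telnet session.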