12-07-2020 11:33 AM
Hello,
I'm doing practice tests, and in one of them there is this thing (it does not mention how exactly the ACL looks):
(config) int gig0/0
(config-if) ip access-group 1 in
(config-if) ip access-group 1 out
(config-if) ip address 1.1.1.1 255.255.255.0
So in the answer it tells that: the router bypasses the ACL logic for its own outbound ACLs for packets created by that router. Routers do not make any kind of exception for inbound packets. With an outbound ACL enabled, a ping to 1.1.1.1 from the router itself would bypass the OUT ACL, but would not bypass the IN ACL.
I'm trying that on PT, but if my ACL looks like below, I can still ping 1.1.1.1 with both OUT & IN enabled.
(config) access-list 1 deny any
Thanks in advance!
12-07-2020 12:10 PM
Hello,
Packet Tracer does not feature 'real' routers, so a lot of things don't work as expected.
The below config:
interface GigabitEthernet0/0
ip address 1.1.1.1 255.255.255.0
ip access-group 1 in
ip access-group 1 out
!
access-list 1 deny any
blocks all traffic, on a 'real' router. You would not be able to ping 1.1.1.1.
12-07-2020 02:30 PM
True that you would not be able to ping 1.1.1.1. But would 1.1.1.1 be able to send to something else - for example 1.1.1.15? Would access-group 1 out prevent this?
No, it does not prevent 1.1.1.1 sending out a packet on this interface.
In this situation the ping from 1.1.1.1 to 1.1.1.15 would fail. But it fails because of the access-group 1 in. If there were only access-group 1 out then the ping would be successful.
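To make the rule in these two answers concrete, here is a small Python model (an added illustration, not part of the thread and not IOS code): the outbound ACL is skipped for packets the router itself generates, the inbound ACL is applied to everything that arrives, and a router-sourced ping therefore succeeds only if the echo reply passes the inbound ACL. The ACL, the 1.1.1.1 address and the 1.1.1.15 host are the thread's; the `Packet`/`Interface` classes and the function names are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

Rule = Tuple[str, str]          # ("permit" | "deny", "any" | source address)
ACL_1_DENY_ANY: List[Rule] = [("deny", "any")]   # the thread's "access-list 1 deny any"

@dataclass
class Packet:
    src: str
    dst: str
    router_originated: bool = False   # generated by the router itself (e.g. its own ping)

@dataclass
class Interface:
    address: str
    acl_in: Optional[List[Rule]] = None    # "ip access-group 1 in"
    acl_out: Optional[List[Rule]] = None   # "ip access-group 1 out"

def acl_permits(acl: Optional[List[Rule]], packet: Packet) -> bool:
    """Standard ACL: first matching source wins; implicit deny if nothing matches."""
    if acl is None:
        return True
    for action, src in acl:
        if src in ("any", packet.src):
            return action == "permit"
    return False

def send(intf: Interface, packet: Packet) -> bool:
    """Outbound check. Packets the router created skip the outbound ACL;
    transit packets forwarded through the router do not."""
    if packet.router_originated:
        return True
    return acl_permits(intf.acl_out, packet)

def receive(intf: Interface, packet: Packet) -> bool:
    """Inbound check. No exception for replies to the router's own traffic."""
    return acl_permits(intf.acl_in, packet)

def ping(intf: Interface, dst: str) -> bool:
    """Router-sourced ping: the echo request leaves unfiltered, but the echo
    reply coming back on the same interface must still pass the inbound ACL."""
    request = Packet(src=intf.address, dst=dst, router_originated=True)
    if not send(intf, request):
        return False
    reply = Packet(src=dst, dst=intf.address)
    return receive(intf, reply)
```

With `acl_in` and `acl_out` both set to `ACL_1_DENY_ANY`, `ping` returns False; with only `acl_out` set it returns True, while a transit packet from another host is still dropped by `send`.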
12-07-2020 11:38 AM
Hello,
what does access-list 1 specify?
access-list 1 deny ????
12-07-2020 11:41 AM
access-list 1 deny any
So I believe that would filter all the packets?
12-09-2020 03:22 PM
The aspect of how an access list treats traffic originated by the router itself is not clearly addressed in most documentation. So this has been an interesting discussion. I am glad that our suggestions have been helpful. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.