How does a router bypass ACLs for its own interfaces?

Ivan Mamka
Level 1

Hello,

 

I'm doing practice tests, and in one of them there is this thing (it does not mention how exactly the ACL looks):

 

(config) int gig0/0
(config-if) ip access-group 1 in
(config-if) ip access-group 1 out
(config-if) ip address 1.1.1.1 255.255.255.0

 

So the answer says: the router bypasses the ACL logic of its own outbound ACLs for packets created by that router. Routers do not make any kind of exception for inbound packets. If the outbound ACL is enabled, a ping to 1.1.1.1 from the router itself would bypass the OUT ACL, but would not bypass the IN ACL.

 

I'm trying that on PT, but if my ACL looks like below, I can still ping 1.1.1.1 with both OUT & IN enabled.

 

(config) access-list 1 deny any

 

Thanks in advance!

2 Accepted Solutions

Hello,

 

Packet Tracer does not feature 'real' routers, so a lot of things don't work as expected.

 

The below config:

 

interface GigabitEthernet0/0
 ip address 1.1.1.1 255.255.255.0
 ip access-group 1 in
 ip access-group 1 out
!
access-list 1 deny any

 

blocks all traffic, on a 'real' router. You would not be able to ping 1.1.1.1.


True that you would not be able to ping 1.1.1.1. But would 1.1.1.1 be able to send to something else - for example 1.1.1.15? Would access-group 1 out prevent this?

 

No it does not prevent 1.1.1.1 sending out a packet on this interface.

 

In this situation the ping from 1.1.1.1 to 1.1.1.15 would fail. But it fails because of the access-group 1 in. If there were only access-group 1 out then the ping would be successful.

HTH

Rick

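As an added illustration (not from the thread and not IOS code), here is a small Python model of the rule Rick describes: a router-originated echo request skips the outbound ACL on its egress interface, but the echo reply coming back is subject to the inbound ACL like any other packet. The ACL format, interface object and ping helper are hypothetical simplifications of a standard (source-only) ACL.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Standard ACL entries: (action, match) where match is "any" or a host address.
Acl = List[Tuple[str, str]]

@dataclass
class Packet:
    src: str
    dst: str
    router_generated: bool = False  # True for packets the router itself creates

@dataclass
class Interface:
    ip: str
    acl_in: Optional[Acl] = None    # "ip access-group N in"
    acl_out: Optional[Acl] = None   # "ip access-group N out"

def acl_permits(acl: Optional[Acl], addr: str) -> bool:
    """First matching entry wins; an applied ACL ends with an implicit deny."""
    if acl is None:
        return True  # no ACL applied in this direction
    for action, match in acl:
        if match == "any" or match == addr:
            return action == "permit"
    return False

def egress_allowed(intf: Interface, pkt: Packet) -> bool:
    # Modelled behaviour: the outbound ACL is not run on self-originated packets.
    if pkt.router_generated:
        return True
    return acl_permits(intf.acl_out, pkt.src)

def ingress_allowed(intf: Interface, pkt: Packet) -> bool:
    # No exception for inbound traffic, whoever the packet is for.
    return acl_permits(intf.acl_in, pkt.src)

def router_ping(intf: Interface, target: str) -> bool:
    """Ping from the router's own interface address to a host on that segment."""
    request = Packet(src=intf.ip, dst=target, router_generated=True)
    if not egress_allowed(intf, request):
        return False
    reply = Packet(src=target, dst=intf.ip)   # constructed echo reply
    return ingress_allowed(intf, reply)

DENY_ANY: Acl = [("deny", "any")]   # access-list 1 deny any
```

With `access-list 1` applied in both directions the ping to 1.1.1.15 fails on the reply, with only the `out` ACL applied it succeeds, and with only the `in` ACL applied it fails again.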

5 Replies

Hello,

 

what does access list 1 specify?

 

access-list 1 deny ????

access-list 1 deny any

 

So I believe that would filter all the packets?


The aspect of how an access list treats traffic originated by the router itself is not clearly addressed in most documentation. So this has been an interesting discussion. I am glad that our suggestions have been helpful. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

HTH

Rick