Catalyst9300 Egress ACL

CHISHIUNG
Level 2

The following ACL is set on the L3SW management interface.
I think it is to control the outgoing communication from the L3SW, but in the case below, I think it is possible to control the return communication with access-group 100 in alone, so I think access-group 200 out is not necessary. For what purpose is ACL 200 needed in the out direction?

I would like to know the purpose of ACL 200 in the out direction.


interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 ip address 1.1.1.1 255.255.255.0
 ip access-group 100 in
 ip access-group 200 out

ip access-list extended 100
 10 permit ip 100.0.0.0 0.255.255.255 host 1.1.1.1
 20 deny ip any any
ip access-list extended 200
 10 permit ip host 1.1.1.1 100.0.0.0 0.255.255.255
 20 deny ip any any

Accepted Solution

Hello,


The intent of ACL 200 (as seen by the configuration) is to only allow traffic sourced from a single host of 1.1.1.1 going to the 100.0.0.0/8 network.

The caveat to that is that an ACL applied outbound on an interface does not apply to locally sourced traffic from the device, only to transit traffic, if I remember correctly. So if the IP address 1.1.1.1 is on the router, then it's likely not doing anything. You can append the "log" keyword to see if you're getting hits on it.

Hope this helps

-David


2 Replies

@David Ruess is correct about the ACL OUT point: it does not filter traffic originating from the interface itself, but if you use a LO as the source of the traffic (originating from the SW), the ACL out applied to the egress interface can filter that traffic.
Thanks

MHM
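To make the two replies concrete, here is a small Python model of how the ingress and egress ACLs from the post are evaluated on Gi0/0. It is an added example, not code from Cisco or from anyone in the thread. The Ace class, the evaluate, ingress_decision and egress_decision functions and the loopback address 10.255.255.1 are all constructed for illustration, and the "bypass" rule for switch-originated traffic encodes what the two replies describe, not a behaviour verified on a Catalyst 9300; confirm it on the real switch with the "log" keyword David mentions and the hit counters in show access-lists.

```python
"""Model of how the two ACLs from the post are evaluated on Gi0/0.

Added example, not Cisco code or switch output. It encodes the behaviour the
thread describes: first-match evaluation with an implicit deny, an outbound ACL
that is not consulted for traffic the switch originates from the interface's
own address (David's point), and one that IS consulted when the switch sources
the traffic from a loopback (MHM's point). 10.255.255.1 is a constructed
loopback address used only for the demonstration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    """One access-list entry: sequence number, action, source and destination."""
    seq: int
    action: str  # "permit" or "deny"
    src: str     # "A.B.C.D W.X.Y.Z" (address + wildcard), "host A.B.C.D", or "any"
    dst: str


def _match(spec: str, ip: str) -> bool:
    """Cisco wildcard-mask matching: every bit that is 0 in the wildcard must be equal."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip == spec.split()[1]
    base, wild = spec.split()
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF  # bits that must match
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def evaluate(acl: List[Ace], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Return (action, matching sequence). No match falls through to the implicit deny."""
    for ace in acl:
        if _match(ace.src, src) and _match(ace.dst, dst):
            return ace.action, ace.seq
    return "deny", None  # implicit 'deny ip any any' at the end of every IOS ACL


# The two ACLs exactly as configured in the post.
ACL_100 = [
    Ace(10, "permit", "100.0.0.0 0.255.255.255", "host 1.1.1.1"),
    Ace(20, "deny", "any", "any"),
]
ACL_200 = [
    Ace(10, "permit", "host 1.1.1.1", "100.0.0.0 0.255.255.255"),
    Ace(20, "deny", "any", "any"),
]

GI0_0_IP = "1.1.1.1"  # address of GigabitEthernet0/0 in the post


def ingress_decision(src: str, dst: str) -> str:
    """'ip access-group 100 in' on Gi0/0: every arriving packet is checked."""
    return evaluate(ACL_100, src, dst)[0]


def egress_decision(src: str, dst: str, locally_originated: bool) -> str:
    """'ip access-group 200 out' on Gi0/0.

    Assumption taken from the thread: traffic the switch itself originates from
    the interface address is not checked by the outbound ACL, reported here as
    "bypass"; anything else leaving the interface, including switch-originated
    traffic sourced from a loopback, is evaluated against ACL 200.
    """
    if locally_originated and src == GI0_0_IP:
        return "bypass"
    return evaluate(ACL_200, src, dst)[0]


if __name__ == "__main__":
    # Management session from 100.0.0.0/8 and the switch's reply to it.
    print(ingress_decision("100.2.3.4", GI0_0_IP))             # permit
    print(egress_decision(GI0_0_IP, "100.2.3.4", True))        # bypass
    # The same reply if it were transit traffic rather than switch-originated.
    print(egress_decision(GI0_0_IP, "100.2.3.4", False))       # permit
    # Switch-originated traffic sourced from a loopback (constructed address):
    # ACL 200 is consulted and denies it, because only host 1.1.1.1 is permitted.
    print(egress_decision("10.255.255.1", "100.2.3.4", True))  # deny
```

Running the block shows why the original poster sees no effect from ACL 200 on replies sourced from 1.1.1.1, and also the case the second reply warns about: if a loopback is later used as the management source, ACL 200 as written drops that traffic. The model does not count "log" hits; on the switch, that is what show access-lists reports.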
