From: Scott Morris (swm@emanon.com)
Date: Fri Jun 30 2006 - 09:46:50 ART
It has to do with the order of operations....
Check out:
http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a00804fde4d.html
<snip>
Applying Access Lists to Interfaces
For some protocols, you can apply up to two access lists to an interface:
one inbound access list and one outbound access list. With other protocols,
you apply only one access list which checks both inbound and outbound
packets.
If the access list is inbound, when the router receives a packet, the Cisco
IOS software checks the access list's criteria statements for a match. If
the packet is permitted, the software continues to process the packet. If
the packet is denied, the software discards the packet.
If the access list is outbound, after receiving and routing a packet to the
outbound interface, the software checks the access list's criteria
statements for a match. If the packet is permitted, the software transmits
the packet. If the packet is denied, the software discards the packet.
Note: Access lists that are applied to interfaces do not filter traffic that
originates from that router.
</snip>
HTH,
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE
#153, CISSP, et al.
CCSI/JNCI
IPExpert CCIE Program Manager
IPExpert Sr. Technical Instructor
smorris@ipexpert.com
http://www.ipexpert.com
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Koen Zeilstra
Sent: Friday, June 30, 2006 8:40 AM
To: ccielab@groupstudy.com
Subject: router bypasses ACL for locally sourced traffic
Hi Group,
Maybe this has been posted before, however I could not find any reference.
Perhaps other wording is used to describe this.
What is the explanation for a router bypassing ACLs applied in the
outgoing direction for locally sourced traffic?
For example:
(R1)e0/0------------e0/0(R2)
R1
int e0/0
ip access-group ACL out
!
ip access-list ext ACL
deny tcp any any eq telnet
permit ip any any
!
Telnetting from R1 to R2 works fine even with the ACL denying outgoing
packets destined for port 23.
thanks,
Koen
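The behaviour Scott quotes from the Cisco documentation and the test Koen describes, modelled as an added example (this is not code from either post or from Cisco): an outbound ACL on R1 never sees packets R1 itself originates, while an inbound ACL carrying the same entries on R2's interface does catch them. The addresses 10.0.0.1 (R1) and 10.0.0.2 (R2) and the transit host 10.0.1.5 are constructed.

```python
# Added example: a small model of how IOS evaluates interface ACLs.
# It is not IOS code; it only reproduces the documented rule that an
# outbound ACL is bypassed for traffic the router itself originates.
from dataclasses import dataclass
from typing import List, Optional

TELNET = 23
R1_IP, R2_IP = "10.0.0.1", "10.0.0.2"      # constructed addresses


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "ip"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches any protocol (any/any source and dest)
    dport: Optional[int] = None  # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        return self.dport is None or self.dport == pkt.dport


def acl_permits(acl: List[Ace], pkt: Packet) -> bool:
    """First matching entry wins; the implicit 'deny any' ends every ACL."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action == "permit"
    return False


def interface_forwards(acl: List[Ace], pkt: Packet, direction: str, router_ip: str) -> bool:
    """Apply an ACL bound with 'ip access-group ACL in|out' on a router interface.
    Outbound ACLs are skipped for packets sourced by that router itself."""
    if direction == "out" and pkt.src == router_ip:
        return True
    return acl_permits(acl, pkt)


# Koen's ACL: deny tcp any any eq telnet / permit ip any any
ACL = [Ace("deny", "tcp", TELNET), Ace("permit", "ip")]
LOCAL_TELNET = Packet("tcp", R1_IP, R2_IP, TELNET)       # R1's own telnet to R2
TRANSIT_TELNET = Packet("tcp", "10.0.1.5", R2_IP, TELNET)  # telnet routed through R1


def r1_out_local() -> bool:      # R1 e0/0, ACL out: bypassed, telnet works
    return interface_forwards(ACL, LOCAL_TELNET, "out", R1_IP)


def r1_out_transit() -> bool:    # same ACL does filter transit traffic
    return interface_forwards(ACL, TRANSIT_TELNET, "out", R1_IP)


def r2_in_local() -> bool:       # same entries applied 'in' on R2 e0/0 catch it
    return interface_forwards(ACL, LOCAL_TELNET, "in", R2_IP)
```

The last function is the practical takeaway: to stop a router's own sessions you filter inbound on the neighbour (or restrict the source router's vty/control plane), not outbound on the originating interface.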
This archive was generated by hypermail 2.1.4 : Sat Jul 01 2006 - 07:57:34 ART