From: Kevin Baumgartner (kbaumgar@xxxxxxxxx)
Date: Fri Aug 25 2000 - 18:40:14 GMT-3
If you are doing the ping on R1 to R3 the pings will still work.
This is one of the problems with the way output access-lists work
and the processing of packets out of the router.
Packets that are generated by the router will not be filtered when
sent to the output buffer.
The way you should test the ping is to try putting another router or
PC on the other side of R1. Then from there try to ping R3. This
should fail.
I typically don't use output access-list filters. So in your example,
put an input filter on R3. Or an input filter on R1 for "echo replies".
Kevin
At 05:15 PM 8/25/00 -0400, you wrote:
>Hello Group
>
>I seem to have problems getting an access-list to work.
>R1 - Ethernet - R2 -Serial -R3 -Lo0
>
>I want to prevent ping from being sent to R3.Lo0.
>
>I wrote
>Router R1
> access-list 101 deny icmp any any echo
> access-list 101 deny icmp any any echo-reply
>and
> int e0
>  ip access-group 101 out
>
>Yet my pings still seem to get through
>
>What is wrong ?
>
>BTW will the above access-list also deny all IP traffic due to the
>implicit deny or not ?
>
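
The two input filters suggested in the reply, written out as configuration. This is an added example, not part of the original thread; the address 192.0.2.3 for R3's Lo0, the interface name Serial0 on R3, and ACL number 102 are assumptions. Each list ends with an explicit permit because an extended access-list ends in an implicit deny of everything not matched.

```cisco
! --- As posted (R1): outbound filter on e0 ---------------------------
! Packets that R1 itself generates are not checked against an outbound
! ACL, so a ping typed on R1 still reaches R3. Transit traffic is
! checked, and with no permit line everything else hits the implicit deny.
!
! access-list 101 deny icmp any any echo
! access-list 101 deny icmp any any echo-reply
! interface Ethernet0
!  ip access-group 101 out

! --- Option 1 (R3): drop echo requests as they arrive ----------------
! 192.0.2.3 stands in for the Lo0 address (assumed).
! Serial0 is assumed to be R3's link toward R2.
access-list 101 deny   icmp any host 192.0.2.3 echo
access-list 101 permit ip any any
!
interface Serial0
 ip access-group 101 in

! --- Option 2 (R1): drop the echo replies coming back ----------------
! Inbound ACLs are applied to packets addressed to the router itself,
! so replies to R1's own pings are filtered here.
! ACL number 102 is an assumed, unused number.
access-list 102 deny   icmp host 192.0.2.3 any echo-reply
access-list 102 permit ip any any
!
interface Ethernet0
 ip access-group 102 in

! --- Check ------------------------------------------------------------
! show ip interface Serial0   -> lists the inbound access list in use
! show access-lists 101       -> match counter on the deny line rises
!                                with each blocked ping
```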