Re: router bypasses ACL for locally sourced traffic

From: CCIEin2006 (ciscocciein2006@gmail.com)
Date: Fri Jun 30 2006 - 10:22:05 ART


Isn't there also a technique to block locally sourced traffic by using a
local policy map? Maybe someone can share?

On 6/30/06, anthony.sequeira@thomson.com <anthony.sequeira@thomson.com>
wrote:
>
> This is from the 12.2 documentation on how an outbound Access List
> functions (I provided the link below)....
> "If the access list is outbound, after receiving and routing a packet to
> the outbound interface, the software checks the access list's criteria
> statements for a match. If the packet is permitted, the software
> transmits the packet. If the packet is denied, the software discards the
> packet."
>
> Please note that the packet must be received by the router and routed to
> the outbound interface. Note this never happens with locally originated
> traffic.
>
> The simplest way to control Telnet access with an access list is to use
> the access-class command in line configuration mode.
>
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/
> fsecur_c/ftrafwl/scfacls.htm
>
>
> Anthony J Sequeira
> CCIE #15626
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Koen Zeilstra
> Sent: Friday, June 30, 2006 8:40 AM
> To: ccielab@groupstudy.com
> Subject: router bypasses ACL for locally sourced traffic
>
> Hi Group,
>
> Maybe this has been posted before; however, I could not find any
> reference. Perhaps other wording is used to describe this.
>
> What is the explanation for a router bypassing ACLs applied in the
> outgoing direction for locally sourced traffic?
>
> For example:
>
>
> (R1)e0/0------------e0/0(R2)
>
>
> R1
>
> int e0/0
> ip access-group ACL out
> !
>
> ip access-list ext ACL
> deny tcp any any eq telnet
> permit ip any any
> !
>
> Telnetting from R1 to R2 works fine even with the ACL denying outgoing
> packets destined for port 23.
>
> thanks,
>
> Koen
>
> -----------------------
> You will feel hungry again in another hour.
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>


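As an added example (not from any message in the thread), here is what the local policy approach CCIEin2006 asks about looks like on R1 next to Koen's outbound ACL: Cisco IOS `ip local policy route-map` runs a route-map against packets the router itself generates, so matching telnet and setting the output to Null0 drops R1-originated telnet that the interface ACL never sees. Interface, ACL and route-map names are assumed.

```cisco
! Hypothetical R1 configuration (added example, not from the thread).
! ACL and route-map names are assumed.
!
! 1. Outbound interface ACL: evaluated only for packets that were
!    received and routed to e0/0, so R1's own telnet is never matched.
ip access-list extended ACL
 deny   tcp any any eq telnet
 permit ip any any
!
interface Ethernet0/0
 ip access-group ACL out
!
! 2. Local policy routing: consulted for router-originated packets.
!    Telnet sourced by R1 is matched and sent to Null0, i.e. dropped
!    before it reaches e0/0. Everything else falls through to normal
!    routing because no other sequence matches it.
ip access-list extended LOCAL-TELNET
 permit tcp any any eq telnet
!
route-map LOCAL-POLICY permit 10
 match ip address LOCAL-TELNET
 set interface Null0
!
ip local policy route-map LOCAL-POLICY
!
! 3. For sessions started from a vty, access-class out limits the
!    destinations a logged-in user may telnet to (standard ACL matched
!    against the destination address). It does not cover console
!    sessions or traffic generated by router processes; (2) does.
ip access-list standard VTY-OUT
 permit 10.0.0.0 0.255.255.255
!
line vty 0 4
 access-class VTY-OUT out
```

Confirm the policy is actually hit with `show route-map LOCAL-POLICY` (the policy routing match counter increments) or `debug ip policy` while repeating the telnet from R1.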

This archive was generated by hypermail 2.1.4 : Sat Jul 01 2006 - 07:57:34 ART