Re: router bypasses ACL for locally sourced traffic

From: Ivan (ivan@iip.net)
Date: Fri Jun 30 2006 - 10:55:09 ART

• Next message: Brian McGahan: "RE: Frame-Relay Static mapping couple Qs"
• Previous message: Victor Cappuccio: "RE: IP directed broadcast"
• Maybe in reply to: Koen Zeilstra: "router bypasses ACL for locally sourced traffic"
• Next in thread: Koen Zeilstra: "RE: router bypasses ACL for locally sourced traffic"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

There is ip local policy route-map command to apply policy routing to localy
generated traffic.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/hirp_r/rte_pih.htm#wp1122672

> Isn't there also a technique to block locally sourced traffic by using a
> local policy map? Maybe someone can share?
>
> On 6/30/06, anthony.sequeira@thomson.com <anthony.sequeira@thomson.com>
>
> wrote:
> > This is from the 12.2 documentation on how an outbound Access List
> > functions (I provided the link below)....
> > "If the access list is outbound, after receiving and routing a packet to
> > the outbound interface, the software checks the access list's criteria
> > statements for a match. If the packet is permitted, the software
> > transmits the packet. If the packet is denied, the software discards the
> > packet."
> >
> > Please note that the packet must be received by the router and routed to
> > the outbound interface. Note this never happens with locally originated
> > traffic.
> >
> > The simplest way to control Telnet access with an access list is to use
> > the access-class command in line configuration mode.
> >
> > http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/
> > fsecur_c/ftrafwl/scfacls.htm
> >
> >
> > Anthony J Sequeira
> > CCIE #15626
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Koen Zeilstra
> > Sent: Friday, June 30, 2006 8:40 AM
> > To: ccielab@groupstudy.com
> > Subject: router bypasses ACL for locally sourced traffic
> >
> > Hi Group,
> >
> > Maybe this has been posted before, however I could not find any
> > reference.
> > Perhaps other wording is used to describe this.
> >
> > What would is the explanation for a router bypassing ACL's applied in
> > the
> > outgoing direction for locally source traffic?
> >
> > For example:
> >
> >
> > (R1)e0/0------------e0/0(R2)
> >
> >
> > R1
> >
> > int e0/0
> > ip access-group ACL out
> > !
> >
> > ip access-list ext ACL
> > deny tcp any any eq telnet
> > permit ip any any
> > !
> >
> > Telnetting from R1 to R2 works fine even with the ACL denying outgoing
> > packets destined for port 23.
> >
> > thanks,
> >
> > Koen
> >
> > -----------------------
> > You will feel hungry again in another hour.
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

-- 
Ivan

• Next message: Brian McGahan: "RE: Frame-Relay Static mapping couple Qs"
• Previous message: Victor Cappuccio: "RE: IP directed broadcast"
• Maybe in reply to: Koen Zeilstra: "router bypasses ACL for locally sourced traffic"
• Next in thread: Koen Zeilstra: "RE: router bypasses ACL for locally sourced traffic"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Sat Jul 01 2006 - 07:57:34 ART