From: Koen Zeilstra (koen@koenzeilstra.com)
Date: Fri Jun 30 2006 - 10:59:19 ART
This is clear. But why is this behaviour?
Is it because there is no routing decision made since there is no
incoming interface?
-----------------------
Try to get all of your posthumous medals in advance.
On Fri, 30 Jun 2006, Scott Morris wrote:
| It has to do with the order of operations....
|
| Check out:
|
| http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a00804fde4d.html
|
| <snip>
| Applying Access Lists to Interfaces
|
| For some protocols, you can apply up to two access lists to an interface:
| one inbound access list and one outbound access list. With other protocols,
| you apply only one access list which checks both inbound and outbound
| packets.
|
| If the access list is inbound, when the router receives a packet, the Cisco
| IOS software checks the access list's criteria statements for a match. If
| the packet is permitted, the software continues to process the packet. If
| the packet is denied, the software discards the packet.
|
| If the access list is outbound, after receiving and routing a packet to the
| outbound interface, the software checks the access list's criteria
| statements for a match. If the packet is permitted, the software transmits
| the packet. If the packet is denied, the software discards the packet.
|
| Note Access lists that are applied to interfaces do not filter traffic that
| originates from that router.
| </snip>
|
| HTH,
|
|
| Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE
| #153, CISSP, et al.
| CCSI/JNCI
| IPExpert CCIE Program Manager
| IPExpert Sr. Technical Instructor
| smorris@ipexpert.com
| http://www.ipexpert.com
|
|
|
| -----Original Message-----
| From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Koen
| Zeilstra
| Sent: Friday, June 30, 2006 8:40 AM
| To: ccielab@groupstudy.com
| Subject: router bypasses ACL for locally sourced traffic
|
| Hi Group,
|
| Maybe this has been posted before, however I could not find any reference.
| Perhaps other wording is used to describe this.
|
| What is the explanation for a router bypassing ACLs applied in the
| outgoing direction for locally sourced traffic?
|
| For example:
|
|
| (R1)e0/0------------e0/0(R2)
|
|
| R1
|
| int e0/0
| ip access-group ACL out
| !
|
| ip access-list ext ACL
| deny tcp any any eq telnet
| permit ip any any
| !
|
| Telnetting from R1 to R2 works fine even with the ACL denying outgoing
| packets destined for port 23.
|
| thanks,
|
| Koen
|
| -----------------------
| You will feel hungry again in another hour.
|
| _______________________________________________________________________
| Subscription information may be found at:
| http://www.groupstudy.com/list/CCIELab.html
|
|
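The order of operations Scott quotes, played out in code. This is an added Python illustration, not code from the thread, from Cisco, or from IOS itself: the addresses are constructed, and the little ACL parser only understands the syntax used in Koen's ACL (permit/deny, ip/tcp/udp/icmp, `any` or an exact address, optional `eq <port>`). The `locally_originated` flag models the guide's note that interface ACLs do not filter traffic the router itself originates.

```python
"""Toy model of the IOS order of operations for interface ACLs (added example,
not code from the thread or from Cisco). Addresses are constructed, and the
parser understands only the syntax in Koen's ACL; real IOS ACLs do far more."""
from dataclasses import dataclass
from typing import List, Optional

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "domain": 53}  # subset of IOS keywords


@dataclass(frozen=True)
class Packet:
    proto: str                        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    locally_originated: bool = False  # True when the router itself is the source


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str                     # "any" or an exact address
    dst: str
    dport: Optional[int] = None  # from "eq <port>"

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == pkt.proto)
                and self.src in ("any", pkt.src)
                and self.dst in ("any", pkt.dst)
                and (self.dport is None or self.dport == pkt.dport))


def parse_acl(text: str) -> List[AclEntry]:
    """Parse the body of a named extended ACL into ordered entries."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!") or line.startswith("ip access-list"):
            continue
        tok = line.split()
        action, proto, src, dst = tok[:4]
        dport = None
        if len(tok) >= 6 and tok[4] == "eq":
            dport = PORT_NAMES.get(tok[5]) or int(tok[5])
        entries.append(AclEntry(action, proto, src, dst, dport))
    return entries


def acl_permits(acl: List[AclEntry], pkt: Packet) -> bool:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action == "permit"
    return False


def forward(pkt: Packet, acl_in: Optional[List[AclEntry]],
            acl_out: Optional[List[AclEntry]]) -> str:
    """Walk a packet through the order of operations quoted from the IOS
    configuration guide. None means no access-group in that direction."""
    if pkt.locally_originated:
        # No ingress interface, so no inbound ACL, and per the guide's note
        # interface ACLs do not filter traffic the router itself originates.
        return "transmitted (locally originated, interface ACLs bypassed)"
    if acl_in is not None and not acl_permits(acl_in, pkt):
        return "dropped by inbound ACL"
    # The routing lookup picks the egress interface here; only then is
    # that interface's outbound ACL consulted.
    if acl_out is not None and not acl_permits(acl_out, pkt):
        return "dropped by outbound ACL"
    return "transmitted"


# R1's ACL exactly as posted in the thread, applied outbound on e0/0.
R1_E0_0_OUT = parse_acl("""
ip access-list ext ACL
 deny tcp any any eq telnet
 permit ip any any
!
""")

# Constructed addresses: a LAN host behind R1, R1 itself, and R2.
HOST, R1, R2 = "10.0.1.10", "10.0.0.1", "10.0.0.2"


def scenarios() -> dict:
    """Transit telnet through R1 is filtered; R1's own telnet to R2 is not."""
    return {
        "transit_telnet": forward(Packet("tcp", HOST, R2, 23), None, R1_E0_0_OUT),
        "transit_http": forward(Packet("tcp", HOST, R2, 80), None, R1_E0_0_OUT),
        "local_telnet": forward(Packet("tcp", R1, R2, 23, True), None, R1_E0_0_OUT),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:15s} -> {result}")
```

The point the model makes visible is that the outbound ACL is only ever consulted after a routing decision for a received packet; a packet the router generates itself never enters that path, so `ip access-group ACL out` on e0/0 is the wrong tool if the goal is to control what R1 itself sends. The same ACL does exactly what Koen expected for traffic transiting R1.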
This archive was generated by hypermail 2.1.4 : Sat Jul 01 2006 - 07:57:34 ART