From: Brian McGahan (bmcgahan@internetworkexpert.com)
Date: Fri Jun 30 2006 - 11:03:30 ART
See this thread on reflexive ACLs:
http://www.groupstudy.com/archives/ccielab/200311/msg01170.html
HTH,
Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705
24/7 Support: http://forum.internetworkexpert.com
Live Chat: http://www.internetworkexpert.com/chat/
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> CCIEin2006
> Sent: Friday, June 30, 2006 8:22 AM
> To: anthony.sequeira@thomson.com
> Cc: koen@koenzeilstra.com; ccielab@groupstudy.com
> Subject: Re: router bypasses ACL for locally sourced traffic
>
> Isn't there also a technique to block locally sourced traffic by using a
> local policy map? Maybe someone can share?
>
> On 6/30/06, anthony.sequeira@thomson.com <anthony.sequeira@thomson.com>
> wrote:
> >
> > This is from the 12.2 documentation on how an outbound Access List
> > functions (I provided the link below)....
> > "If the access list is outbound, after receiving and routing a packet to
> > the outbound interface, the software checks the access list's criteria
> > statements for a match. If the packet is permitted, the software
> > transmits the packet. If the packet is denied, the software discards the
> > packet."
> >
> > Please note that the packet must be received by the router and routed to
> > the outbound interface. Note this never happens with locally originated
> > traffic.
> >
> > The simplest way to control Telnet access with an access list is to use
> > the access-class command in line configuration mode.
> >
> >
> > http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfacls.htm
> >
> >
> > Anthony J Sequeira
> > CCIE #15626
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Koen Zeilstra
> > Sent: Friday, June 30, 2006 8:40 AM
> > To: ccielab@groupstudy.com
> > Subject: router bypasses ACL for locally sourced traffic
> >
> > Hi Group,
> >
> > Maybe this has been posted before, however I could not find any
> > reference.
> > Perhaps other wording is used to describe this.
> >
> > What is the explanation for a router bypassing ACLs applied in the
> > outgoing direction for locally sourced traffic?
> >
> > For example:
> >
> >
> > (R1)e0/0------------e0/0(R2)
> >
> >
> > R1
> >
> > int e0/0
> > ip access-group ACL out
> > !
> >
> > ip access-list ext ACL
> > deny tcp any any eq telnet
> > permit ip any any
> > !
> >
> > Telnetting from R1 to R2 works fine even with the ACL denying outgoing
> > packets destined for port 23.
> >
> > thanks,
> >
> > Koen
> >
> > -----------------------
> > You will feel hungry again in another hour.
> >
> >
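The local-policy technique CCIEin2006 asks about above, written out as an added example; it is not configuration posted by anyone in this thread. It is meant for R1 in Koen's diagram, and the ACL and route-map names are made up for the example. Three points it relies on: an ip local policy route-map is applied globally and is evaluated for packets the router itself originates (the traffic that, as Anthony's quote from the 12.2 documentation explains, never passes through an interface-level "ip access-group ... out"); an ACL referenced by a route-map "match ip address" clause is a match list, so its permit entries select the traffic the route-map acts on and anything not matched is routed normally; and "set interface Null0" discards whatever matched.

```cisco
! R1 - added example, not from the thread. Names are illustrative.
!
! Match list: which locally generated packets the policy should act on.
! Inside a route-map, "permit" in the ACL means "match"; packets that do
! not match fall through to normal routing. Keep this narrow, because the
! local policy also sees the router's own routing-protocol, NTP and syslog
! packets, and matching them would black-hole R1's adjacencies.
ip access-list extended LOCAL_TELNET
 permit tcp any any eq telnet
!
! Drop matched packets by policy-routing them to Null0.
route-map BLOCK_LOCAL_TELNET permit 10
 match ip address LOCAL_TELNET
 set interface Null0
!
! Global, not per interface: locally originated packets are checked here,
! which is the step the outbound "ip access-group ACL out" never performs
! for router-sourced traffic.
ip local policy route-map BLOCK_LOCAL_TELNET
```

With this applied, "telnet <R2 address>" from R1's exec should fail, while telnet from a host behind R1 is unaffected by the local policy (it is still subject to the interface ACL). To check that the policy is doing the work, "show route-map BLOCK_LOCAL_TELNET" shows the "Policy routing matches" counter increasing with each dropped packet, and "debug ip policy" reports the match; if the counter stays at zero, the traffic did not match LOCAL_TELNET. Unlike the outbound ACL, this policy inspects every packet R1 sources, so a "permit ip any any" in the match list would stop R1's routing protocols as well as its Telnet sessions.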
This archive was generated by hypermail 2.1.4 : Sat Jul 01 2006 - 07:57:34 ART