From: CCIEin2006 (ciscocciein2006@gmail.com)
Date: Fri Jun 30 2006 - 14:20:34 ART
Good question. I was also wondering that if the filtering decision is made
after the routing decision then what difference does it make if the packet
is locally generated?
On 6/30/06, Koen Zeilstra <koen@koenzeilstra.com> wrote:
>
> This is clear. But why is this behaviour?
>
> Is it because there is no routing decision made since there is no
> incoming interface?
>
> -----------------------
> Try to get all of your posthumous medals in advance.
>
> On Fri, 30 Jun 2006, Scott Morris wrote:
>
> | It has to do with the order of operations....
> |
> | Check out:
> |
> | http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a00804fde4d.html
> |
> | <snip>
> | Applying Access Lists to Interfaces
> |
> | For some protocols, you can apply up to two access lists to an interface:
> | one inbound access list and one outbound access list. With other protocols,
> | you apply only one access list which checks both inbound and outbound
> | packets.
> |
> | If the access list is inbound, when the router receives a packet, the Cisco
> | IOS software checks the access list's criteria statements for a match. If
> | the packet is permitted, the software continues to process the packet. If
> | the packet is denied, the software discards the packet.
> |
> | If the access list is outbound, after receiving and routing a packet to the
> | outbound interface, the software checks the access list's criteria
> | statements for a match. If the packet is permitted, the software transmits
> | the packet. If the packet is denied, the software discards the packet.
> |
> | Note Access lists that are applied to interfaces do not filter traffic that
> | originates from that router.
> | </snip>
> |
> | HTH,
> |
> |
> | Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE
> | #153, CISSP, et al.
> | CCSI/JNCI
> | IPExpert CCIE Program Manager
> | IPExpert Sr. Technical Instructor
> | smorris@ipexpert.com
> | http://www.ipexpert.com
> |
> |
> |
> | -----Original Message-----
> | From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Koen
> | Zeilstra
> | Sent: Friday, June 30, 2006 8:40 AM
> | To: ccielab@groupstudy.com
> | Subject: router bypasses ACL for locally sourced traffic
> |
> | Hi Group,
> |
> | Maybe this has been posted before, however I could not find any reference.
> | Perhaps other wording is used to describe this.
> |
> | What is the explanation for a router bypassing ACLs applied in the
> | outgoing direction for locally sourced traffic?
> |
> | For example:
> |
> |
> | (R1)e0/0------------e0/0(R2)
> |
> |
> | R1
> |
> | int e0/0
> | ip access-group ACL out
> | !
> |
> | ip access-list ext ACL
> | deny tcp any any eq telnet
> | permit ip any any
> | !
> |
> | Telnetting from R1 to R2 works fine even with the ACL denying outgoing
> | packets destined for port 23.
> |
> | thanks,
> |
> | Koen
> |
> | -----------------------
> | You will feel hungry again in another hour.
> |
> | _______________________________________________________________________
> | Subscription information may be found at:
> | http://www.groupstudy.com/list/CCIELab.html
> |
> |
>
This archive was generated by hypermail 2.1.4 : Sat Jul 01 2006 - 07:57:34 ART
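A small model of the order of operations Scott describes, added as an example for this archive page (it is not Cisco code and was not posted by anyone in the thread): it parses the ACL Koen posted and walks a packet through R1's outbound-interface step, showing that the ACL is only consulted for transit packets, so R1's own telnet to R2 is transmitted while the same telnet packet forwarded through R1 would be discarded. Packet and ACL entries are simplified to protocol and destination port only; that simplification is an assumption of this example.

```python
from collections import namedtuple
from typing import List

# R1's ACL as posted in the thread; "ip" in an entry matches every protocol.
ACL_TEXT = """
ip access-list ext ACL
deny tcp any any eq telnet
permit ip any any
!
"""
PORT_NAMES = {"telnet": 23, "www": 80}             # IOS port keywords handled here

Packet = namedtuple("Packet", "proto dport")       # dport=None for non-TCP/UDP
Entry = namedtuple("Entry", "action proto dport")  # dport=None means any port

def parse_acl(text: str) -> List[Entry]:
    """Parse the '<permit|deny> <proto> any any [eq <port>]' subset used on the page."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] in ("!", "ip"):
            continue  # skip the 'ip access-list ext ACL' header and '!' lines
        action, proto, src, dst, *rest = tok
        if action not in ("permit", "deny") or (src, dst) != ("any", "any"):
            raise ValueError(f"unsupported entry: {line!r}")
        dport = None
        if rest:
            if len(rest) != 2 or rest[0] != "eq":
                raise ValueError(f"unsupported port match: {line!r}")
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        entries.append(Entry(action, proto, dport))
    return entries

def acl_permits(acl: List[Entry], pkt: Packet) -> bool:
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for e in acl:
        if e.proto in ("ip", pkt.proto) and e.dport in (None, pkt.dport):
            return e.action == "permit"
    return False

def egress(acl_out: List[Entry], pkt: Packet, locally_generated: bool) -> str:
    """Outbound-interface step on R1 e0/0, after the routing decision. Per the
    Cisco note quoted in the thread, packets the router itself originates are
    never run through the interface ACL; only transit packets are checked."""
    if locally_generated:
        return "transmit"
    return "transmit" if acl_permits(acl_out, pkt) else "discard"

if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    telnet = Packet("tcp", 23)
    print("R1 -> R2 telnet (router-originated):", egress(acl, telnet, True))  # transmit
    print("transit telnet out e0/0:", egress(acl, telnet, False))             # discard
```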