Locally generated packets are not subject to ACLs applied outbound on an interface. It has to do with the order of operations of the classifier on the interface. You'd see the same result if you said "deny ip any any" in your list.
Local policy routing won't work unless it's a much older IOS version, as local control plane traffic is not subject to local policy routing anymore.
The workaround is simply that you have to apply the ACL in on the other side.
HTH,
Brian McGahan, CCIE #8593 (R&S/SP/Security)
bmcgahan_at_INE.com
Internetwork Expert, Inc.
http://www.INE.com
On Jul 4, 2011, at 10:52 PM, "Aaron Riemer" <ariemer_at_amnet.net.au> wrote:
> Hey guys,
>
> I am playing with EIGRP and wanted to mess with some ACLs to verify my
> understanding of the query and reply process.
>
> I have an ACL below on one router where I am hoping to allow EIGRP multicast
> packets but deny any unicast.
>
> ip access-list extended block-eigrp
>  permit eigrp any host 224.0.0.10
>  deny eigrp any any
>
> interface serial0/0
>  ip access-group block-eigrp out
>
> This doesn't seem to block router EIGRP unicast packets at all. I have got
> around this by blocking at the other end in the 'in' direction but I am just
> curious as to why this isn't working.
>
> My thoughts are it has something to do with the fact that the traffic is
> originated from the router itself and as such is not subject to the rules of
> the ACL. No matches on the ACL seems to confirm this.
>
> Local policy routing?
>
> Thanks,
>
> -Aaron.
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
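The workaround Brian describes, written out as an added configuration example (this is not from the original thread); the neighbor's interface name serial0/1 is an assumption:

```ios
! Added example: the same ACL, but applied inbound on the neighbor's
! link interface instead of outbound on the router that originates the
! EIGRP packets. Inbound on the far side, the packets are transit traffic
! and are classified normally.
! Interface serial0/1 is assumed for illustration.
ip access-list extended block-eigrp
 permit eigrp any host 224.0.0.10
 deny   eigrp any any
!
interface serial0/1
 ip access-group block-eigrp in
!
! Check: the inbound ACL counters now increment, unlike the outbound
! ACL on the originating router, which showed no matches.
! show ip access-lists block-eigrp
```

Multicast hellos still pass, so the adjacency forms, while unicast EIGRP packets arriving on this interface are dropped and counted against the deny line.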
Received on Mon Jul 04 2011 - 23:41:19 ART