Standard ACL question/problem

Answered Question
Jun 9th, 2008

Hi!

I'm having a problem with an ACL that I think should work.

Got two 1721s connected to each other with serial interfaces.

Each 1721 has a loopback interface (for ping purposes / to simulate a PC on each side).

The mission is to block traffic between each router's LAN (loopback interfaces).

Router1:
Loopback0 192.168.101.1
Serial0 192.168.1.1

Router2:
Loopback0 192.168.100.1
Serial0 192.168.1.2

This is the ACL on router1:

Standard IP access list 3
10 deny 192.168.101.1
20 permit any

That ACL is bound on my serial0:

interface Serial0
 ip address 192.168.1.1 255.255.255.0
 ip access-group 3 out

I'm doing a source ping from my router1 loopback0 towards the router2 loopback0. This works... but my ACL should prevent all traffic.

What am I doing wrong?

If I use the same ACL on router2's S0 then it works... but router1 S0's ACL out command should prevent it anyhow?

router1#ping
Protocol [ip]:
Target IP address: 192.168.101.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.100.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.100.1
!!!!!

Correct Answer by svermill, Mon, 06/09/2008 - 06:22

You're not doing anything wrong. It's just that locally-generated traffic from a router is not evaluated by any ACLs on the same; only transit traffic is evaluated. There are tricks you can play with setting a policy up to bounce locally-generated traffic against a loopback interface, but that's Stupid Router Trick stuff...

http://blog.internetworkexpert.com/2008/02/13/tricks-with-local-policy-routing/
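As an added illustration of svermill's point (this is example code written for this page, not code from the thread or from Cisco IOS), the Python below models how a standard ACL is evaluated at an interface: first match on the source address using an IOS wildcard mask, an implicit deny at the end, and an outbound check that is skipped for packets the router itself originates. It uses the question's access-list 3 and addresses; the function names and the simplified forwarding model are assumptions, and the "peer_inbound" case shows the usual way to enforce such a policy (an inbound list on the receiving router), which the thread itself does not state.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address

@dataclass
class Entry:
    seq: int
    action: str    # "permit" or "deny"
    addr: int
    wildcard: int  # IOS wildcard mask: 1 bits are "don't care"

    def matches(self, src: int) -> bool:
        return (src & ~self.wildcard) == (self.addr & ~self.wildcard)

@dataclass
class StandardAcl:
    number: int
    entries: list = field(default_factory=list)

    def add(self, seq, action, addr="0.0.0.0", wildcard="0.0.0.0"):
        # "permit any" is shorthand for address 0.0.0.0 wildcard 255.255.255.255
        self.entries.append(Entry(seq, action, int(IPv4Address(addr)), int(IPv4Address(wildcard))))

    def evaluate(self, src: str) -> str:
        # First matching line wins; every ACL ends with an implicit "deny any".
        for e in self.entries:
            if e.matches(int(IPv4Address(src))):
                return e.action
        return "deny"

def egress(acl_out, src, locally_generated):
    """Outbound check (assumed model): IOS applies an outbound ACL only to
    transit packets, so router-originated packets skip it, as the answer says."""
    if locally_generated or acl_out is None:
        return "sent"
    return "sent" if acl_out.evaluate(src) == "permit" else "dropped"

def ingress(acl_in, src):
    """Inbound check: every arriving packet is evaluated, whoever originated it."""
    if acl_in is None or acl_in.evaluate(src) == "permit":
        return "accepted"
    return "dropped"

# Router1's access-list 3 from the question, bound "out" on Serial0
acl3 = StandardAcl(3)
acl3.add(10, "deny", "192.168.101.1")
acl3.add(20, "permit", "0.0.0.0", "255.255.255.255")

def demo():
    return {
        "local_ping": egress(acl3, "192.168.101.1", locally_generated=True),   # not filtered
        "transit": egress(acl3, "192.168.101.1", locally_generated=False),     # dropped
        "peer_inbound": ingress(acl3, "192.168.101.1"),  # same list applied "in" on the peer
    }
```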

