I'm having a problem with an ACL that I think should work.
Got two 1721s connected to each other with serial interfaces.
Each 1721 has a loopback interface (for ping purposes / to simulate a PC on each side).
The mission is to block traffic between each router's LAN (the loopback interfaces).
This is the ACL on router1:
Standard IP access list 3
10 deny 192.168.101.1
20 permit any
That ACL is bound to my serial0:
ip address 192.168.1.1 255.255.255.0
ip access-group 3 out
I'm doing a source ping from my router1 loopback0 towards the router2 loopback0. This works... but my ACL should prevent all traffic.
What am I doing wrong?
If I use the same ACL on router2's S0 then it works... but router1's s0 ACL out command should prevent it anyhow?
Target IP address: 192.168.101.1
Repeat count :
Datagram size :
Timeout in seconds :
Extended commands [n]: y
Source address or interface: 192.168.100.1
Type of service :
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.100.1
You're not doing anything wrong. It's just that locally-generated traffic from a router is not evaluated by any ACLs on the same router; only transit traffic is evaluated. There are tricks you can play with setting a policy up to bounce locally-generated traffic against a loopback interface, but that's Stupid Router Trick stuff...
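A small model of the behaviour the answer describes, written as an added example for this thread (it is not code from the post, from Cisco IOS, or from any library): a standard ACL is evaluated first-match with an implicit deny at the end and matches on source address only; an outbound ACL is consulted for transit packets but skipped for packets the router itself originates, which is why a ping sourced from the router's own loopback is not a valid test of an outbound filter. ACL 3 and the addresses are taken from the thread; the packet cases, the `Interface` type and the decision functions are constructed for the illustration.

```python
"""Model of Cisco IOS standard ACL evaluation on an interface.

Added illustration for this thread; not code from the post, from Cisco
IOS, or from any library. ACL entries and addresses come from the
thread; the packets below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str      # "permit" or "deny"
    base: int        # network/host address as an integer
    wildcard: int    # IOS wildcard mask: 1 bits are "don't care"


def parse_standard_acl(text: str) -> list[Entry]:
    """Parse 'show access-lists' style lines such as
    '10 deny 192.168.101.1', '20 permit any', '30 deny 10.0.0.0 0.255.255.255'."""
    entries = []
    for raw in text.strip().splitlines():
        tok = raw.split()
        if not tok or not tok[0].isdigit():
            continue                      # skip the 'Standard IP access list' header
        seq, action = int(tok[0]), tok[1]
        if tok[2] == "any":
            base, wild = 0, ALL_ONES
        elif tok[2] == "host":
            base, wild = int(IPv4Address(tok[3])), 0
        else:
            base = int(IPv4Address(tok[2]))
            wild = int(IPv4Address(tok[3])) if len(tok) > 3 else 0
        entries.append(Entry(seq, action, base, wild))
    return sorted(entries, key=lambda e: e.seq)


def evaluate(acl: list[Entry], src: str) -> str:
    """First matching entry wins; no match means the implicit deny at the end.
    A standard ACL looks only at the source address."""
    s = int(IPv4Address(src))
    for e in acl:
        if (s & ~e.wildcard & ALL_ONES) == (e.base & ~e.wildcard & ALL_ONES):
            return e.action
    return "deny"


@dataclass
class Interface:
    name: str
    acl_in: Optional[list[Entry]] = None
    acl_out: Optional[list[Entry]] = None


def egress_decision(iface: Interface, src: str, locally_generated: bool) -> str:
    """Outbound ACL applies to transit packets only; packets the router itself
    originates (a source ping, routing updates, ...) skip it entirely."""
    if locally_generated or iface.acl_out is None:
        return "forwarded"
    return "forwarded" if evaluate(iface.acl_out, src) == "permit" else "dropped"


def ingress_decision(iface: Interface, src: str) -> str:
    """Inbound ACL is checked for every packet received on the interface,
    including packets addressed to the router itself."""
    if iface.acl_in is None:
        return "accepted"
    return "accepted" if evaluate(iface.acl_in, src) == "permit" else "dropped"


# ACL 3 exactly as shown in the thread, bound outbound on router1's serial0.
ACL3 = parse_standard_acl("""
Standard IP access list 3
    10 deny 192.168.101.1
    20 permit any
""")
SERIAL0 = Interface("Serial0", acl_out=ACL3)


def thread_scenarios() -> dict[str, str]:
    """Constructed packets; keys describe the case, values the router's decision."""
    return {
        # The poster's source ping: originated by router1 itself, so the
        # outbound ACL is never consulted, whatever its entries say.
        "router1 source ping, src 192.168.100.1": egress_decision(SERIAL0, "192.168.100.1", True),
        # A transit packet with the denied source is filtered.
        "transit, src 192.168.101.1": egress_decision(SERIAL0, "192.168.101.1", False),
        # The same source, if generated by the router, still bypasses the ACL.
        "locally generated, src 192.168.101.1": egress_decision(SERIAL0, "192.168.101.1", True),
        # Any other transit source hits '20 permit any'.
        "transit, src 10.9.8.7": egress_decision(SERIAL0, "10.9.8.7", False),
    }


if __name__ == "__main__":
    for case, result in thread_scenarios().items():
        print(f"{case:45} -> {result}")
```

The practical consequence for verifying a filter: send the test traffic from a host behind the router (or from the other router's loopback, so it is transit on the box under test), or apply the ACL inbound where every received packet is checked; a ping sourced from the filtering router itself will pass regardless of what the outbound ACL says.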