ACL and denied traffic

mohammed hashim
Level 1

Hi,

R1----1gigR2gig3----R3

R2 denies outbound HTTP traffic on its interface gig3. If the traffic is received on gig1 and the CEF table puts it on gig3, will the HTTP traffic be denied on gig1 or gig3?

4 Replies

Hello,

not sure I understand what you are asking...

If you apply the access list to Gig3, that is where it will be denied.

Hi 

Please correct me if I'm wrong.

You have a destination IP that is known through R3 on R2, and an ACL is configured under the Gig3 interface to block HTTP traffic to that destination; the ACL is independent of CEF and the routing table. In a few words, you will have the destination entry in your routing table and in CEF no matter whether you are blocking the HTTP traffic under Gig3 to that destination.

Another possibility is that you are using an ACL plus a filter method on some routing protocol, but I think that is not the case.

:-)

>> Mark as helpful or answered if the reply resolved the question; this helps other community members with future queries. <<

Hi,

The packet will be denied based on your ACL direction. I assume you applied the ACL on R2 gig3 in the outbound direction. In this case, the packet will be denied on R2 gig3.

Outbound—If the access list is outbound, after the software receives and routes a packet to the outbound interface, the software checks the criteria statements of the access list for a match. If the packet is permitted, the software transmits the packet. If the packet is denied, the software discards the packet.

Inbound—If the access list is inbound, when the router receives a packet, the Cisco IOS software checks the criteria statements of the access list for a match. If the packet is permitted, the software continues to process the packet. If the packet is denied, the software discards the packet.

HTH

Regards,

VS.Suresh.

Ganesh Hariharan
VIP Alumni

Hi,

R1----1gigR2gig3----R3

R2 denies outbound HTTP traffic on its interface gig3. If the traffic is received on gig1 and the CEF table puts it on gig3, will the HTTP traffic be denied on gig1 or gig3?

Hi,

As explained by others, I am just giving a gist of the definition, with the flow, for your reference.

As per the Cisco documentation, below is the definition of ACL direction.

Mainly what happens is: with an inbound ACL, the software checks the ACL first, and based on that decision the packet gets permitted or discarded.

With an outbound ACL, the software receives the packet and routes it to the outgoing interface, then checks the ACL criteria, and based on that decision the packet gets permitted or discarded.

Just the flow, for your reference:

Inbound means the traffic coming towards the port from outside.

Outbound means the traffic going outside; it must have entered through some other port.

Internet<---[ (Gi1) Router (Gi2) ]<----Host 

If the ACL is placed on Gi2:

Inbound: Traffic coming from the Host will be filtered.

Outbound: Traffic from the Internet going towards the Host will be filtered.

Hope it helps.

-GI
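The scenario the thread discusses, written out as an added example (not configuration posted by anyone in the thread, nor taken from Cisco documentation): R2 with an extended ACL applied outbound on its interface towards R3, followed by the two show commands that confirm where the ACL sits and whether it is matching. Interface names GigabitEthernet1 and GigabitEthernet3 follow the original poster's "gig1" and "gig3"; the ACL name BLOCK-HTTP-OUT, the match counters and the syslog line are constructed for illustration.

```cisco
! --- R2: deny HTTP towards R3, pass everything else ---
! Every IOS ACL ends with an implicit "deny ip any any"; the final
! "permit ip any any" keeps all non-HTTP traffic flowing.
! "log" makes denied HTTP packets generate a syslog message, which is
! the easiest way to see the drop happening on this router.
ip access-list extended BLOCK-HTTP-OUT
 10 deny   tcp any any eq www log
 20 permit ip any any
!
! Applied OUTBOUND on the interface towards R3. A packet that arrived on
! GigabitEthernet1 is first routed (CEF lookup picks GigabitEthernet3),
! and only then is this ACL evaluated: the drop is counted against
! GigabitEthernet3, which is the answer to the original question.
interface GigabitEthernet3
 description to R3
 ip access-group BLOCK-HTTP-OUT out
!
! Alternative (not both at once): the same ACL applied INBOUND on the
! interface towards R1. Here the check happens before routing, so the
! packet never reaches the CEF lookup or GigabitEthernet3 at all.
! interface GigabitEthernet1
!  description to R1
!  ip access-group BLOCK-HTTP-OUT in
!
! --- Verification (output is constructed, not captured from a device) ---
! Where is the ACL attached, and in which direction?
! R2# show ip interface GigabitEthernet3 | include access list
!   Outgoing access list is BLOCK-HTTP-OUT
!   Inbound  access list is not set
!
! Is it matching? Counters increment on the entry that hit.
! R2# show ip access-lists BLOCK-HTTP-OUT
! Extended IP access list BLOCK-HTTP-OUT
!     10 deny tcp any any eq www log (12 matches)
!     20 permit ip any any (8431 matches)
!
! With "log" present, each denied packet also produces a syslog entry
! (rate-limited by IOS), e.g.:
! %SEC-6-IPACCESSLOGP: list BLOCK-HTTP-OUT denied tcp 192.0.2.10(51234) -> 198.51.100.20(80), 1 packet
```

The "log" keyword and the per-entry match counters are what make the behaviour observable: if the counter on entry 10 climbs while HTTP from R1 stops reaching R3, the drop is confirmed to be on GigabitEthernet3 in the outbound direction, exactly as the replies above describe.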
