ACL question

VONGJOYCE
Level 1

Hello,

If I apply "ip access-group 101 out" on a serial wan interface for outbound, do I still have an implicit deny at the end of my extended ACL 101?

Is there any exception for a directly connected interface to bypass the access-group filter? For example, say my ACL only has permit statements for certain protocols (ping is not in the permit list), and the access-group is applied on the outbound serial WAN interface. If I do an extended ping on the router, sourcing from my LAN interface, I thought my ping would get filtered since the ACL should have the implicit deny. But my ping actually went through, so I wonder whether the implicit deny doesn't exist OR whether there is an exception if we source from a directly connected interface?

Thanks for your help!

Accepted Solutions

Hi,

An outbound access list only filters traffic going through the router, and it does not apply to traffic originated from within the router. It doesn't matter if you source from a different interface than the one to which the ACL is applied. The 'implicit deny' rule does exist as always. You could verify the implicit deny is working by pinging through the router from a host on the LAN.

Hope that helps!

Regards,

Sundar
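
The check described in the answer above, written out as an added IOS example (not from the original posts). The interface names, the permitted ports and the 192.0.2.1 test address are assumptions chosen for illustration; only ACL 101 and `ip access-group 101 out` come from the question.

```cisco
! --- Configuration (constructed example) ---
! ACL 101 permits only web traffic; ICMP is deliberately not permitted.
access-list 101 remark Constructed example: web traffic only
access-list 101 permit tcp any any eq 80
access-list 101 permit tcp any any eq 443
! The implicit deny has no visible hit counter. Writing it out explicitly
! with "log" does not change the filtering result, but it gives the deny
! a match counter and a syslog entry that can be checked.
access-list 101 deny ip any any log
!
! Assumed WAN interface name
interface Serial0/0
 ip access-group 101 out
!
! --- Verification (exec mode) ---
! 1. Record the current match counters.
show access-lists 101
!
! 2. Transit traffic: from a host on the LAN, ping 192.0.2.1
!    (constructed address reached via Serial0/0). The ping fails, and
!    the "deny ip any any" counter increases in:
show access-lists 101
!
! 3. Router-originated traffic: an extended ping sourced from the LAN
!    interface (assumed name). The ping succeeds and the deny counter
!    does not change, because the outbound ACL is not applied to
!    packets the router itself generates.
ping 192.0.2.1 source FastEthernet0/0
show access-lists 101
```

Because router-generated packets are not checked by the outbound ACL, a successful ping from the router's own CLI says nothing about whether the ACL blocks LAN hosts; test the policy from a host behind the router.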
