08-08-2006 11:36 AM - edited 03-03-2019 01:35 PM
Hello,
If I apply "ip access-group 101 out" on a serial wan interface for outbound, do I still have an implicit deny at the end of my extended ACL 101?
Is there any exception for a directly connected interface to bypass the access-group filter? For example, my ACL only has permit statements for certain protocols (say, ping is not in the permit list), and the access-group is applied on the outbound serial WAN interface. So if I do an extended ping on the router, sourcing from my LAN interface, I thought my ping would get filtered since the ACL should have the implicit deny. But my ping actually went through, so I wonder whether the implicit deny doesn't exist, or if there is an exception when we source from a directly connected interface?
Thanks for your help!
08-08-2006 01:12 PM
Hi,
An outbound access list only filters traffic going through the router, and it does not apply to traffic originated from within the router. It doesn't matter if you source from a different interface than the one to which the ACL is applied. The 'implicit deny' rule does exist as always. You could verify the implicit deny is working by pinging through the router from a host on the LAN.
Hope that helps!
Regards,
Sundar
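A way to observe the behaviour described in the answer above, as an added example that is not part of the original posts: writing the final deny explicitly gives it a match counter, which the implicit deny does not have. The interface names, the addresses (documentation ranges) and the single permit entry are constructed assumptions; only `ip access-group 101 out` and ACL number 101 come from the thread.

```cisco
! --- Configuration (constructed example) ---------------------------------
! LAN is 192.0.2.0/24 on FastEthernet0/0, WAN peer is 198.51.100.2.
! Only web traffic is permitted; ICMP is deliberately not in the permit list.
access-list 101 permit tcp 192.0.2.0 0.0.0.255 any eq www
! Explicit copy of the implicit deny, added only so that drops are counted
! and logged. It does not change what the ACL filters.
access-list 101 deny ip any any log
!
interface Serial0/0
 ip access-group 101 out
!
! --- Verification (exec mode) --------------------------------------------
! 1. Reset the ACL counters so the test starts from zero.
clear access-list counters 101
!
! 2. Ping from the router itself, sourced from the LAN interface.
!    The packet is generated by the router, so the outbound ACL on
!    Serial0/0 is not consulted and the ping succeeds.
ping 198.51.100.2 source FastEthernet0/0
!
! 3. Check the counters: the "deny ip any any" entry shows no matches
!    from step 2.
show access-lists 101
!
! 4. Now ping 198.51.100.2 from a host on the LAN (for example 192.0.2.10).
!    That packet transits the router, hits the deny entry and is dropped.
!
! 5. Check the counters again: the deny entry now shows matches, which is
!    the traffic the implicit deny would have dropped silently.
show access-lists 101
```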