Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

applying outbound ACL on ATM interface

I have a Cisco 1841 with the following configuration:

!

interface ATM0/0/0

description Collegamento ADSL BIT PLUS 1,2M/256

bandwidth 256

no ip address

load-interval 30

no atm ilmi-keepalive

dsl operating-mode auto

!

interface ATM0/0/0.1 point-to-point

description Mpls ; td-locale ; tgu-locale ; Shasta/ERX1440 ;

mtu 1500

bandwidth 20

ip address 85.42.0.248 255.255.255.0

ip access-group ATM-FILTER out

no snmp trap link-status

pvc 8/35

ubr 240

encapsulation aal5snap

!

!

ip access-list extended ATM-FILTER

deny ip any any

!

!

The imbound ACL doesn't work. I'm still able to ping a remote IP even if I'm exiting through the WAN interface with the deny any ACL applied on it.

In logs below I'm pinging 10.254.4.6 reachable through WAN interface ATM0/0/0.1.

sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

85.0.0.0/24 is subnetted, 1 subnets

C 85.42.0.0 is directly connected, ATM0/0/0.1

10.0.0.0/32 is subnetted, 1 subnets

C 10.39.255.252 is directly connected, Loopback0

S* 0.0.0.0/0 is directly connected, ATM0/0/0.1

ping

Protocol [ip]:

Target IP address: 10.254.4.6

Repeat count [5]: 100

Datagram size [100]:

Timeout in seconds [2]:

Extended commands [n]: y

Source address or interface: loopback 0

Type of service [0]:

Set DF bit in IP header? [no]:

Validate reply data? [no]:

Data pattern [0xABCD]:

Loose, Strict, Record, Timestamp, Verbose[none]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 100, 100-byte ICMP Echos to 10.254.4.6, timeout is 2 seconds:

Packet sent with a source address of 10.39.255.252

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Moreover ACL counters don't increase:

01MPIAT1TO10124#sh access-list

Extended IP access list ATM-FILTER

10 deny ip any any

01MPIAT1TO10124#

The same problem persists with different IOS version (12.3(14)T7 and 12.4(7)a).

The same ACL applied in inbound works fine. If I apply it I am disconneted from router because I opened a telnet session from remote site.

Could someone help me?

Thanks

Stefano

1 REPLY
Hall of Fame Super Silver

Re: applying outbound ACL on ATM interface

Stefano

You are encountering a basic behavior of IOS: an outbound access list will NOT filter any traffic that is generated BY the router. The outbound access list will filter any traffic that transits the router but not any traffic generated by the router itself.

As you observe an inbound access list will filter all traffic. But an outbound access list will only filter traffic that passes through the router. This is not particularly well documented, but it has always been true in IOS.

HTH

Rick

413
Views
0
Helpful
1
Replies