Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
310
Views
0
Helpful
3
Replies

Newbie: Outbound ACL is not enforced

it
Level 1
Level 1

‎05-15-2006 05:02 PM - edited ‎03-03-2019 12:42 PM

Hi, I have a Cisco 828 GSHDSL Router. This is not in production. At the moment i am trying to implement an Outbound ACL to interface ethernet 0. I have successfully applied an inbound access-list which i can see works correctly (also confirmed via syslog server). I want to implement an outbound ACL on the interface. here is the relevant config.

interface Ethernet0

description Connect to Internal LAN

ip address 1.1.1.1 255.255.255.0

ip access-group 101 out

!

access-list 101 deny ip any any log

However i can still reach anything and everything. ie ping telnet etc etc. Nothing shows up in the syslog server.

Please help...

Thank you

Labels:
0 Helpful
3 Replies 3

mahmoodmkl
Level 7
Level 7

‎05-15-2006 09:17 PM

HI

U have applied in the wrong direction.try applying it as an inbound list.as u r traffic is inbound to u r ethernet interface.

ip access-group 101 in

Thanks

Mahmood

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to mahmoodmkl

‎05-16-2006 08:06 AM

Mahmood

The original post says that he has implemented an inbound access list and it worked properly. He is now trying to do an outbound access list which is not doing what he expected. Telling him to apply it inbound is not a solution to his problem.

What he is experiencing is a fundamental (but frequently not so well understood) behavior of access lists: an outbound access list on an interface will not filter packets that originated in the router itself. The outbound access list will filter packets that come from outside the router and are forwarded out the interface (transit traffic through the router). But the outbound access list will not filter things (pings, telnets, etc) that are done directly on the router.

So if you want to test the outbound access list the original poster will need to connect a PC (or some kind of end station) to another interface on the router and generate traffic that the router will forward out this interface. Then he will see the access list blocking packets.

HTH

Rick

HTH

Rick
0 Helpful

mahmoodmkl
Level 7
Level 7
In response to Richard Burts

‎05-16-2006 08:54 PM

HI Rick

Thanks for u r clarification.I agree with u.I think i have not properly understood the question.

Thanks

Mahmood

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card