ACLs wrt packets originating from router
optimus
Member Posts: 183
in CCNA & CCENT
Hi everyone!
I read that all packets originating from a router are completely immune from ACLs on that originating router. Is this really true? Can someone confirm?
- Optimus
Comments
dargueta Member Posts: 5
I would have to say that is false, but it will all depend on how your ACL is applied to your router and the source/destination of the packet.
i.e. If you have an ACL that says "access-list 100 deny icmp any any" and it's applied to your internal ethernet port, if you ping from the router to a connection outside of its serial interface, it would probably work.
Ethernet0
ip access-group 100 in
This would block icmp as it comes into the router on its ethernet interface; therefore any pings originating from the router destined to go out the serial interface would not be affected by this access-list.
Ethernet0
ip access-group 100 out
This would block icmp as it leaves out of the ethernet interface from the router. Again, this would not affect traffic sourcing from the router destined out the serial interface.
So again, the router is not 'immune' from an access list if it sources from it; it really depends on where and how you apply the access-list and test from there. Make sense? Someone correct me if I'm wrong.
darkuser Member Posts: 620
I think what you mean is the "IOS interface of the router itself", not packets traversing the router or actual production traffic.
rm -rf /
optimus Member Posts: 183
Yeah Darkuser,
It says it right in the ExamCram book, newest edition. Packets originating from the IOS do not get applied to the access lists on that said router. The ACLs only are applied for traffic coming from any other place, except the router in question with the ACLs (hence, production traffic traversing the router like you said, etc.). Surprised nobody else has stepped up to the plate on this. Sims online, questions online, Cisco Press, and Lammle, and for some reason I never noticed it before until I read the ExamCram book, and I was a bit shocked at my discovery. When you think about it, how worried really is someone about traffic that originates from the router? Normally, nobody is. It is interesting though.
One good test is to block port 23 on an outbound access list: 'access-list 100 deny tcp any any eq 23'. Then use the router to telnet to another router. I have a sim and the access list does not block the telnet. If it is from a station though, you do get blocked. So the traffic that originates from the router is not blocked.
I have a couple 2620s at home. I think it is time I tried it on them.
- Optimus
kenny504 Users Awaiting Email Confirmation Posts: 237
optimus wrote:
Yeah Darkuser,
It says it right in the ExamCram book, newest edition. Packets originating from the IOS do not get applied to the access lists on that said router. The ACLs only are applied for traffic coming from any other place, except the router in question with the ACLs (hence, production traffic traversing the router like you said, etc.). Surprised nobody else has stepped up to the plate on this. Sims online, questions online, Cisco Press, and Lammle, and for some reason I never noticed it before until I read the ExamCram book, and I was a bit shocked at my discovery. When you think about it, how worried really is someone about traffic that originates from the router? Normally, nobody is. It is interesting though.
One good test is to block port 23 on an outbound access list: 'access-list 100 deny tcp any any eq 23'. Then use the router to telnet to another router. I have a sim and the access list does not block the telnet. If it is from a station though, you do get blocked. So the traffic that originates from the router is not blocked.
I have a couple 2620s at home. I think it is time I tried it on them.
- Optimus
Wow, this is so interesting. You are making a lot of sense and if that is the case I learnt something new today. I'll be waiting on more replies to bolster this new finding of yours.
There is no better than adversity; every defeat, every loss, every heartbreak contains its seed, its own lesson on how to improve on your performance the next time.