.jpg "Opportunities, Appliacation, Openings"){kind=small}
.jpg "Hand Job, Blow Job, Job Search, Monster Job"){kind=small}
.jpg "pusat resume, daftar kerja, cari kerja"){kind=small}
.jpg "Project Manager, SOftware Engineer, SAP Consultant"){kind=small}
router bypasses ACL for locally sourced traffic
See this thread on reflexive ACLs:
http://www.groupstudy.com/archives/ccielab/200311/msg01170.html
HTH,
Brian McGahan, CCIE #8593 bmcgahan@internetworkexpert.com
Internetwork Expert, Inc. http://www.InternetworkExpert.com Toll Free: 877-224-8987 x 705 Outside US: 775-826-4344 x 705 24/7 Support: http://forum.internetworkexpert.com Live Chat: http://www.internetworkexpert.com/chat/
> —–Original Message—– > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of > CCIEin2006 > Sent: Friday, June 30, 2006 8:22 AM > To: anthony.sequeira@thomson.com > Cc: koen@koenzeilstra.com; ccielab@groupstudy.com > Subject: Re: router bypasses ACL for locally sourced traffic > > Isn’t there also a technique to block locally sourced traffic by using a > local policy map? Maybe someone can share? > > On 6/30/06, anthony.sequeira@thomson.com > wrote: > > > > This is from the 12.2 documentation on how an outbound Access List > > functions (I provided the link below)…. > > “If the access list is outbound, after receiving and routing a packet to > > the outbound interface, the software checks the access list’s criteria > > statements for a match. If the packet is permitted, the software > > transmits the packet. If the packet is denied, the software discards the > > packet.” > > > > Please note that the packet must be received by the router and routed to > > the outbound interface. Note this never happens with locally originated > > traffic. > > > > The simplest way to control Telnet access with an access list is to use > > the access-class command in line configuration mode. > > > > http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/ > > fsecur_c/ftrafwl/scfacls.htm > > > > > > Anthony J Sequeira > > CCIE #15626 > > —–Original Message—– > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of > > Koen Zeilstra > > Sent: Friday, June 30, 2006 8:40 AM > > To: ccielab@groupstudy.com > > Subject: router bypasses ACL for locally sourced traffic > > > > Hi Group, > > > > Maybe this has been posted before, however I could not find any > > reference. > > Perhaps other wording is used to describe this. > > > > What would is the explanation for a router bypassing ACL’s applied in > > the > > outgoing direction for locally source traffic? > > > > For example: > > > > > > (R1)e0/0————e0/0(R2) > > > > > > R1 > > > > int e0/0 > > ip access-group ACL out > > ! > > > > ip access-list ext ACL > > deny tcp any any eq telnet > > permit ip any any > > ! > > > > Telnetting from R1 to R2 works fine even with the ACL denying outgoing > > packets destined for port 23. > > > > thanks, > > > > Koen > > > > ———————– > > You will feel hungry again in another hour. > > > >
