First of all, I'd like to thank David Bombal (configureterminal.com) for this note. I bet many people don't know it, so:
Trick question for you:
If the following access list is applied to an interface, does it deny all traffic?
Router#conf t
Router(config)#access-list 100 deny ip any any
Router(config)#interface fastethernet 0/0
Router(config-if)#ip access-group 100 out
Is all traffic now denied?
Well, let's test:
Network Diagram:
Ping and trace from a device behind the router. Here R2 is pinging and tracing to R3 via R1:
Before ACL is applied:
After ACL is applied:
Ping and trace from a device behind the router. Here R2 is pinging and tracing R3 via R1:
So both fail as expected.
But what does a ping from R1 to R3 do?
As you can see it succeeds. Why?
Because an access list denies traffic passing through a router, not traffic originated by that router.
Thus, traffic from the router is permitted.
Now you know.
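The behaviour described above, modelled as an added example (not part of the original post): a small Python evaluator that parses the post's ACL and decides the fate of a packet leaving the interface. The IP addresses used for R1, R2 and R3 and all function names are assumptions made for illustration.

```python
import ipaddress

# Constructed config: the ACL and interface binding from the post.
CONFIG = """access-list 100 deny ip any any
interface fastethernet 0/0
 ip access-group 100 out
"""

def take_addr(tok):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (network, remaining tokens)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    # Invert the wildcard mask to obtain an ordinary netmask.
    netmask = ipaddress.ip_address(int(ipaddress.ip_address(tok[1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok[0]}/{netmask}", strict=False), tok[2:]

def parse(config):
    """Return (acls, out_acl): entries per ACL number, outbound ACL per interface."""
    acls, out_acl, iface = {}, {}, None
    for tok in (line.split() for line in config.splitlines() if line.strip()):
        if tok[0] == "access-list" and tok[3] == "ip":
            src, rest = take_addr(tok[4:])
            dst, _ = take_addr(rest)
            acls.setdefault(tok[1], []).append((tok[2], src, dst))
        elif tok[0] == "interface":
            iface = " ".join(tok[1:])
        elif tok[:2] == ["ip", "access-group"] and tok[3] == "out":
            out_acl[iface] = tok[2]
    return acls, out_acl

def egress_verdict(config, iface, src, dst, from_router):
    """Return 'permit' or 'deny' for a packet about to leave `iface`."""
    acls, out_acl = parse(config)
    # The outbound ACL is evaluated for transit packets only; packets the
    # router generates itself skip the check, which is the post's point.
    # An interface with no ACL, or an undefined ACL, filters nothing.
    if from_router or iface not in out_acl or out_acl[iface] not in acls:
        return "permit"
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acls[out_acl[iface]]:
        if s in src_net and d in dst_net:
            return action  # first matching entry wins
    return "deny"  # implicit deny at the end of every ACL

if __name__ == "__main__":
    # Constructed addresses: R2 = 10.0.12.2, R1 = 10.0.13.1, R3 = 10.0.13.3
    print("R2 -> R3:", egress_verdict(CONFIG, "fastethernet 0/0", "10.0.12.2", "10.0.13.3", False))
    print("R1 -> R3:", egress_verdict(CONFIG, "fastethernet 0/0", "10.0.13.1", "10.0.13.3", True))
```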