Monday, November 22, 2010

Does ACL "deny any" deny all?

First of all, I'd like to thank David Bombal (configureterminal.com) for this one. I bet many people don't know it, so here goes.

Trick question for you:

If the following access list is applied to an interface, does it deny all traffic:

Router#conf t
Router(config)#access-list 100 deny ip any any
Router(config)#interface fastethernet 0/0
Router(config-if)#ip access-group 100 out

Is all traffic now denied?

Well, let's test:

Network Diagram: (image not included in this copy; the topology is R2 - R1 - R3, with the ACL on R1's fastethernet 0/0, the interface traffic to R3 leaves through)

Ping and trace from a device behind the router. Here R2 is pinging and tracing to R3 via R1:

Before ACL is applied: (output image not included)

After ACL is applied: (output image not included)

So both fail as expected.

But what does a ping from R1 itself to R3 do? (output image not included)

As you can see, it succeeds. Why?


Because an outbound interface ACL is evaluated only for transit traffic, that is, packets the router forwards out of that interface. Packets the router itself originates (the ping from R1, and likewise routing protocol hellos, syslog messages and so on) are never checked against an outbound ACL. The return traffic is not checked either: R3's echo replies arrive inbound on fastethernet 0/0, and access-list 100 is applied in the out direction only.

Thus, traffic from the router is permitted. Two things worth knowing as a result. First, inbound ACLs behave differently: an ACL applied with "ip access-group ... in" is evaluated for every packet arriving on that interface, including packets addressed to the router itself, so "deny ip any any" inbound on fastethernet 0/0 would drop R3's replies and the ping from R1 would fail. Second, if the goal is to restrict what the router sends, an outbound ACL on its own interface is the wrong tool; filter on the receiving side (an inbound ACL on R3) instead.
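The following annotated lab transcript is an added example, not part of the original post, showing how to confirm this on the router using ACL match counters rather than just ping results. The addressing (10.0.13.0/24 between R1 and R3) and the match counts shown are constructed for illustration.

```cisco
! Added lab example (not from the original post). Assumed addressing:
! R1 fastethernet 0/0 = 10.0.13.1/24, R3 fastethernet 0/0 = 10.0.13.3/24.
! 'log' on the deny entry makes every hit visible in syslog as well as the counter.
R1#configure terminal
R1(config)#access-list 100 deny ip any any log
R1(config)#interface fastethernet 0/0
R1(config-if)#ip access-group 100 out
R1(config-if)#end
R1#clear access-list counters 100

! 1. Transit traffic: ping 10.0.13.3 from R2. The pings fail and the
!    counter on R1 increments (one match per echo request forwarded out fa0/0).
R1#show access-lists 100
Extended IP access list 100
    10 deny ip any any log (5 matches)

! 2. Router-originated traffic: ping from R1 itself. The pings succeed and
!    the counter stays at zero, because locally generated packets are never
!    evaluated against the outbound ACL.
R1#clear access-list counters 100
R1#ping 10.0.13.3
R1#show access-lists 100
Extended IP access list 100
    10 deny ip any any log (0 matches)

! 3. To stop what R1 sends, filter on the receiving side instead. An inbound
!    ACL is evaluated for every packet arriving on the interface, including
!    packets addressed to R3 itself, so R1's ping now fails and R3's counter moves.
R3#configure terminal
R3(config)#access-list 100 deny ip any any log
R3(config)#interface fastethernet 0/0
R3(config-if)#ip access-group 100 in
R3(config-if)#end
```

The check to take away is "show access-lists": if a ping succeeds and the deny counter has not moved, the packets never reached that ACL, which for an outbound ACL is exactly what happens to traffic the router sources.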

Now you know.
