[c-nsp] Access-list application

Rodney Dunn rodunn at cisco.com
Tue Sep 21 14:02:39 EDT 2004


On Tue, Sep 21, 2004 at 11:15:39PM +0530, Amol Sapkal wrote:
> Quick question: Does an interface access-list apply to traffic
> generated from a router? Say a ping, if icmp is blocked, or a telnet
> to a site on port 80, if port 80 is blocked.

On egress from the router, no.

Why?  Because it's assumed that the router sending a packet
out is always a valid one.

We considered an option for them to match on the traffic
but since the below workaround does the job it never
went further.

You can force it to do so by defining a route-map, match
the traffic, configure "ip local policy <route-map>".

Rodney
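
The workaround described above, written out as an added IOS configuration sketch (not part of the original post and not Rodney's own config). The ACL numbers, the route-map name LOCAL-ORIGINATED, the interface name, and the choice of Null0 as the action for matched packets are assumptions made for illustration.

```cisco
! Constructed example: names, ACL numbers and the interface are assumptions.
!
! Outbound interface ACL: filters transit traffic, but packets the
! router itself originates are not checked against it on egress.
access-list 110 deny   icmp any any echo
access-list 110 deny   tcp any any eq www
access-list 110 permit ip any any
!
interface FastEthernet0/0
 ip access-group 110 out
!
! ACL used only as a classifier for the route-map: "permit" here means
! "select this router-originated traffic", not "allow it".
access-list 120 permit icmp any any echo
access-list 120 permit tcp any any eq www
!
! Matched packets are policy-routed to Null0 and discarded; anything
! that does not match is routed normally.
route-map LOCAL-ORIGINATED permit 10
 match ip address 120
 set interface Null0
!
! Apply the route-map to packets generated by the router itself.
ip local policy route-map LOCAL-ORIGINATED
```

`show ip local policy` displays the route-map currently applied to locally generated packets.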


> 
> Detailed: If no, why?
> 
> 
> 
> -- 
> Warm Regds,
> 
> Amol Sapkal
> 
> --------------------------------------------------------------------
> An eye for an eye makes the whole world blind 
> - Mahatma Gandhi
> --------------------------------------------------------------------