technically, the access-list applies only to packets that have passed through the routing process. this all gets down to understanding the difference between the routing / forwarding process versus the router architecture process and how packets get from here to there.

let's hope I word this correctly, because it is a bit complex, and subject to misunderstanding.

1) case for inbound - a router receives a packet on an interface, checks the headers against any inbound access-list on that interface, accepts or denies the packet based on that list, then places the packet into the forwarding process

2) case for outbound - forwarding process determines the outbound interface, checks for the existence of an access-list outbound on that interface, processes the packet headers against that list, and if it passes, places the packet into the interface buffer for forwarding.

3) locally originated packet (router doing something, for example ping, or routing protocol update) router creates the packet, places it directly into the interface buffer for processing.

local ping has a function which allows one to create a packet, and send that packet through the forwarding processes, which in turn forces that packet to follow one of the rules above.

confused? hope this helped a little.

Chuck

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Brian
Sent: Monday, August 27, 2001 7:52 AM
To: [EMAIL PROTECTED]
Subject: Re: Does access list work for router originated packets [7:17389]

On Mon, 27 Aug 2001, John Hardman wrote:

> Hi
>
> I can't believe I am challenging Priscilla!
>
> I just tried what you are talking about, i.e. that the ACL on the router
> does not affect the traffic generated by the router itself.
>
> I created an extended ACL to block all ICMP traffic and applied it to E0 as
> both IN and OUT. Before applying the ACL I can ping just fine to any host on
> the network and any host on the network can ping the router. After applying
> the ACL I am not able to ping from the router, or to the router.

Right, the packets leaving the router are not blocked, they are sourced from the router and bypass the ACL. The reply packets are blocked however, they are not sourced from the router.

-----------------------------------------------
I'm buying / selling used CISCO gear!!
email me for a quote

Brian Feeny, CCIE #8036
Netjam, LLC
[EMAIL PROTECTED]
http://www.netjam.net
VISA/MC/AMEX/COD
30 day warranty
phone: 318-212-0245
fax: 318-212-0246

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=17406&t=17406
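The three cases described in this thread, as a simplified model run against the quoted test (an added example, not written by the posters and not Cisco IOS code). The ACL entries, addresses, and all class and function names are constructed for illustration, and the trailing permit in the ACL is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str  # "icmp", "tcp", ...
    src: str
    dst: str

def acl_permits(acl, pkt):
    """First-match evaluation; None means no ACL is applied."""
    if acl is None:
        return True
    for action, proto in acl:
        if proto in ("ip", pkt.proto):  # "ip" matches any protocol
            return action == "permit"
    return False  # implicit deny at the end of an applied ACL

class Interface:
    def __init__(self, acl_in=None, acl_out=None):
        self.acl_in, self.acl_out = acl_in, acl_out

    def receive(self, pkt):
        # Case 1: inbound ACL is checked before the forwarding process.
        return acl_permits(self.acl_in, pkt)

    def forward_out(self, pkt):
        # Case 2: transit packet; outbound ACL is checked after forwarding.
        return acl_permits(self.acl_out, pkt)

    def send_local(self, pkt):
        # Case 3: router-originated packet goes straight to the interface
        # buffer, so the outbound ACL is never consulted.
        return True

def ping_from_router(iface, router_ip, host_ip):
    """Return (request_sent, reply_accepted) for a ping sourced by the router."""
    sent = iface.send_local(Packet("icmp", router_ip, host_ip))
    reply_ok = sent and iface.receive(Packet("icmp", host_ip, router_ip))
    return sent, reply_ok

# Constructed stand-in for the ACL in the quoted test: deny ICMP, permit the rest.
BLOCK_ICMP = [("deny", "icmp"), ("permit", "ip")]
ROUTER, HOST = "192.0.2.1", "192.0.2.10"  # documentation addresses

if __name__ == "__main__":
    e0 = Interface(acl_in=BLOCK_ICMP, acl_out=BLOCK_ICMP)
    print("router ping (sent, reply accepted):", ping_from_router(e0, ROUTER, HOST))
    print("host ping accepted by router:", e0.receive(Packet("icmp", HOST, ROUTER)))
```

In this model the router's echo request leaves despite the outbound ACL, and the ping still fails because the echo reply is dropped by the inbound ACL.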

