ACL behaviour for “packets generated by the router itself”

Cisco's CCNA and CCNP certification exams frequently include access list (ACL) questions; in fact they come up every time. Among them is a topic that examinees often get wrong, and one that simply cannot be solved unless you already know it. That topic is: “Packets generated by the router itself are not subject to the access list”.

Let’s test whether such packets really are left uncontrolled.

Test configuration

Configuration/Settings

Configure the following access list on a Cisco 891FJ and ping another router with the IP address 192.168.55.1.
* Because the protocol and the destination need to be specified, an extended ACL is used.

Access list 100 specifies the protocol ICMP, a source of any (all hosts), and a destination of 192.168.55.1.
Access list 100 is then applied in the out direction (egress) on GigabitEthernet8 of the orange router. This should block ICMP packets from the orange router to 192.168.55.1.

Router#show run int gi8
interface GigabitEthernet8
ip address 192.168.55.80 255.255.255.0
ip access-group 100 out
duplex auto
speed auto
Router#show access-lists | sec 100
Extended IP access list 100
   10 deny icmp any host 192.168.55.1

Because an “implicit deny all” sits at the end of every access list, all other packets are dropped as well.

Results

The router pinged 192.168.55.1.

Router#ping 192.168.55.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.55.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

The ICMP echo replies come back; the packets are not controlled by the ACL that was configured.
This shows that an ACL applied on the router does not affect packets the router itself generates.

Besides Ping packets

An ACL decides whether packets are forwarded or dropped at ingress or egress on the interface where it is configured. It does not, however, affect packets that originate locally on the router where the ACL is configured.

This is not limited to ping: packets sent by routing protocols are not affected either.
Examples are OSPF hello packets and BGP OPEN packets.
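To make the egress decision explicit, here is a small model of the behaviour tested above, written for this page and not taken from Cisco or the original post. It parses the ACE line exactly as “show access-lists” printed it, applies the implicit deny all, and skips the ACL entirely for router-originated packets (ping, OSPF hello, BGP OPEN); the `Packet` type and the `locally_generated` flag are assumptions of the model, and wildcard masks and other ACE keywords are left out.

```python
import ipaddress
from dataclasses import dataclass

# Constructed input: the ACE line as printed by "show access-lists | sec 100" above.
ACL_100_TEXT = "10 deny icmp any host 192.168.55.1"

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    locally_generated: bool = False  # True when the router built the packet itself

def _take_addr(toks):
    """Consume one address term: 'any' or 'host A.B.C.D' (wildcard masks omitted)."""
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    raise ValueError(f"unsupported address term: {toks[0]}")

def parse_ace(line):
    """Parse '<seq> <permit|deny> <proto> <src> <dst>' into a tuple."""
    toks = line.split()
    seq, action, proto = int(toks[0]), toks[1], toks[2]
    src, rest = _take_addr(toks[3:])
    dst, _ = _take_addr(rest)
    return seq, action, proto, src, dst

def parse_acl(text):
    return [parse_ace(l) for l in text.splitlines() if l.strip()]

def acl_verdict(acl, pkt):
    """Evaluate ACEs top-down; no match falls through to the implicit deny all."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for seq, action, proto, src, dst in acl:
        if proto in ("ip", pkt.proto) and s in src and d in dst:
            return action, str(seq)
    return "deny", "implicit"

def egress_decision(acl, pkt):
    """Outbound ACL on an interface: only transit packets are checked.
    Packets the router originates (ping, OSPF hello, BGP OPEN) are not filtered."""
    if pkt.locally_generated:
        return "forward", "router-originated, ACL not consulted"
    action, seq = acl_verdict(acl, pkt)
    return ("forward" if action == "permit" else "drop"), f"ace {seq}"
```

Run `egress_decision(parse_acl(ACL_100_TEXT), Packet("icmp", "192.168.55.80", "192.168.55.1", locally_generated=True))` to reproduce the successful ping, and the same packet without the flag to see a transit ping dropped by ACE 10.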

Frequently asked on CCNA/CCNP

As I mentioned at the beginning, this comes up on the exam a lot!!!!

CCNA has questions very similar to what we tested this time.
On CCNP, a question may have you check a routing table built by a routing protocol, only for the real cause to be how an ACL is specified. Questions like that do appear.
It actually came up when I took CCNP ENCOR.

Remember this, because it comes up very often at work too!!