When “deny any” doesn’t deny all!
admin | Monday, December 27th, 2010
I recently came across this discussion and thought I’d shed some light. A user wants to deny all traffic outbound on a specific interface; let’s say it is Ethernet0. The best way to test this is to create an ACL, apply it to that interface outbound, and ping out from an internal device. The ping will fail, as expected.
access-list 1 deny any
interface Ethernet0
 ip access-group 1 out
! transit packets leaving Ethernet0 are now dropped
Simple enough, but ping tests from the router itself reveal that you can indeed still ping! Why?
How about trying to ping from a loopback interface?
ping 188.8.131.52 source loopback 0
The result is that you can still ping out!
The reason is that ACLs are applied to packets as they traverse an interface. Pings sourced from the router itself don’t fall into that category. I believe that management traffic originating from the router, including pings, is handled by the control plane rather than the data plane, where ACLs are applied.
So there you go. If you have any further insights on this, please let me know. And if I’m wrong, please let me know as well! Make sure you test your ACLs from either INSIDE or OUTSIDE of the router, not by using the router itself to test them.
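As an added example (not from the original post), here is the same test with the ACL set to log and the match-counter check that shows which packets the ACL actually evaluated; the interface name Ethernet0 and the destination 192.0.2.1 are assumed.

```cisco
! Added example, not from the original post. Ethernet0 and the
! destination 192.0.2.1 (a documentation address) are assumed.
access-list 1 deny any log
interface Ethernet0
 ip access-group 1 out
!
! Test 1: from a host behind the router, ping 192.0.2.1.
!   Expected: the ping fails, a deny log entry for list 1 appears,
!   and the match counter increments:
!     show access-lists 1
!
! Test 2: from the router itself.
!     ping 192.0.2.1 source Loopback0
!   Expected: the ping succeeds and the counter does not move,
!   because locally generated packets never pass through the
!   outbound ACL on Ethernet0.
```

Comparing the counter before and after each test is the quickest way to see that the router-sourced ping was never inspected by the interface ACL.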