Here is my topology:
Scenario1:
Applied ACL 100 on R1's Fa0/0 as inbound, then:
PC2#ping 40.0.0.2
2015 Cisco and/or its affiliates. All Rights Reserved. Generated on 2015-05-24-07:00
This document is Cisco Public Information.
Understanding ACL source:?
*Mar 2 00:03:46.518: IP: s=10.0.0.2 (local), d=40.0.0.2 (FastEthernet0/0), len 100, sending
*Mar 2 00:03:46.522: ICMP type=8, code=0
*Mar 2 00:03:46.554: IP: s=10.0.0.254 (FastEthernet0/0), d=10.0.0.2, len 56, rcvd 1
*Mar 2 00:03:46.558: ICMP type=3, code=13
Scenario3:
Applied ACL 100 on R2's Fa0/1 as inbound, then:
PC2#ping 40.0.0.2
Here I want to understand how the source IPs change according to the corresponding ACL.
Regards,
Chandu
Pantelis
Re: Understanding ACL source:? Jul 22, 2014 4:34 AM
Hi Racharla Chandra Kanth
According to Cisco
Inbound: If the access list is inbound, when the router receives a packet, the Cisco IOS software
checks the criteria statements of the access list for a match. If the packet is permitted, the software
continues to process the packet. If the packet is denied, the software discards the packet.
Outbound: If the access list is outbound, after the software receives and routes a packet to the
outbound interface, the software checks the criteria statements of the access list for a match. If the
packet is permitted, the software transmits the packet. If the packet is denied, the software discards
the packet.
@Sarah The log-input option enables logging of the ingress interface and source MAC address in addition to
the packet's source and destination IP addresses and ports.
Thanks
Pantelis
Regards,
Chandu
Navneet.Gaur
Re: Understanding ACL source:? Jul 22, 2014 5:44 AM
Hi Racharla Chandra Kanth.
1. Remember traceroute?
3. Because the return packets are sourced from that interface and the ACL logic is applied before they would
have been transmitted "out of / from" the next interface.
Take care,
Navneet.
Update:
Try the same method from PC-4 for further clarity
Additional Clarification:
The next hop interface, from the point of view of PC-2, on the router where the ACL is applied, is sourced as the one that is replying.
By default, when traffic is generated by a router, the router uses the IP of the outgoing interface.
I posted the snipped image from Cisco documentation which tells that fact.
Scenario1:
Applied ACL 100 on R1's Fa0/0 as inbound, then:
PC2#ping 40.0.0.2
>> Here the next hop is: 192.168.1.2 but the packet got dropped at 192.168.1.1 before it could reach
192.168.1.2. So the reply was from 10.0.0.254.
Scenario3:
Applied ACL 100 on R2's Fa0/1 as inbound, then:
PC2#ping 40.0.0.2
>> Here the packet has arrived at the second hop: 192.168.1.2 and it processed it and denied it, the
same was sent to PC2.
>> Here again the next hop is the final destination i.e. 40.0.0.2 but before the packet could reach it,
packet got dropped at 40.0.0.254. So the reply was from 192.168.1.2.
Regards,
Chandu
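The following is an added example written for this thread, not code posted by any participant or shipped by Cisco. It models the two rules the thread establishes (an inbound ACL is evaluated on receipt, an outbound ACL after routing, and the ICMP type 3 code 13 "administratively prohibited" reply is sourced from the interface facing the original sender) over the addresses the thread gives: PC2 10.0.0.2, R1 10.0.0.254 / 192.168.1.1, R2 192.168.1.2 / 40.0.0.254, destination 40.0.0.2. The contents of ACL 100 are not shown in the thread, so the entries below are constructed; the debug lines are the ones from Scenario 1, and the parser pairs each ICMP line with the IP line printed just before it, as IOS prints them.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class AclEntry:
    action: str   # "permit" or "deny"
    src: str      # CIDR
    dst: str      # CIDR


def acl_permits(acl: list, src: str, dst: str) -> bool:
    """First matching entry wins; IOS ends every ACL with an implicit 'deny any'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in acl:
        if s in ipaddress.ip_network(e.src) and d in ipaddress.ip_network(e.dst):
            return e.action == "permit"
    return False


@dataclass
class Router:
    name: str
    ingress_ip: str   # interface facing PC2, where the packet arrives
    egress_ip: str    # interface toward 40.0.0.2
    acl_in: dict = field(default_factory=dict)    # interface IP -> ACL applied inbound
    acl_out: dict = field(default_factory=dict)   # interface IP -> ACL applied outbound


@dataclass(frozen=True)
class Drop:
    router: str
    acl_interface: str   # interface whose ACL denied the packet
    icmp_source: str     # source IP of the ICMP type 3 code 13 reply


def forward(path: list, src: str, dst: str) -> Optional[Drop]:
    """Walk the routers from PC2 toward the destination; None means delivered."""
    for r in path:
        # Inbound ACL: checked as the packet is received, before any routing decision.
        acl = r.acl_in.get(r.ingress_ip)
        if acl is not None and not acl_permits(acl, src, dst):
            return Drop(r.name, r.ingress_ip, r.ingress_ip)
        # Outbound ACL: checked after routing, just before transmit on the egress interface.
        acl = r.acl_out.get(r.egress_ip)
        if acl is not None and not acl_permits(acl, src, dst):
            # The unreachable travels back toward the sender, so it is sourced from the
            # interface facing the sender, not from the egress interface that denied it.
            return Drop(r.name, r.egress_ip, r.ingress_ip)
    return None


# Constructed stand-in for ACL 100 (its real entries are not shown in the thread).
ACL_100 = [
    AclEntry("deny", "10.0.0.2/32", "40.0.0.2/32"),
    AclEntry("permit", "0.0.0.0/0", "0.0.0.0/0"),
]


def run_scenario(router: str, interface_ip: str, direction: str) -> Optional[Drop]:
    """Apply ACL 100 on one interface ('in' or 'out') and ping 40.0.0.2 from PC2."""
    r1 = Router("R1", "10.0.0.254", "192.168.1.1")
    r2 = Router("R2", "192.168.1.2", "40.0.0.254")
    target = {"R1": r1, "R2": r2}[router]
    (target.acl_in if direction == "in" else target.acl_out)[interface_ip] = ACL_100
    return forward([r1, r2], "10.0.0.2", "40.0.0.2")


# Debug output from Scenario 1 in the thread (debug ip packet / debug ip icmp on PC2).
DEBUG_SCENARIO1 = """\
*Mar 2 00:03:46.518: IP: s=10.0.0.2 (local), d=40.0.0.2 (FastEthernet0/0), len 100, sending
*Mar 2 00:03:46.522: ICMP type=8, code=0
*Mar 2 00:03:46.554: IP: s=10.0.0.254 (FastEthernet0/0), d=10.0.0.2, len 56, rcvd 1
*Mar 2 00:03:46.558: ICMP type=3, code=13
"""

IP_RE = re.compile(r"IP: s=(?P<src>[\d.]+) \((?P<sif>[^)]*)\), d=(?P<dst>[\d.]+)")
ICMP_RE = re.compile(r"ICMP type=(?P<type>\d+), code=(?P<code>\d+)")


def unreachable_sources(debug_text: str) -> list:
    """Source IPs of ICMP type 3 code 13 replies in the debug output; each ICMP line
    refers to the IP line printed immediately before it."""
    sources, last_ip = [], None
    for line in debug_text.splitlines():
        m = IP_RE.search(line)
        if m:
            last_ip = m.groupdict()
            continue
        m = ICMP_RE.search(line)
        if m and last_ip and (m["type"], m["code"]) == ("3", "13"):
            sources.append(last_ip["src"])
    return sources


if __name__ == "__main__":
    for label, args in [("Scenario 1", ("R1", "10.0.0.254", "in")),
                        ("Scenario 3", ("R2", "192.168.1.2", "in")),
                        ("outbound on R2 40.0.0.254", ("R2", "40.0.0.254", "out"))]:
        print(label, run_scenario(*args))
    print("observed in Scenario 1 debug:", unreachable_sources(DEBUG_SCENARIO1))
```

Running it reproduces the thread's observations: the inbound ACL on R1 Fa0/0 drops on 10.0.0.254 and replies from 10.0.0.254; the inbound ACL on R2 Fa0/1 replies from 192.168.1.2; and an outbound ACL on R2's 40.0.0.254 interface still replies from 192.168.1.2, because that is the interface through which the unreachable leaves toward PC2. The parser over the Scenario 1 debug lines returns the same 10.0.0.254 the model predicts, which is the check to run when the reply source does not match where you believe the ACL sits.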
Navneet.Gaur
Re: Understanding ACL source:? Jul 22, 2014 11:52 PM
Hi Racharla Chandra Kanth.
Take care,
Navneet.