Yes, the ACL model supports ingress and egress rules that can be different.
> On Jan 11, 2018, at 07:00, Juergen Schoenwaelder > <[email protected]> wrote: > >> On Wed, Jan 10, 2018 at 08:16:13PM -0800, Mahesh Jethanandani wrote: >> >> >>> On Jan 10, 2018, at 12:58 AM, Einar Nilsen-Nygaard (einarnn) >>> <[email protected]> wrote: >>> >>> Mahesh, >>> >>> Two things: >>> >>> First, I see that you have still left in the “icmp-off” action. This was >>> something both Kristian and I recommended removing, and I also discussed >>> this with Sonal at the end of last year and she agreed that it should >>> probably be removed since it seems at this point (absent anyone pointing >>> out other implementations) to be a Cisco IOS-XR-specific feature that >>> should probably be dealt with via a vendor augmentation initially. Can we >>> remove this? >> >> You are right. It was discussed, but more to understand why we needed it. >> Before we remove it, let me clarify why we need it, and if after that the >> consensus is still to remove it, or move it to a Cisco specific >> augmentation, we can do it. >> >> The idea behind having the leaf is for routers to setup a rule to accept >> ICMP messages, allow the router to process the message, but suggest that a >> response may be suppressed. That way one can have rules to receive and >> process ICMP messages like “destination unreachable” or “fragmentation >> required” that are important for routers/hosts, but prevent rogue machines >> from discovering machines in a sweeping ping. >> > > This sort of thing seems to be done in other implementations by having > different rules for incoming and outgoing traffic; does the acl model > support that? > > /js > > -- > Juergen Schoenwaelder Jacobs University Bremen gGmbH > Phone: +49 421 200 3587 Campus Ring 1 | 28759 Bremen | Germany > Fax: +49 421 200 3103 <http://www.jacobs-university.de/> _______________________________________________ netmod mailing list [email protected] https://www.ietf.org/mailman/listinfo/netmod
