I just did a standard ACL Packet Tracer with the following:
R1 is the source and R2 is the destination.
R2 has 3 interfaces: s0, s1, and fa0.
We want to deny traffic to the fa0 LAN host.
R2 s0 goes to R1 and s1 goes to R3.
R3 has a path to R1, so we are redundant (triangle).
I'm wondering why, when you set up an ACL deny outbound on the fa0 interface of R2, you can still get to the interface but not the other host.
I mean, yeah, I don't want to get to the host, but wouldn't you not want to get to the interface either? Wouldn't that be part of the "LAN" that you are denying?
I'm not entirely clear on your question. However, there is a strange behavior on real gear that you might not expect. Traffic sourced from the router itself is not checked against egress ACLs. I just wanted to mention that.
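The mechanism behind the observation above, as an added example that is not part of either post: an outbound ACL on fa0 is only evaluated for packets that actually leave R2 through fa0. A ping from R1 to the fa0 interface address is delivered to R2 itself and never exits fa0, so the outbound ACL is never consulted for it (that is a different case from the router-originated traffic mentioned in the reply, which also bypasses egress ACLs). To block the interface address as well, the filter has to sit where the packet enters. The IOS configuration below is constructed for illustration; the ACL names, interface names and all addresses (LAN 192.168.10.0/24, fa0 at 192.168.10.1, target host 192.168.10.50) are assumptions, not values from the original post.

```text
! Constructed example, not from the original post. All names and addresses are assumed.
! R2: s0 -> R1, s1 -> R3, fa0 -> LAN 192.168.10.0/24, fa0 address 192.168.10.1

! What the post describes: deny the LAN host, permit everything else,
! applied outbound on fa0. Packets addressed to 192.168.10.1 terminate on
! R2 and never exit fa0, so LAN-OUT is never evaluated for them.
ip access-list extended LAN-OUT
 deny   ip any host 192.168.10.50
 permit ip any any
!
interface FastEthernet0
 ip address 192.168.10.1 255.255.255.0
 ip access-group LAN-OUT out

! To also deny reaching the interface address, filter inbound on the
! interfaces where the traffic arrives. Because of the triangle, R1 can
! reach R2 via R3 as well, so the same ACL goes on both serial links.
ip access-list extended FROM-WAN
 deny   ip any host 192.168.10.1
 deny   ip any host 192.168.10.50
 permit ip any any
!
interface Serial0
 ip access-group FROM-WAN in
!
interface Serial1
 ip access-group FROM-WAN in
```

Verify with `show ip access-lists` after a test ping: the match counters on LAN-OUT stay at zero for the ping to 192.168.10.1, while the FROM-WAN deny entries increment. Note that the inbound ACL does not change the behavior the reply describes: pings that R2 itself originates out of fa0 still bypass LAN-OUT, because that traffic is router-sourced rather than transit traffic.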