Why Traffic-Filter ACL Does Not Block Ping to 8.8.8.8 on an AR Gateway

The article explains that an AR gateway's outbound ACL 3301, which denies ICMP to 8.8.8.8, does not affect ping commands issued on the device itself because those packets bypass the forwarding plane where traffic‑filter policies are enforced.

Practical DevOps Architecture

Problem Description

In the topology described, an AR device acts as the gateway. The key configuration on the AR is an ACL (number 3301) that denies ICMP traffic destined for 8.8.8.8 and permits all other IP traffic, applied in the outbound direction on interface GigabitEthernet0/0/1 with traffic-filter outbound acl 3301:

#
acl number 3301
rule 5 deny icmp destination 8.8.8.8 0
rule 10 permit ip
#
interface GigabitEthernet0/0/1
traffic-filter outbound acl 3301
#

Observed Phenomenon

Even though the ACL should block ping packets to 8.8.8.8, a ping issued from the AR device itself still succeeds, indicating that the traffic‑filter rule is not taking effect for locally generated traffic.

Investigation Process

When pinging 8.8.8.8 from a PC, the request fails as expected because the ACL blocks it. However, pinging from the AR device works because the device’s own packets are generated by the protocol stack and sent directly to the egress interface, never entering the forwarding layer where traffic‑filter policies are applied. Consequently, the ACL cannot filter these locally originated packets.

Recommendation and Summary

The device software is divided into a control plane and a forwarding plane. The forwarding plane handles transit traffic that passes through both physical ingress and egress interfaces. Control‑plane traffic, such as packets generated by the device itself, does not traverse the forwarding plane and therefore is not subject to traffic‑filter ACLs. To block such traffic, alternative mechanisms (e.g., control‑plane ACLs or firewall policies) must be used.

Tags: ping, routing, network security, ACL, AR gateway, traffic-filter