topic Re: New ACL behavior? in Network Access Control

New ACL behavior?

Thomas Schmitt — Fri, 18 Nov 2022 23:13:08 GMT

Hi,

I’m just confused about new behavior by applied, but not existing ACL

I remember from basics, that if you try to use an non-existing ACL, it will be threaded as deny ip any any ACL

but today, on catalyst 9500 switch, running iOS-XE 17. Something I saw something interesting

this is my test setup, the access-list PING_CORE is applied on int po1 in IN direction on SW2 and I will ping from SW1 lo0 to SW2 lo0

|————————————————————--| |—————————————————-———|
| lo0 11.0.0.1 | SW1 | int po1 |==========|int po1 | SW2 | lo0 11.0.0.2 |
|———————————————————-—-| |————————————————————-|

ip access-list extended PING_CORE
10 deny icmp host 11.0.0.1 host 11.0.0.2
20 permit ip any any

SW1#ping 11.0.0.2 source lo0
U.U.U
Success rate is 0 percent (0/5)

In next step I just delete the ACL and try again the same thing:

SW2(config)#do s run int po1 | in access-group
ip access-group PING_CORE in
SW2#sh ip access-lists PING_CORE
SW2#

SW1#ping 11.0.0.2 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.0.0.2, timeout is 2 seconds:
Packet sent with a source address of 11.0.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

To be honest, I never did this test before and wasn’t able to find anything about it now, do I remember default behavior from non-existent ACL wrong or did something change?

Re: New ACL behavior?

balaji.bandi — Sat, 19 Nov 2022 10:28:53 GMT

First thing you did not mention where did you created ACL ? where did you apply (on what switch ?)

In the next step I just delete the ACL and try again the same thing:

When there no match ACL, even though the interface has an access group that does not take active participation, since there is no PING_CORE ACL available.

Re: New ACL behavior?

MHM Cisco World — Sat, 19 Nov 2022 10:36:44 GMT

""In next step I just delete the ACL and try again the same thing:""

ip access-list extended PING_CORE
10 deny icmp host 11.0.0.1 host 11.0.0.2 <<- do you delete this ACE
20 permit ip any any <<- do you delete this ACE

do you delete both ACE from ACL PING_CORE ??

Re: New ACL behavior?

MHM Cisco World — Sat, 19 Nov 2022 13:14:58 GMT

From Cisco Doc.

"""If an access list is referenced by a name, but the access list does not exist, all packets pass. An interface or command with an empty access list applied to it permits all traffic into the network."""

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/xe-3s/sec-data-acl-xe-3s-book/sec-access-list-ov.html

Re: New ACL behavior?

Thomas Schmitt — Mon, 21 Nov 2022 14:33:29 GMT

Thank you for replays, both are helpful and answered my question; but I have to mention, that I'm surprised about both of you. I read a lot of your posts and did't got the feeling, like you have any trouble with reading text ... thats why I'm surprised

@MHM Cisco World wrote:
ip access-list extended PING_CORE
10 deny icmp host 11.0.0.1 host 11.0.0.2 <<- do you delete this ACE
20 permit ip any any <<- do you delete this ACE

do you delete both ACE from ACL PING_CORE ??

where you self quoted: "In next step I just delete the ACL" <-- ACL, there wasn't a word about ACE.

Futhermore, there was quote from show command to verify configuration:

SW2(config)#do s run int po1 | in access-group
 ip access-group PING_CORE in
SW2#sh ip access-lists PING_CORE
SW2#

@balaji.bandi wrote:
First thing you did not mention where did you created ACL ? where did you apply (on what switch ?)

-->the access-list PING_CORE is applied on int po1 in IN direction on SW2

This issue I remembered completly wrong. Just to verify similar topics, may be I'm also here wrong:

What happens i case I delete an applied route map/RPL Policy, for example in BGP redistribute command?

redistribute connected route-map DELETED_RM

Route map and RPL policy have an implicit deny/drop at the end for everything doesn't matched before?