New ACL behavior?

Thomas Schmitt
Level 1

Hi,

I'm just confused about the new behavior of an applied, but not existing, ACL.

I remember from the basics that if you try to use a non-existing ACL, it will be treated as a deny ip any any ACL.

But today, on a Catalyst 9500 switch running IOS-XE 17.something, I saw something interesting.

This is my test setup: the access-list PING_CORE is applied on int po1 in the IN direction on SW2, and I will ping from SW1 lo0 to SW2 lo0.

+------------------------------+              +------------------------------+
| lo0 11.0.0.1 | SW1 | int po1 |==============| int po1 | SW2 | lo0 11.0.0.2 |
+------------------------------+              +------------------------------+

ip access-list extended PING_CORE
 10 deny   icmp host 11.0.0.1 host 11.0.0.2
 20 permit ip any any

SW1#ping 11.0.0.2 source lo0
U.U.U
Success rate is 0 percent (0/5)

In the next step I just delete the ACL and try the same thing again:

SW2(config)#do s run int po1 | in access-group
 ip access-group PING_CORE in
SW2#sh ip access-lists PING_CORE
SW2#

SW1#ping 11.0.0.2 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.0.0.2, timeout is 2 seconds:
Packet sent with a source address of 11.0.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

To be honest, I never did this test before and wasn't able to find anything about it now. Do I remember the default behavior for a non-existent ACL wrong, or did something change?


balaji.bandi
Hall of Fame

First thing: you did not mention where you created the ACL, or where you applied it (on what switch?).

"In the next step I just delete the ACL and try again the same thing:"

When there is no matching ACL, even though the interface has an access-group configured, it does not take active participation, since there is no PING_CORE ACL available.

BB


MHM Cisco World (Accepted Solution)

"In next step I just delete the ACL and try again the same thing:"

ip access-list extended PING_CORE
 10 deny   icmp host 11.0.0.1 host 11.0.0.2 <<- do you delete this ACE 
 20 permit ip any any <<- do you delete this ACE 

Do you delete both ACEs from ACL PING_CORE?

From Cisco Doc.

"""If an access list is referenced by a name, but the access list does not exist, all packets pass. An interface or command with an empty access list applied to it permits all traffic into the network."""

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/xe-3s/sec-data-acl-xe-3s-book/sec-access-list-ov.html
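The doc quote above describes a fail-open condition: an access-group that names an ACL which no longer exists (or one that is empty) permits everything, which is the opposite of what many people assume. The following script is an added example, not code from this thread or from Cisco. It parses a saved "show running-config" capture, counts the permit/deny entries of every named or numbered ACL, and reports each access-group or access-class reference whose ACL is undefined or empty, plus ACLs that are defined but never applied. The sample configuration, hostnames, ACL names and addresses embedded in it are constructed for the demonstration.

```python
"""
Audit an IOS / IOS-XE running-config for ACL references that fail open.

Added example, not from this thread or from Cisco. A referenced ACL that
does not exist, or that has no entries, permits all traffic, so both
conditions are reported. Assumes the config is available as text
(e.g. a captured "show running-config"); the sample below is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: PING_CORE is applied on Po1 but no longer defined,
# EMPTY_ACL is defined with no entries, MGMT_IN is healthy, UNUSED is stale.
SAMPLE_CONFIG = """\
hostname SW2
!
ip access-list extended MGMT_IN
 10 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 20 deny ip any any
!
ip access-list extended EMPTY_ACL
!
ip access-list standard UNUSED
 10 permit 192.168.1.0 0.0.0.255
!
access-list 5 permit 10.9.9.0 0.0.0.255
!
interface Port-channel1
 ip address 10.1.1.2 255.255.255.252
 ip access-group PING_CORE in
!
interface Vlan200
 ip access-group EMPTY_ACL out
!
interface Vlan100
 ip access-group MGMT_IN in
!
line vty 0 4
 access-class 5 in
"""

ACL_DEF_RE = re.compile(r"^ip access-list (?:standard|extended) (\S+)\s*$")
NUMBERED_ACE_RE = re.compile(r"^access-list (\d+) (?:permit|deny)\b")
ACE_RE = re.compile(r"^\s+(?:\d+ )?(?:permit|deny)\b")   # remarks do not count
REF_RE = re.compile(r"^\s+(?:ip access-group|access-class) (\S+) (in|out)\b")
CONTEXT_RE = re.compile(r"^(interface \S+|line \S.*)$")


@dataclass(frozen=True)
class AclRef:
    context: str    # section holding the reference, e.g. "interface Port-channel1"
    acl: str
    direction: str


def acl_ace_counts(config: str) -> dict[str, int]:
    """Map every defined ACL (named or numbered) to its number of permit/deny entries."""
    counts: dict[str, int] = {}
    current = None              # named ACL whose section we are inside
    for line in config.splitlines():
        if m := ACL_DEF_RE.match(line):
            current = m.group(1)
            counts.setdefault(current, 0)
        elif m := NUMBERED_ACE_RE.match(line):
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
        elif current and ACE_RE.match(line):
            counts[current] += 1
        elif not line.startswith(" "):
            current = None      # any unindented line ends the ACL section
    return counts


def acl_references(config: str) -> list[AclRef]:
    """Every access-group / access-class line, tagged with its interface or line section."""
    refs, context = [], "<global>"
    for line in config.splitlines():
        if c := CONTEXT_RE.match(line):
            context = c.group(1)
        elif m := REF_RE.match(line):
            refs.append(AclRef(context, m.group(1), m.group(2)))
    return refs


def fail_open_references(config: str) -> list[tuple[AclRef, str]]:
    """References that permit everything: ACL undefined, or defined with zero entries."""
    counts = acl_ace_counts(config)
    findings = []
    for ref in acl_references(config):
        if ref.acl not in counts:
            findings.append((ref, "ACL not defined"))
        elif counts[ref.acl] == 0:
            findings.append((ref, "ACL has no entries"))
    return findings


def unused_acls(config: str) -> set[str]:
    """Defined ACLs that nothing applies; not a hole, but stale config worth pruning."""
    return set(acl_ace_counts(config)) - {r.acl for r in acl_references(config)}


if __name__ == "__main__":
    for ref, why in fail_open_references(SAMPLE_CONFIG):
        print(f"FAIL-OPEN  {ref.context}: {ref.acl} applied {ref.direction} ({why})")
    for name in sorted(unused_acls(SAMPLE_CONFIG)):
        print(f"unused     {name}")
```

Run against a real capture by reading the file into a string and passing it to fail_open_references(); on the thread's own scenario it would flag Port-channel1 with PING_CORE applied inbound but not defined. The parser deliberately ends an ACL section at the first unindented line, so interface sub-commands are never miscounted as ACEs.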

Thomas Schmitt
Level 1

Thank you for the replies, both are helpful and answered my question; but I have to mention that I'm surprised about both of you. I read a lot of your posts and didn't get the feeling that you have any trouble with reading text ... that's why I'm surprised.


@MHM Cisco World wrote:

ip access-list extended PING_CORE
 10 deny icmp host 11.0.0.1 host 11.0.0.2 <<- do you delete this ACE
 20 permit ip any any <<- do you delete this ACE

do you delete both ACE from ACL PING_CORE ??


where you yourself quoted: "In next step I just delete the ACL" <-- ACL; there wasn't a word about ACE.

Furthermore, there was a quote from a show command to verify the configuration:

SW2(config)#do s run int po1 | in access-group
 ip access-group PING_CORE in
SW2#sh ip access-lists PING_CORE
SW2#

@balaji.bandi wrote:

First thing you did not mention where did you created ACL ? where did you apply (on what switch ?)



--> the access-list PING_CORE is applied on int po1 in the IN direction on SW2

This issue I remembered completely wrong. Just to verify similar topics, maybe I'm also wrong here:

  • What happens in case I delete an applied route map/RPL policy, for example in a BGP redistribute command?
redistribute connected route-map DELETED_RM
  • Do route maps and RPL policies have an implicit deny/drop at the end for everything that wasn't matched before?