cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
970
Views
10
Helpful
4
Replies

New ACL behavior?

Thomas Schmitt
Level 1
Level 1

Hi,

I’m just confused about new behavior by applied, but not existing ACL

I remember from basics, that if you try to use an non-existing ACL, it will be threaded as deny ip any any ACL

but today, on catalyst 9500 switch, running iOS-XE 17. Something I saw something interesting 

this is my test setup, the access-list PING_CORE is applied on int po1 in IN direction on SW2 and I will ping from SW1 lo0 to SW2 lo0

|————————————————————--|                    |—————————————————-———|
| lo0 11.0.0.1 |  SW1 | int po1 |==========|int po1 | SW2 | lo0 11.0.0.2 |
|———————————————————-—-|                    |————————————————————-|

ip access-list extended PING_CORE
 10 deny   icmp host 11.0.0.1 host 11.0.0.2
 20 permit ip any any

SW1#ping 11.0.0.2 source lo0
U.U.U
Success rate is 0 percent (0/5)

In next step I just delete the ACL and try again the same thing:

SW2(config)#do s run int po1 | in access-group
 ip access-group PING_CORE in
SW2#sh ip access-lists PING_CORE
SW2#

SW1#ping 11.0.0.2 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.0.0.2, timeout is 2 seconds:
Packet sent with a source address of 11.0.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

To be honest, I never did this test before and wasn’t able to find anything about it now, do I remember default behavior from non-existent ACL wrong or did something change?

 

1 Accepted Solution

Accepted Solutions

From Cisco Doc.

"""If an access list is referenced by a name, but the access list does not exist, all packets pass. An interface or command with an empty access list applied to it permits all traffic into the network."""

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/xe-3s/sec-data-acl-xe-3s-book/sec-access-list-ov.html

View solution in original post

4 Replies 4

balaji.bandi
Hall of Fame
Hall of Fame

First thing you did not mention where did you created ACL ? where did you apply (on what switch ?)

In the next step I just delete the ACL and try again the same thing:

When there no match ACL, even though the interface has an access group that does not take active participation, since there is no PING_CORE ACL available.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

""In next step I just delete the ACL and try again the same thing:""

ip access-list extended PING_CORE
 10 deny   icmp host 11.0.0.1 host 11.0.0.2 <<- do you delete this ACE 
 20 permit ip any any <<- do you delete this ACE 

 

do you delete both ACE from ACL PING_CORE ??

From Cisco Doc.

"""If an access list is referenced by a name, but the access list does not exist, all packets pass. An interface or command with an empty access list applied to it permits all traffic into the network."""

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/xe-3s/sec-data-acl-xe-3s-book/sec-access-list-ov.html

Thomas Schmitt
Level 1
Level 1

Thank you for replays, both are helpful and answered my question; but I have to mention, that I'm surprised about both of you. I read a lot of your posts and did't got the feeling, like you have any trouble with reading text ... thats why I'm surprised


@MHM Cisco World wrote:

ip access-list extended PING_CORE
 10 deny icmp host 11.0.0.1 host 11.0.0.2 <<- do you delete this ACE
 20 permit ip any any <<- do you delete this ACE

    do you delete both ACE from ACL PING_CORE ??


where you self quoted: "In next step I just delete the ACL" <-- ACL, there wasn't a word about ACE.

Futhermore, there was quote from show command to verify configuration:

SW2(config)#do s run int po1 | in access-group
 ip access-group PING_CORE in
SW2#sh ip access-lists PING_CORE
SW2#

@balaji.bandi wrote:

First thing you did not mention where did you created ACL ? where did you apply (on what switch ?)



-->the access-list PING_CORE is applied on int po1 in IN direction on SW2

This issue I remembered completly wrong. Just to verify similar topics, may be I'm also here wrong:

  • What happens i  case I delete an applied route map/RPL Policy, for example in BGP redistribute command?
redistribute connected route-map DELETED_RM
  •  Route map and RPL policy have an implicit deny/drop at the end for everything doesn't matched before?