11-18-2022 03:13 PM
Hi,
I'm just confused about the new behavior of an applied, but non-existent ACL.
I remember from the basics that if you try to use a non-existing ACL, it will be treated as a deny ip any any ACL.
But today, on a Catalyst 9500 switch running IOS-XE 17.something, I saw something interesting.
This is my test setup: the access-list PING_CORE is applied on int po1 in the IN direction on SW2, and I will ping from SW1 lo0 to SW2 lo0.
+-----------------------------+            +-----------------------------+
| lo0 11.0.0.1 | SW1 | int po1 |============| int po1 | SW2 | lo0 11.0.0.2 |
+-----------------------------+            +-----------------------------+
ip access-list extended PING_CORE
10 deny icmp host 11.0.0.1 host 11.0.0.2
20 permit ip any any
SW1#ping 11.0.0.2 source lo0
U.U.U
Success rate is 0 percent (0/5)
In the next step I just delete the ACL and try the same thing again:
SW2(config)#do s run int po1 | in access-group
ip access-group PING_CORE in
SW2#sh ip access-lists PING_CORE
SW2#
SW1#ping 11.0.0.2 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.0.0.2, timeout is 2 seconds:
Packet sent with a source address of 11.0.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
To be honest, I never did this test before and wasn't able to find anything about it now. Do I remember the default behavior for a non-existent ACL wrong, or did something change?
11-19-2022 05:14 AM
From Cisco Doc.
"If an access list is referenced by a name, but the access list does not exist, all packets pass. An interface or command with an empty access list applied to it permits all traffic into the network."
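Because a referenced-but-missing or empty ACL silently permits everything, a dangling `ip access-group` is a fail-open condition worth catching in a config audit. The following is an added example (not from the thread or from Cisco) that parses a constructed running-config and flags every access-group whose ACL is undefined or has no ACEs; the interface names and the DELETED_ACL/EMPTY_ACL names are made up for the sample.

```python
import re

# Constructed sample running-config (not output from the thread's switches):
# PING_CORE exists with ACEs, EMPTY_ACL is defined but has no ACEs, and
# DELETED_ACL is referenced but never defined. The last two fail open.
SAMPLE_RUNNING_CONFIG = """\
ip access-list extended PING_CORE
 10 deny icmp host 11.0.0.1 host 11.0.0.2
 20 permit ip any any
ip access-list extended EMPTY_ACL
interface Port-channel1
 ip access-group PING_CORE in
interface Port-channel2
 ip access-group DELETED_ACL in
interface Vlan10
 ip access-group EMPTY_ACL out
"""

ACL_HEADER = re.compile(r"^ip access-list (?:standard|extended) (\S+)")
ACE_LINE = re.compile(r"^ \d+ (?:permit|deny) ")   # remarks are not ACEs
INTERFACE = re.compile(r"^interface (\S+)")
ACCESS_GROUP = re.compile(r"^ ip access-group (\S+) (in|out)")

def count_aces(config):
    """Return {acl_name: number_of_aces} for every named IPv4 ACL."""
    acls, current = {}, None
    for line in config.splitlines():
        if m := ACL_HEADER.match(line):
            current = m.group(1)
            acls.setdefault(current, 0)
        elif current and ACE_LINE.match(line):
            acls[current] += 1
        elif not line.startswith(" "):
            current = None  # any other top-level line ends the ACL block
    return acls

def find_fail_open_access_groups(config):
    """Return (interface, acl, direction, reason) for each ip access-group
    whose ACL is missing or has zero ACEs; both cases permit all traffic."""
    acls, findings, iface = count_aces(config), [], None
    for line in config.splitlines():
        if m := INTERFACE.match(line):
            iface = m.group(1)
        elif (m := ACCESS_GROUP.match(line)) and iface:
            acl, direction = m.groups()
            if acl not in acls:
                findings.append((iface, acl, direction, "missing"))
            elif acls[acl] == 0:
                findings.append((iface, acl, direction, "empty"))
    return findings
```

Feed it the text of `show running-config` from the switch; a non-empty result means an interface is filtering nothing despite having an access-group configured.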
11-19-2022 02:28 AM
First thing, you did not mention where you created the ACL, or where you applied it (on what switch?).
In the next step I just delete the ACL and try again the same thing:
When there is no matching ACL, even though the interface has an access-group, it does not take active participation, since there is no PING_CORE ACL available.
11-19-2022 02:36 AM
"In the next step I just delete the ACL and try the same thing again:"
ip access-list extended PING_CORE
10 deny icmp host 11.0.0.1 host 11.0.0.2 <<- did you delete this ACE?
20 permit ip any any <<- did you delete this ACE?
Did you delete both ACEs from ACL PING_CORE?
11-21-2022 06:33 AM
Thank you for the replies, both are helpful and answered my question; but I have to mention that I'm surprised about both of you. I read a lot of your posts and didn't get the feeling that you have any trouble with reading text ... that's why I'm surprised.
@MHM Cisco World wrote:
ip access-list extended PING_CORE
10 deny icmp host 11.0.0.1 host 11.0.0.2 <<- did you delete this ACE?
20 permit ip any any <<- did you delete this ACE?
Did you delete both ACEs from ACL PING_CORE?
where you yourself quoted: "In the next step I just delete the ACL" <-- ACL; there wasn't a word about ACE.
Furthermore, there was a quote from a show command to verify the configuration:
SW2(config)#do s run int po1 | in access-group
ip access-group PING_CORE in
SW2#sh ip access-lists PING_CORE
SW2#
@balaji.bandi wrote: First thing, you did not mention where you created the ACL, or where you applied it (on what switch?).
--> the access-list PING_CORE is applied on int po1 in the IN direction on SW2
This issue I remembered completely wrong. Just to verify similar topics, maybe I'm also wrong here:
redistribute connected route-map DELETED_RM