Solved: Re: ACE "deny ip any any" includes whole IP stack?

jmaxwellUSAF · ‎01-02-2023

Hello.

ACE- "deny ip any any". What exactly does "IP" mean here? ,because the next line in the ACL reads...

"permit tcp any any eq 631"

implies TCP within IP.

Thank you!

MHM Cisco World · ‎01-02-2023

for extended ACL there is
ip <<- check the IP header
udp <<- check the L4 UDP port
tcp <<- check the L4 TCP port
icmp <<- check the protocol type ICMP

View solution in original post

Rob Ingram · ‎01-02-2023

@jmaxwellUSAF using "ip" in an ACL would match on source and destination IP address. Whereas using "tcp" in the ACE would match on the source and destination IP and TCP port.

Generally when you permit traffic you are specific with the UDP/TCP port, but denying traffic you generally deny on IP.

View solution in original post

MHM Cisco World · ‎01-02-2023

for extended ACL there is
ip <<- check the IP header
udp <<- check the L4 UDP port
tcp <<- check the L4 TCP port
icmp <<- check the protocol type ICMP

jmaxwellUSAF · ‎01-02-2023

MHM, Is there anything you don't know?

MHM Cisco World · ‎01-02-2023

All thanks to @Rob Ingram I learn from him a lot. and still learning from Him.
so thanks @Rob Ingram

Rob Ingram · ‎01-02-2023

@jmaxwellUSAF using "ip" in an ACL would match on source and destination IP address. Whereas using "tcp" in the ACE would match on the source and destination IP and TCP port.

Generally when you permit traffic you are specific with the UDP/TCP port, but denying traffic you generally deny on IP.

jmaxwellUSAF · ‎01-02-2023

Who is a better captain-- J. Kirk or J. Picard?

Rob Ingram · ‎01-02-2023

@jmaxwellUSAF Sisko

MHM Cisco World · ‎01-02-2023

Happy new year friends.