07-22-2022 07:08 AM - last edited on 07-23-2022 02:09 AM by Translator
What is the behavioral difference in the following?
permit ip 192.168.1.1 0.0.0.255 192.168.2.1 0.0.0.255
deny any any
-and-
permit ip 192.168.1.1 0.0.0.255 192.168.2.1 0.0.0.255 any
deny any any
07-22-2022 07:17 AM
An "any" at the end of an IP ACL?
Are you sure the router accepts this command?
There is no "any" with IP; the "any" after the source IP or destination IP is used only for L4 ports.
07-22-2022 12:58 PM - last edited on 07-23-2022 02:18 AM by Translator
If you suspect that the ACL drops the packet or not,
show ip access-list
you must see matches
and for troubleshooting,
config deny any any
at the end of the ACL
and
show ip access-list
see if
deny any any
has matches or not
07-22-2022 09:04 AM - last edited on 07-23-2022 02:12 AM by Translator
Let me rephrase.
if there is:
permit ip 192.168.1.1 0.0.0.255 192.168.2.1 0.0.0.255
deny any any
By using the IP Suite, this should allow all TCP, UDP, ICMP protocols.
I read in another forum that if written like this and a
deny any any
is at the end, those protocols are dropped if not specifically called on. Is this true?
I have a server connected to one vlan that receives all the information from that vlan and there are three acls connecting the other two vlans to the one however, netstat does not show that it is passing the specific port traffic and the server is not collecting the information as it should.
07-22-2022 10:38 AM - last edited on 07-23-2022 02:15 AM by Translator
"If there is:
permit ip 192.168.1.1 0.0.0.255 192.168.2.1 0.0.0.255
deny any any
By using the IP Suite, this should allow all TCP, UDP, ICMP protocols."
Only if the source and destination IPs are within the corresponding /24 source and destination networks.
As your source and destination networks are different, you would also need to ensure the ACL is applied correctly to match source and destination. I.e. your ACL, if applied to both directions of traffic, would block one direction and permit the other.
A both directions ACL might be written as:
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
deny any any
BTW, as you're matching /24 networks, usually the network IP would be .0, not .1, although either will function the same.
Also every ACL ends with an explicit
deny any any
Often you only include the ACE explicitly if you're looking to obtain a count for packets falling through to the end of the ACL and/or you wish to "log" such packets.
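An added example, not from this thread or from Cisco: a small Python model of first-match ACL evaluation with wildcard masks and the implicit deny, run against the one-way ACL from the question and the both-directions ACL in the reply above. The host addresses 192.168.1.10 and 192.168.2.20 and all helper names are assumptions.

```python
# Added example (not from the thread): model IOS-style ACL evaluation to show
# why a single one-way "permit ip A B" plus "deny any any" blocks the return
# direction when the same ACL is applied to both directions of traffic.
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)

def parse_ace(line):
    """Parse 'permit ip <src> <wc> <dst> <wc>' or 'deny any any' (constructed subset)."""
    tok = line.split()
    action = tok[0]
    rest = tok[2:] if tok[1] == "ip" else tok[1:]

    def field(tokens):
        if tokens[0] == "any":  # 'any' == 0.0.0.0 with an all-ones wildcard
            return ("0.0.0.0", "255.255.255.255"), tokens[1:]
        return (tokens[0], tokens[1]), tokens[2:]

    src, rest = field(rest)
    dst, rest = field(rest)
    return {"action": action, "src": src, "dst": dst, "matches": 0}

def evaluate(acl, src, dst):
    """First matching ACE wins; no match falls through to the implicit deny."""
    for ace in acl:
        if wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"]):
            ace["matches"] += 1  # same counter 'show ip access-list' reports
            return ace["action"]
    return "deny"  # implicit deny: never counted unless an explicit ACE exists

# Constructed ACLs: the one-way ACL from the question and the two-way fix.
ONE_WAY = ["permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255",
           "deny any any"]
BOTH_WAYS = ["permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255",
             "permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255",
             "deny any any"]

def check_both_directions(lines):
    """Apply one ACL to a request (1.x -> 2.x) and its reply (2.x -> 1.x)."""
    acl = [parse_ace(l) for l in lines]
    forward = evaluate(acl, "192.168.1.10", "192.168.2.20")
    reverse = evaluate(acl, "192.168.2.20", "192.168.1.10")
    counts = {l: a["matches"] for l, a in zip(lines, acl)}
    return forward, reverse, counts
```

With ONE_WAY the reply direction lands on the explicit deny and its counter increments, which is exactly the match count the troubleshooting advice in this thread tells you to look for.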
07-22-2022 12:46 PM
07-22-2022 02:45 PM
Thank you. I completely forgot about that.
I got what I was looking for with that.
07-22-2022 01:13 PM - last edited on 07-23-2022 02:19 AM by Translator
Deny any any
does block all that hits such a rule, but again, the ACL you posted includes networks that need to match too.
If you want to allow all IP and block all else, that might be done with:
permit ip any any
deny any any
07-22-2022 02:47 PM
Yes it was a bad example.
07-22-2022 02:49 PM
This entire session was enlightening even if I gave a bad example.
You both were very helpful and knowledgeable.
Hope to be there someday.
07-22-2022 09:12 AM
https://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html
This doc from Cisco has many ACL examples
using tcp, udp, icmp.
Take a look.