cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
698
Views
10
Helpful
10
Replies

Extended ACL IP Suite Behavior

SailorChris
Level 1
Level 1

What is the behavioral difference in the following?

permit ip 192.168.1.1 0.0.0.255 192.168.2.1 0.0.0.255

deny any any

-and-

permit ip 192.168.1.1 0.0.0.255 192.168.2.1 0.0.0.255 any

deny any any


2 Accepted Solutions

Accepted Solutions

any at end of ACL of IP ?
are you sure the router accept this command ??
there is no any with IP the any after source IP or destaintion IP use only for L4 port.

View solution in original post

If you suspect that the ACL drop the packet or not 

show ip access-list

 
you must see match 
and for troublshouting, 

config deny any any

in end of ACL 
and 

show ip access-list

 
see if

deny any any 

have match or not

View solution in original post

10 Replies 10

any at end of ACL of IP ?
are you sure the router accept this command ??
there is no any with IP the any after source IP or destaintion IP use only for L4 port.

Let me rephrase.

if there is: 

permit ip 192.168.1.1 0.0.0.255 192.168.2.1 0.0.0.255
deny any any

By using the IP Suite, this should allow all TCP, UDP, ICMP protocols. 

I read in another forum that if written like this and a

deny any any 

is at the end, those protocols are dropped if not specifically called on. Is this true?

I have a server connected to one vlan that receives all the information from that vlan and there are three acls connecting the other two vlans to the one however, netstat does not show that it is passing the specific port traffic and the server is not collecting the information as it should. 

"If there is: 

permit ip 192.168.1.1 0.0.0.255 192.168.2.1 0.0.0.255
deny any any

By using the IP Suite, this should allow all TCP, UDP, ICMP protocols."

Only for the source and destination IPs are within the corresponding /24 source and destination networks.

As your source and destination networks are different, you would also need to insure the ACL is applied, correctly, to match source and destination.  I.e. your ACL, if applied to both directions of traffic, would block one direction and permit the other.

A both directions ACL might be written as:

permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
deny any any

BTW, as you're matching /24 networks, usually the network IP would be .0, not .1, although either will function the same.
Also every ACL ends with an explict

deny any any

  Often you only include the ACE, explicitly, it if your looking to obtain a count for packets falling through to end of ACL and/or you wish to "log" such packets.

I was reading in another forum that the deny any any would block the tcp, udp and icmp portion of ip suite.
This is why I ask this.
I am wondering if this was true or not as I have a system right now that I ran netstat on and the ports are not coming through which re-enforces what was stated. I would like to eliminate this prospect but have yet to see the answer.
I have always believed that the ip suite would allow the protocols.

If you suspect that the ACL drop the packet or not 

show ip access-list

 
you must see match 
and for troublshouting, 

config deny any any

in end of ACL 
and 

show ip access-list

 
see if

deny any any 

have match or not

Thank you. I completely forgot about that.

I got what I was looking for with that. 

Deny any any

does block all that hits such a rule, but again, the ACL you posted includes networks that need to match too.

If you want to allow all IP and block all else, that might be done with:

permit ip any any
deny any any

Yes it was a bad example. 

this entire session was enlightening even if I gave a bad example. 

You both were very helpful and knowledgeable. 

Hope to be there someday.

https://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html

This doc. From Cisco for many acl example

Using tcp udp icmp 

Take look

Review Cisco Networking for a $25 gift card