810 Views | 5 Helpful | 5 Replies

Basic query regarding ACL

mukundh86
Level 1

Hi

I have a very basic question regarding ACL operation. Say I have an access-list as follows:

access-list 101 deny ip any host 4.2.2.2

access-list 101 permit tcp any host 4.2.2.2 eq 80

If my understanding is correct, any HTTP traffic to 4.2.2.2 will be denied, right?

For the same access-list, will HTTP traffic to 4.2.2.2 be denied if I replace the first statement with deny icmp any host 4.2.2.2?

Thanks

Mukundh

1 Accepted Solution (cadet alain's reply, below)

5 Replies

Eugene Lau
Cisco Employee

Hi Mukundh,

access-list 101 deny ip any host 4.2.2.2  <<----- denies all IP packets to 4.2.2.2

access-list 101 permit tcp any host 4.2.2.2 eq 80  <<--- is redundant as all packets are dropped by first line (ACE - access control entry)

Edit to clear behaviour up:

access-list 101 deny icmp any host 4.2.2.2 <<------ deny ICMP to 4.2.2.2

access-list 101 permit tcp any host 4.2.2.2 eq 80 <<------ allow only HTTP port 80 request to 4.2.2.2

<<<<<<<<<<<<<<< drop everything else

Thus HTTP port 80 would not be dropped in this type of ACL.

HTH

Eugene

Thanks a lot!!!!

cadet alain
VIP Alumni

Hi Eugene,

For the same access-list, will HTTP traffic to 4.2.2.2 be denied if I replace the first statement with deny icmp any host 4.2.2.2?

I don't agree with you when you say yes to this question, because the second line is a permit, and so replacing the first line with deny icmp will permit HTTP traffic to 4.2.2.2, as the implicit deny is after the second line.

Regards.

Alain.

Don't forget to rate helpful posts.
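The point both replies turn on is first-match evaluation: IOS walks the ACEs top to bottom, the first ACE whose protocol, addresses and port all match decides the packet, and a packet that matches nothing hits the implicit deny at the end. The simulator below is an added example (not code from this thread or from Cisco) that models that rule for the small subset of extended-ACL syntax used here (`permit`/`deny`, `ip`/`tcp`/`icmp`, `any`, `host A.B.C.D`, `A.B.C.D WILDCARD`, optional `eq PORT`). It evaluates the two ACL variants from the question against a constructed HTTP packet, and also flags ACEs that can never be reached because an earlier, broader ACE covers everything they match, which is what makes line 2 of the first variant "redundant". The sample packets and the `shadowed_lines` check are assumptions made for illustration; they are not an IOS feature.

```python
"""First-match simulator for a subset of Cisco IOS extended ACL syntax.

Added example, not code from the thread or from Cisco. Only the syntax seen
in the thread is modelled; anything else raises ValueError.
"""
from ipaddress import IPv4Address

ANY = (0, 0xFFFFFFFF)  # (network, wildcard): a wildcard of all ones matches everything


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' at tokens[i]; return (spec, next_i)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (int(IPv4Address(tokens[i + 1])), 0), i + 2
    # Cisco wildcard mask: a 1 bit means "don't care" for that bit
    return (int(IPv4Address(tokens[i])), int(IPv4Address(tokens[i + 1]))), i + 2


def parse_ace(line):
    """Turn one 'access-list N permit|deny PROTO SRC DST [eq PORT]' line into a dict."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line}")
    ace = {"acl": t[1], "action": t[2], "proto": t[3], "port": None}
    ace["src"], i = _parse_addr(t, 4)
    ace["dst"], i = _parse_addr(t, i)
    if i < len(t):
        if t[i] != "eq":
            raise ValueError(f"unsupported port operator: {t[i]}")
        ace["port"] = int(t[i + 1])
    return ace


def _addr_matches(spec, addr):
    net, wild = spec
    care = ~wild & 0xFFFFFFFF  # bits the ACE actually compares
    return (addr & care) == (net & care)


def _ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if not _addr_matches(ace["src"], int(IPv4Address(pkt["src"]))):
        return False
    if not _addr_matches(ace["dst"], int(IPv4Address(pkt["dst"]))):
        return False
    return ace["port"] is None or ace["port"] == pkt.get("dport")


def evaluate(acl_lines, pkt):
    """First match wins. Returns (action, 1-based line); ('deny', None) means the implicit deny."""
    for n, line in enumerate(acl_lines, 1):
        ace = parse_ace(line)
        if _ace_matches(ace, pkt):
            return ace["action"], n
    return "deny", None


def _spec_covers(outer, inner):
    """True if every address matched by inner is also matched by outer."""
    onet, owild = outer
    inet, iwild = inner
    care = ~owild & 0xFFFFFFFF
    return (iwild & care) == 0 and ((onet ^ inet) & care) == 0


def shadowed_lines(acl_lines):
    """1-based lines that can never match because an earlier ACE covers all their traffic."""
    aces = [parse_ace(line) for line in acl_lines]
    shadowed = []
    for j, later in enumerate(aces):
        for earlier in aces[:j]:
            proto_ok = earlier["proto"] in ("ip", later["proto"])
            port_ok = earlier["port"] is None or earlier["port"] == later["port"]
            if (proto_ok and port_ok and _spec_covers(earlier["src"], later["src"])
                    and _spec_covers(earlier["dst"], later["dst"])):
                shadowed.append(j + 1)
                break
    return shadowed


# The two variants discussed in the thread.
ACL_DENY_IP = [
    "access-list 101 deny ip any host 4.2.2.2",
    "access-list 101 permit tcp any host 4.2.2.2 eq 80",
]
ACL_DENY_ICMP = [
    "access-list 101 deny icmp any host 4.2.2.2",
    "access-list 101 permit tcp any host 4.2.2.2 eq 80",
]
# Constructed sample packets (source address is an assumption).
HTTP_TO_4222 = {"proto": "tcp", "src": "10.0.0.5", "dst": "4.2.2.2", "dport": 80}
ICMP_TO_4222 = {"proto": "icmp", "src": "10.0.0.5", "dst": "4.2.2.2"}

if __name__ == "__main__":
    print("deny ip   first:", evaluate(ACL_DENY_IP, HTTP_TO_4222), "shadowed:", shadowed_lines(ACL_DENY_IP))
    print("deny icmp first:", evaluate(ACL_DENY_ICMP, HTTP_TO_4222), "shadowed:", shadowed_lines(ACL_DENY_ICMP))
    print("icmp, deny icmp first:", evaluate(ACL_DENY_ICMP, ICMP_TO_4222))
```

Run as a script it reports that HTTP is denied by line 1 of the first variant (and line 2 is shadowed), while in the second variant HTTP is permitted by line 2, ICMP is denied by line 1, and anything else (for example TCP/443 to the same host) falls through to the implicit deny. On a real router the equivalent check is the per-ACE hit counter in `show access-lists`: an ACE whose counter never moves while traffic it should match is flowing is a sign it is shadowed by an earlier line.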

Alain, you are correct! Apologies, I read it wrong when I answered yes.

I think I over-complicated the description as well when I mentioned that HTTP to 4.2.2.2 would still be allowed. Will edit.

Thanks a lot Alain