12663 Views, 0 Helpful, 2 Replies

Confirmation on "deny any any log"

news2010a (Level 3)

Folks, just wanted to confirm this is right:

Imagine people are not sure which IPs should be allowed on a certain ACL. Then I need to find it. I thought about adding a "deny any any log" to the end of the ACL. The way I understand it, the "deny any any" is at the end of every single ACL anyway, and all I will do is gather "log" output, correct?

ip access-list extended MYACL
 10 permit icmp any any
 20 permit ip host 1.1.1.1 any
 30 permit, etc
 40 deny ...
 100 permit ip any any
 200 deny ip any any log   <=== Add deny here

Accepted Solution

Richard Burts (Hall of Fame)

Marlon

Conceptually you are correct that every access list has a deny any any at its end. And what you are doing is to make that explicit and adding the log parameter which will generate a log record showing what was denied.

This is the only reliable way to determine what should have been permitted and that was missed in constructing the access list.

Be aware that when you use the log parameter in the access list it will result in process switching of that packet since the CPU must be engaged to create the log entry.

And in the particular example that you give, specifying the deny any any log is useless. If the preceding line was permit any any, then nothing will ever hit the final deny any any log.

HTH

Rick

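The ordering point in Rick's answer, as an added example that is not part of this thread: a small first-match evaluator for IOS-style extended ACL entries that appends the implicit deny, reports which entries can never match because an earlier entry fully covers them, and shows which line a sample packet hits. The ACL below is constructed to mirror the post (line 40 is filled in with a sample tcp deny, addresses are documentation ranges); the `any`/`host`/wildcard parsing is a simplification of the IOS syntax, not Cisco's code.

```python
import ipaddress
from collections import namedtuple

# seq, action ("permit"/"deny"), proto ("ip" matches all), src/dst networks, log flag
Ace = namedtuple("Ace", "seq action proto src dst log")
ANY = ipaddress.ip_network("0.0.0.0/0")
IMPLICIT = -1  # pseudo sequence number for the implicit deny every ACL ends with

def _addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (wildcard mask)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)

def parse_acl(lines):
    """Parse 'seq action proto src dst [log]' lines and append the implicit deny."""
    aces = []
    for line in lines:
        seq, action, proto, *rest = line.split()
        src, dst = _addr(rest), _addr(rest)
        aces.append(Ace(int(seq), action, proto, src, dst, "log" in rest))
    aces.append(Ace(IMPLICIT, "deny", "ip", ANY, ANY, False))
    return aces

def lookup(aces, proto, src, dst):
    """First-match evaluation: the first ACE that matches the packet decides it."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for a in aces:
        if a.proto in ("ip", proto) and s in a.src and d in a.dst:
            return a
    raise ValueError("no match; was the implicit deny appended?")

def shadowed(aces):
    """Seq numbers of ACEs that can never match because an earlier ACE covers them."""
    return [a.seq for i, a in enumerate(aces)
            if any(b.proto in ("ip", a.proto) and a.src.subnet_of(b.src)
                   and a.dst.subnet_of(b.dst) for b in aces[:i])]

# Constructed ACL mirroring the post; line 40 filled in with a sample tcp deny.
MYACL = [
    "10 permit icmp any any",
    "20 permit ip host 1.1.1.1 any",
    "40 deny tcp 10.0.0.0 0.0.0.255 any",
    "100 permit ip any any",
    "200 deny ip any any log",
]
print("unreachable entries:", shadowed(parse_acl(MYACL)))  # [200, -1]
```

Removing line 100 makes line 200 reachable, so an unexpected udp packet is denied and logged; note that the sample line 40 still denies silently, since a deny without `log` produces no record.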

2 Replies


If I do not add the "deny ip any any", will it allow the traffic to flow?
