08-25-2019 02:53 AM
This document shows a list of IP protocols that are possible in the protocol field of the IPv4 header. ICMP is protocol 1, TCP is 6, and UDP is 17. If I use a "permit ip any any" in a Cisco extended ACL, what protocol(s) are included in the permit statement?
```
SWITCH(config-ext-nacl)#permit ?
  <0-255>  An IP protocol number
  ahp      Authentication Header Protocol
  eigrp    Cisco's EIGRP routing protocol
  esp      Encapsulation Security Payload
  gre      Cisco's GRE tunneling
  icmp     Internet Control Message Protocol
  igmp     Internet Gateway Message Protocol
  ip       Any Internet Protocol
  ipinip   IP in IP tunneling
  nos      KA9Q NOS compatible IP over IP tunneling
  ospf     OSPF routing protocol
  pcp      Payload Compression Protocol
  pim      Protocol Independent Multicast
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol
SWITCH(config-ext-nacl)#
```
08-25-2019 12:29 PM - edited 08-25-2019 12:32 PM
Hello Brian,
the permit ip any any statement covers all possible protocols over IPv4.
In other words, to satisfy this statement it is enough to have a valid IPv4 packet with any source address and any destination, regardless of whatever upper layer is involved (UDP or TCP or OSPF or L2TPv3, which is protocol 115 in decimal).
As noted by Martin, this kind of statement stops the packet examination at OSI layer 3 only, and it does not care about the L4 protocol in use.
In ACLs, especially for security reasons, we are asked to configure the most specific statements, so for example it is common to see requirements that say host A of Client X should be able to contact a server B in a datacenter on TCP port 445 (the list of ports to be allowed may sometimes be long).
There are use cases for permit ip any any:
especially if you design an ACL with a deny-first logic (also called negative logic), after several specific deny statements you want to allow everything else (overriding the hidden deny any any logic in the ACL).
In cases like this, permit ip any any is very handy.
As noted by Martin in ACLs the order of statements is very important to achieve the desired effects.
Hope to help
Giuseppe
08-25-2019 04:12 AM - edited 08-25-2019 04:12 AM
permit ip any any is itself self-explanatory: it means any source to any destination is allowed on the particular interface where this ACL is applied.
Good examples nearby for you to understand:
https://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html
https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/8014-acl-wp.html
08-25-2019 08:25 AM
You also need to know where you are in the OSI model. IP works in L3, TCP/UDP are L4.
For example, if you do line 10 permit ip any any, then line 40 deny tcp, line 40 will not work. You have to move line 40 below 10, like line 9, to block the TCP connection.
Regards, ML
**Please Rate All Helpful Responses**
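The two points made in this thread, that the `ip` keyword matches every IPv4 protocol number and that a specific entry placed after `permit ip any any` is never reached, as an added Python example that is not from the thread or from Cisco. It models only the protocol keyword of each entry and assumes source and destination are `any any`; the `shadowed` lint and the ACLs `BROKEN` and `FIXED` are constructed for illustration.

```python
# Added example, not code from the thread or from Cisco: a small first-match
# evaluator for the protocol keyword of Cisco-style extended ACL entries.
# Addresses are assumed to be "any any" throughout, so only the protocol
# keyword is modelled.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IPv4 protocol numbers mentioned in the thread
PROTO = {"icmp": 1, "tcp": 6, "udp": 17, "ospf": 89, "l2tpv3": 115}


def proto_number(p: str) -> Optional[int]:
    """None for 'ip' (any protocol), else the numeric protocol value."""
    if p == "ip":
        return None
    return PROTO[p] if p in PROTO else int(p)   # keyword or <0-255> as text


@dataclass(frozen=True)
class Ace:
    seq: int       # sequence number (line 10, line 40, ...)
    action: str    # "permit" or "deny"
    proto: str     # "ip", a keyword from PROTO, or a number 0-255 as text

    def matches(self, proto_num: int) -> bool:
        n = proto_number(self.proto)
        return n is None or n == proto_num   # 'ip' stops at layer 3


def evaluate(acl: List[Ace], proto_num: int) -> Tuple[Optional[int], str]:
    """First matching entry wins; the implicit deny at the end gives (None, 'deny')."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace.matches(proto_num):
            return ace.seq, ace.action
    return None, "deny"


def shadowed(acl: List[Ace]) -> List[int]:
    """Sequence numbers of entries that can never be hit because an earlier
    entry already matches everything they would (an earlier 'ip' entry or the
    same protocol)."""
    ordered = sorted(acl, key=lambda a: a.seq)
    return [ace.seq for i, ace in enumerate(ordered)
            if any(proto_number(e.proto) in (None, proto_number(ace.proto))
                   for e in ordered[:i])]


# Constructed ACLs: the ordering from ML's post, and the corrected one
BROKEN = [Ace(10, "permit", "ip"), Ace(40, "deny", "tcp")]
FIXED = [Ace(9, "deny", "tcp"), Ace(10, "permit", "ip")]

if __name__ == "__main__":
    print(evaluate(BROKEN, PROTO["tcp"]))    # (10, 'permit'): line 40 never hit
    print(shadowed(BROKEN))                  # [40]
    print(evaluate(FIXED, PROTO["tcp"]))     # (9, 'deny')
    print(evaluate(FIXED, PROTO["l2tpv3"]))  # (10, 'permit'): 'ip' covers 115
```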