6541 Views, 10 Helpful, 4 Replies

What IP protocols does "permit ip any any" include?

Sam Brynes
Level 1

This document shows a list of IP protocols that are possible in the protocol field of the IPv4 header. ICMP is protocol 1, TCP is 6, and UDP is 17. If I use a "permit ip any any" in a Cisco extended ACL, what protocol(s) are included in the permit statement?

 

SWITCH(config-ext-nacl)#permit ?
<0-255> An IP protocol number
ahp Authentication Header Protocol
eigrp Cisco's EIGRP routing protocol
esp Encapsulation Security Payload
gre Cisco's GRE tunneling
icmp Internet Control Message Protocol
igmp Internet Gateway Message Protocol
ip Any Internet Protocol
ipinip IP in IP tunneling
nos KA9Q NOS compatible IP over IP tunneling
ospf OSPF routing protocol
pcp Payload Compression Protocol
pim Protocol Independent Multicast
tcp Transmission Control Protocol
udp User Datagram Protocol

SWITCH(config-ext-nacl)#

Accepted Solution

Giuseppe Larosa
Hall of Fame

Hello Brian,

The permit ip any any statement covers all possible protocols over IPv4.

 

In other words, to satisfy this statement it is enough to have a valid IPv4 packet with any source address and any destination, regardless of whatever upper layer is involved (UDP or TCP or OSPF or L2TPv3, which is protocol 115 in decimal).

As noted by Martin, this kind of statement stops the packet examination at OSI layer 3 only, and it does not care about the L4 protocol in use.

In ACLs, especially for security reasons, we are asked to configure the most specific statements, so for example it is common to see requirements that say host A of Client X should be able to contact a server B in a datacenter on TCP port 445 (the list of ports to be allowed may sometimes be long).

 

There are use cases for permit ip any any:

especially if you design an ACL with deny-first logic (also called negative logic), after several specific deny statements you want to allow everything else (overriding the hidden deny any any at the end of the ACL).

In cases like this permit ip any any is very handy.

As noted by Martin, in ACLs the order of statements is very important to achieve the desired effects.

 

Hope to help

Giuseppe

 


4 Replies

balaji.bandi
Hall of Fame

permit ip any any is itself self-explanatory: it means any source to any destination is allowed on the particular interface where the ACL is applied.

 

Good examples nearby to help you understand:

https://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html

https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/8014-acl-wp.html

BB


Martin L
VIP

 

You also need to know where you are in the OSI model. IP works at L3; TCP/UDP are L4.

For example, if you do line 10 permit ip any any, then line 40 deny tcp, line 40 will not work. You have to move line 40 below 10, like line 9, to block TCP connections.

 

 

Regards, ML

Joseph W. Doherty
Hall of Fame
"If I use a "permit ip any any" in a Cisco extended ACL, what protocol(s) are included in the permit statement?"

Any/all, i.e. from 0..255.

BTW, you are not limited to those the device supports with symbolic labels. I.e. if you enter IP protocol number 1 or ICMP, the result is the same. If there is no symbolic label, you can only enter the protocol number.
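The three points made in the replies above (Giuseppe's note that permit ip any any matches every IPv4 payload protocol and his deny-first design, Martin's example of a deny tcp line shadowed behind permit ip any any, and Joseph's point that protocol number 1 and the icmp keyword match identically) can be checked with a small simulator of IOS extended-ACL matching. This is an added example for this page, not Cisco code and not posted by any participant in the thread. It models only first-match evaluation by sequence number, the implicit deny at the end, protocol keywords or numbers, exact host addresses and an exact destination port; wildcard masks and other operators are left out. The addresses, ports and sequence numbers are constructed for the example.

```python
"""Simulator of Cisco IOS extended-ACL matching (added example, not Cisco code).

Modelled semantics: lines are evaluated in ascending sequence order, the first
match wins, and an unmatched packet hits the implicit 'deny ip any any'. The
keyword 'ip' matches every IPv4 protocol number (0-255); 'tcp', 'udp', 'icmp'
... match only their IANA numbers; a bare decimal number equals its keyword.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# IOS symbolic keywords -> IANA protocol numbers (subset of the 'permit ?' list).
PROTO_KEYWORDS = {
    "icmp": 1, "igmp": 2, "ipinip": 4, "tcp": 6, "udp": 17, "gre": 47,
    "esp": 50, "ahp": 51, "eigrp": 88, "ospf": 89, "pim": 103, "pcp": 108,
}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int                   # IPv4 header protocol field, 0-255
    dport: Optional[int] = None  # destination port, TCP/UDP only

@dataclass(frozen=True)
class Rule:
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", a keyword, or a decimal number string
    src: str = "any"             # exact host or "any" (wildcard masks not modelled)
    dst: str = "any"
    dport: Optional[int] = None  # 'eq <port>'; None = any port

    def proto_matches(self, pkt: Packet) -> bool:
        if self.proto == "ip":
            return 0 <= pkt.proto <= 255      # any IPv4 payload protocol at all
        if self.proto.isdigit():
            return pkt.proto == int(self.proto)
        return pkt.proto == PROTO_KEYWORDS[self.proto]

    def matches(self, pkt: Packet) -> bool:
        return (self.proto_matches(pkt)
                and self.src in ("any", pkt.src)
                and self.dst in ("any", pkt.dst)
                and (self.dport is None or self.dport == pkt.dport))

@dataclass
class ExtendedACL:
    rules: List[Rule] = field(default_factory=list)

    def add(self, rule: Rule) -> "ExtendedACL":
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.seq)  # IOS keeps lines in sequence order
        return self

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """(action, seq) of the first matching line; ('deny', None) is the implicit deny."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action, rule.seq
        return "deny", None

def permitted_protocols(acl: ExtendedACL) -> Set[int]:
    """Protocol numbers that a portless probe between two arbitrary hosts gets through."""
    return {p for p in range(256)
            if acl.evaluate(Packet("198.51.100.1", "203.0.113.1", p))[0] == "permit"}

def ordering_acl(deny_seq: int) -> ExtendedACL:
    """Martin's example: 'permit ip any any' at 10 plus 'deny tcp any any' at deny_seq.
    With deny_seq=40 the deny is shadowed; with deny_seq=9 it is evaluated first."""
    return ExtendedACL().add(Rule(10, "permit", "ip")).add(Rule(deny_seq, "deny", "tcp"))

def negative_logic_acl() -> ExtendedACL:
    """Giuseppe's deny-first design: specific denies, then permit everything else.
    The server address and ports are constructed for this example."""
    return (ExtendedACL()
            .add(Rule(10, "deny", "tcp", dst="10.0.0.5", dport=445))
            .add(Rule(20, "deny", "udp", dst="10.0.0.5", dport=161))
            .add(Rule(30, "permit", "ip")))

if __name__ == "__main__":
    smb = Packet("198.51.100.1", "10.0.0.5", 6, 445)
    print("deny tcp at 40:", ordering_acl(40).evaluate(smb))        # ('permit', 10)
    print("deny tcp at 9: ", ordering_acl(9).evaluate(smb))         # ('deny', 9)
    print("negative logic:", negative_logic_acl().evaluate(smb))    # ('deny', 10)
    l2tpv3 = Packet("198.51.100.1", "10.0.0.5", 115)
    print("L2TPv3 (115): ", negative_logic_acl().evaluate(l2tpv3))  # ('permit', 30)
    print("protocols behind 'permit ip any any':", len(permitted_protocols(ordering_acl(40))))  # 256
    print("only 'permit tcp any any':", permitted_protocols(ExtendedACL([Rule(10, "permit", "tcp")])))  # {6}
```

permitted_protocols() is the check worth keeping: run it against a real ACL's intent and any line whose permitted set is all 256 numbers is a permit ip any any in effect, whatever it was meant to filter. The ordering_acl(9) versus ordering_acl(40) pair reproduces Martin's shadowing point, and the two deny lines in negative_logic_acl() are only reached because they sort ahead of the final permit ip.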
