
Confirmation on "deny any any log"

Folks, just wanted to confirm this is right:

Imagine people are not sure which IPs should be allowed on a certain ACL. Then I need to find them. I thought about adding a "deny any any log" to the end of the ACL. The way I understand it, the "deny any any" is at the end of every single ACL anyway and all I will do is gather "log" output, correct?

ip access-list extended MYACL
 10 permit icmp any any
 20 permit ip host 1.1.1.1 any
 30 permit, etc
 40 deny ...
 100 permit ip any any
 200 deny ip any any log   <=== Add deny here

Accepted Solution

Re: Confirmation on "deny any any log"

Marlon

Conceptually you are correct that every access list has a deny any any at its end. And what you are doing is making that explicit and adding the log parameter, which will generate a log record showing what was denied.

This is the only reliable way to determine what should have been permitted and that was missed in constructing the access list.

Be aware that when you use the log parameter in the access list it will result in process switching of that packet since the CPU must be engaged to create the log entry.

And in the particular example that you give, specifying the deny any any log is useless. If the preceding line was permit any any then nothing will ever hit the final deny any any log.

HTH

Rick
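The two points in the thread, that a logging deny placed after "permit ip any any" can never be hit, and that the log records from a reachable "deny ip any any log" are the way to discover which permits are missing, as an added example. This is not code from the thread or from Cisco: it is a small first-match ACL evaluator over the question's MYACL (seq 30 and 40 left out because the post elides them), a check for entries shadowed by a blanket "ip any any" line, and a parser for %SEC-6-IPACCESSLOGP syslog lines. The syslog lines below are constructed, not captured from a device.

```python
# Added example, not code from the thread or from Cisco: a first-match ACL
# evaluator that shows why a logging deny placed after "permit ip any any"
# never fires, plus a parser that turns %SEC-6-IPACCESSLOGP syslog lines from
# a reachable "deny ip any any log" entry into a list of what was blocked.
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Ace:
    """One access-control entry. src/dst are CIDR strings or 'any'."""
    seq: int
    action: str      # "permit" or "deny"
    proto: str       # "ip" matches every protocol, otherwise tcp/udp/icmp
    src: str
    dst: str
    log: bool = False


def _net(spec):
    return ip_network("0.0.0.0/0" if spec == "any" else spec)


def _matches(ace, proto, src, dst):
    if ace.proto != "ip" and ace.proto != proto:
        return False
    return ip_address(src) in _net(ace.src) and ip_address(dst) in _net(ace.dst)


def evaluate(acl, proto, src, dst):
    """First-match evaluation in sequence order.

    Returns (action, seq_hit, logged). Falling off the end hits the implicit
    deny, which is never logged; that is the reason for adding an explicit
    "deny ip any any log" as the last entry.
    """
    for ace in sorted(acl, key=lambda a: a.seq):
        if _matches(ace, proto, src, dst):
            return ace.action, ace.seq, ace.log
    return "deny", None, False


def unreachable_entries(acl):
    """Sequence numbers shadowed by an earlier blanket 'ip any any' entry."""
    ordered = sorted(acl, key=lambda a: a.seq)
    for i, ace in enumerate(ordered):
        if ace.proto == "ip" and ace.src == "any" and ace.dst == "any":
            return [a.seq for a in ordered[i + 1:]]
    return []


# The ACL from the question (seq 30/40 omitted because the post elides them),
# with the protocol keyword an IOS extended ACL requires.
MYACL = [
    Ace(10, "permit", "icmp", "any", "any"),
    Ace(20, "permit", "ip", "1.1.1.1/32", "any"),
    Ace(100, "permit", "ip", "any", "any"),
    Ace(200, "deny", "ip", "any", "any", log=True),
]
# Same list without the blanket permit at seq 100, so seq 200 is reachable.
MYACL_WITHOUT_BLANKET_PERMIT = [a for a in MYACL if a.seq != 100]

# IOS logs the first packet that matches a "log" entry right away and then a
# count of further matches at intervals, so the parser weights by packet count.
_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed syslog lines in the %SEC-6-IPACCESSLOGP (tcp/udp) format.
SAMPLE_LOG = [
    "Mar  1 10:00:01.123: %SEC-6-IPACCESSLOGP: list MYACL denied tcp "
    "10.1.1.5(51234) -> 10.2.2.20(443), 1 packet",
    "Mar  1 10:05:01.456: %SEC-6-IPACCESSLOGP: list MYACL denied tcp "
    "10.1.1.5(51240) -> 10.2.2.20(443), 35 packets",
    "Mar  1 10:05:02.000: %SEC-6-IPACCESSLOGP: list MYACL denied udp "
    "10.1.1.9(40000) -> 10.2.2.53(53), 4 packets",
    "Mar  1 10:06:00.000: %SEC-6-IPACCESSLOGP: list MYACL permitted tcp "
    "10.1.1.7(2000) -> 10.2.2.20(22), 1 packet",
]


def summarize_denies(lines, acl_name="MYACL"):
    """Packets denied per (proto, src, dst, dport): the candidate permits the
    question is trying to discover."""
    hits = Counter()
    for line in lines:
        m = _LOG_RE.search(line)
        if m and m["acl"] == acl_name and m["action"] == "denied":
            hits[(m["proto"], m["src"], m["dst"], int(m["dport"]))] += int(m["count"])
    return hits


if __name__ == "__main__":
    print(evaluate(MYACL, "tcp", "10.1.1.5", "10.2.2.20"))
    print(evaluate(MYACL_WITHOUT_BLANKET_PERMIT, "tcp", "10.1.1.5", "10.2.2.20"))
    print("shadowed:", unreachable_entries(MYACL))
    for key, n in summarize_denies(SAMPLE_LOG).most_common():
        print(n, *key)
```

With the blanket permit in place, the evaluator reports that traffic stops at seq 100 and seq 200 is shadowed; with it removed, the same packet lands on seq 200 with logging set, and the summary of denied tuples is the input for deciding which explicit permits to add. Only tcp/udp messages are parsed here; ICMP and other protocols use the related IPACCESSLOGDP and IPACCESSLOGNP formats, which are not handled by this regex.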
