Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Webcast-Catalyst9k
New Member

Permit Access-list command followed by permit ip any any

Hi.I was wondering why the access-list below (from a practice test question) has the 10 and 40 permit commands when It ends with permit ip any any.

  If there going to be permitted with the ip any any, what's the point of Issuing those specific commands? Is It for logging the hit counts ?

      

Extended IP access list stop-packets

   10 permit tcp host 10.1.1.2 eq www any (12 matches)

   20 deny   udp host 10.1.1.1 10.1.2.0 0.0.0.255 (0 matches)

   30 deny   ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255 (3452 matches)

   40 permit tcp 10.1.4.0 0.0.1.255 10.1.5.0 0.0.0.255 eq www any (3 matches)

   70 permit ip any any (0 matches)

2 ACCEPTED SOLUTIONS

Accepted Solutions
Hall of Fame Super Gold

Permit Access-list command followed by permit ip any any

Without knowing more about the environment in which the access list was developed and in which it is used it is difficult to say with certainty why something was done. But the most logical explanation for the permit statements at 10 and at 40 was that they wanted to see the hit count for these particular types of traffic.

HTH

Rick

Permit Access-list command followed by permit ip any any

Hi,

Always ACL filtering happens in a sequence. Having the permit ip any any in the end will permit all the traffic except the deny ACL mentioned in the Line 20 or 30. However they could have made the ACL to have those 2 deny statements on the top and permit ip any any on the end. May be for a specific case they would have written that ACL for only http traffic from the specific hosts to be monitored or something. As far as we see there is no hits in the permit ip any any. So all the traffic is hitting only http port from those 2 lines.

If they do cut through proxy method all the denied traffic will bypass the proxy and permit statements will have the proxy authentication. But in this case am not sure cut through proxy will come in to the picture.

Please do rate if the given information helps.

By

Karthik

2 REPLIES
Hall of Fame Super Gold

Permit Access-list command followed by permit ip any any

Without knowing more about the environment in which the access list was developed and in which it is used it is difficult to say with certainty why something was done. But the most logical explanation for the permit statements at 10 and at 40 was that they wanted to see the hit count for these particular types of traffic.

HTH

Rick

Permit Access-list command followed by permit ip any any

Hi,

Always ACL filtering happens in a sequence. Having the permit ip any any in the end will permit all the traffic except the deny ACL mentioned in the Line 20 or 30. However they could have made the ACL to have those 2 deny statements on the top and permit ip any any on the end. May be for a specific case they would have written that ACL for only http traffic from the specific hosts to be monitored or something. As far as we see there is no hits in the permit ip any any. So all the traffic is hitting only http port from those 2 lines.

If they do cut through proxy method all the denied traffic will bypass the proxy and permit statements will have the proxy authentication. But in this case am not sure cut through proxy will come in to the picture.

Please do rate if the given information helps.

By

Karthik

2303
Views
0
Helpful
2
Replies
CreatePlease to create content