ACL Question

rewind Member Posts: 40
In an extended ACL, say you add the line: permit ip any any. Will this allow esp, eigrp, ospf, and all the other protocols that are listed when you use IOS help after typing permit?

Comments

  • phantasm Member Posts: 995
    I'll take a shot at this question.

    Since IP is a layer 2 protocol (Network) and so is OSPF, EIGRP, RIP, BGP, IGRP and so on and so forth; theoretically, yes it would.

    I'll try it when I get home on the lab. But I believe it should.

    If I am wrong, someone correct me. Thanks.
    "No man ever steps in the same river twice, for it's not the same river and he's not the same man." -Heraclitus
  • rewind Member Posts: 40
    Actually sir, IP is layer 3 and BGP is layer 4.

    Thanks for the reply though!
  • Pash Member Posts: 1,600
    Actually sir, IP is layer 3 and BGP is layer 4.

    Thanks for the reply though!

    I think he got his DoD and OSI model mixed up.

    If you do not specify, yes it does allow them all. HTH.

    Cheers,
    DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
  • dtlokee Member Posts: 2,378
    IP is indeed layer 3

    If you use a permit ip any any, you're telling the router to allow anything that has an IP header regardless of what's in the header. EIGRP for IP uses IP protocol 88 so it has an IP header therefore it will be allowed.
    The only easy day was yesterday!
  • phantasm Member Posts: 995
    In my own defense, I forgot to count the physical layer since there are no protocols contained within. lol.
    "No man ever steps in the same river twice, for it's not the same river and he's not the same man." -Heraclitus
  • tech-airman Member Posts: 953
    In an extended ACL, say you add the line: permit ip any any. Will this allow esp, eigrp, ospf, and all the other protocols that are listed when you use IOS help after typing permit?

    silentbobby,

    The answer to your question is the wonderful "it depends."

    If you specifically have a "deny" statement prior to the "permit ip any any" statement, then whatever you specifically denied will NOT get through. Whatever wasn't specifically denied WILL get through.

    If you specifically have a "deny" statement after the "permit ip any any" statement, then everything will get through, because anything matches the statement "any any" and the subsequent "deny" statements are therefore ignored.

    Then again, unless this ACL is applied to an interface, the ACL won't block anything.

    I hope this helps.
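    To make the two points in this thread concrete (a "permit ip any any" matches every IP protocol, and only the first matching line of an ACL counts), here is a small Python model of IOS first-match ACL evaluation. This is an added example, not code from the thread or from Cisco; it simplifies addresses to "any" or CIDR prefixes (real IOS uses wildcard masks) and uses the IANA protocol numbers for the IOS keywords shown.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# IOS protocol keyword -> IP protocol number (IANA). "ip" matches any protocol,
# which is why "permit ip any any" also admits ESP, EIGRP and OSPF.
PROTO = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "esp": 50, "eigrp": 88, "ospf": 89}


@dataclass
class Entry:
    action: str   # "permit" or "deny"
    proto: str    # IOS keyword from PROTO
    src: str      # "any" or a CIDR prefix (simplification of IOS wildcard masks)
    dst: str


def parse(lines):
    """Parse lines such as 'deny ospf any any' into Entry objects."""
    return [Entry(*line.split()) for line in lines]


def _addr_match(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def _proto_match(keyword, proto_num):
    wanted = PROTO[keyword]
    return wanted is None or wanted == proto_num


def evaluate(acl, proto_num, src, dst):
    """Return (action, index of the matching line). Lines are checked top-down
    and the first match wins; a packet that matches nothing hits the implicit
    'deny ip any any' at the end, reported here as index None."""
    for idx, e in enumerate(acl):
        if (_proto_match(e.proto, proto_num) and _addr_match(e.src, src)
                and _addr_match(e.dst, dst)):
            return e.action, idx
    return "deny", None


# Constructed ACLs illustrating the three cases discussed above.
ACL_PERMIT_ALL = parse(["permit ip any any"])
ACL_DENY_FIRST = parse(["deny ospf any any", "permit ip any any"])
ACL_DENY_AFTER = parse(["permit ip any any", "deny ospf any any"])  # deny is shadowed

if __name__ == "__main__":
    # Constructed packets: EIGRP (88) and OSPF (89) hellos, and an ESP (50) tunnel packet.
    print(evaluate(ACL_PERMIT_ALL, 88, "10.0.0.1", "224.0.0.10"))   # ('permit', 0)
    print(evaluate(ACL_DENY_FIRST, 89, "10.0.0.1", "224.0.0.5"))    # ('deny', 0)
    print(evaluate(ACL_DENY_AFTER, 89, "10.0.0.1", "224.0.0.5"))    # ('permit', 0)
    print(evaluate(ACL_DENY_FIRST, 50, "192.0.2.1", "198.51.100.1")) # ('permit', 1)
```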
  • rewind Member Posts: 40
    Thank you all so much for your input. I am never let down in this forum :)

    Take care,
    Chris