Thursday, September 16, 2010

Applying a nonexistent access list to an interface in IOS

An interesting issue came up at work that puzzled me. I know from experience that if you configure an access list in IOS and there is no entry in it, it acts as a permit any...and once there is an ACE in the access list, the deny-by-default function begins. However, what if an access list that doesn't exist is applied to an interface? Does it deny or accept?

Wendell Odom indicated in one article that it might deny all traffic:

"Implicit deny at the end of every access-list. Check first if you have it applied somewhere (interface, NAT, protocol, ...), else you can block all traffic when you point to non-existent access list"

But that wasn't good enough for me. I had to know for sure. Fortunately I was on a 6500 and had the luxury of polling the TCAM. Here is the scenario:

A dummy interface is configured and given a valid ingress access list and a nonexistent egress access list.

interface GigabitEthernet1/1
description dummy interface
ip address 10.10.10.9 255.255.255.248
ip access-group traffic_IN in
ip access-group traffic_OUT out

Let's see what happens.

Router#show tcam int gi1/1 acl out ip

* Global Defaults shared

Entries from Bank 0

permit ip any any (128 matches)

Entries from Bank 1

The TCAM is showing it is permitting all traffic, just like it would for an empty access list. I am not saying Odom is incorrect; this is just the behavior on a 6500 running 12.2SX* code. Since 6500s handle access lists in the TCAM, it might accept whereas a software-based router (e.g. a 7200) might deny. It is nice that the 6500 has a means to show us this without really messing with the access list config and possibly contaminating the scene. In addition, a quick search will show you that, depending on what you do with an access list, all sorts of different things can happen, in line with Odom's statement regarding NAT, protocols, etc.
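Whichever way a given platform resolves it, an access-group that points at an undefined or empty ACL is a filter that is not filtering. The script below is an added example (not from the original post) that audits a saved running-config for exactly that: it counts the ACEs of every defined ACL and flags each ip access-group whose ACL is missing or has no entries. The config text is constructed for the example; parsing and the access-list syntax it accepts are assumptions, not a product API.

```python
import re

# Constructed sample running-config (not taken from the page's 6500):
# traffic_OUT is applied but never defined; empty_ACL is defined with no ACEs.
SAMPLE_CONFIG = """\
ip access-list extended traffic_IN
 permit tcp any host 10.10.10.9 eq 22
ip access-list extended empty_ACL
access-list 101 permit ip any any
interface GigabitEthernet1/1
 ip access-group traffic_IN in
 ip access-group traffic_OUT out
interface GigabitEthernet1/2
 ip access-group empty_ACL in
 ip access-group 101 out
"""

def ace_counts(config):
    """Map every defined ACL (named or numbered) to its permit/deny ACE count."""
    acls, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"ip access-list (?:standard|extended) (\S+)", line):
            current = m.group(1)                   # named ACL header
            acls.setdefault(current, 0)
        elif m := re.match(r"access-list (\d+) (?:permit|deny)", line):
            acls[m.group(1)] = acls.get(m.group(1), 0) + 1   # numbered ACE
        elif current and re.match(r" +(?:\d+ )?(?:permit|deny)\b", line):
            acls[current] += 1                     # ACE inside the named ACL
        elif not line.startswith(" "):
            current = None                         # left the named-ACL block
    return acls

def unfiltered_access_groups(config):
    """Return (interface, acl, direction, reason) for each ip access-group
    whose ACL is undefined or has no ACEs, i.e. filters nothing."""
    acls, iface, findings = ace_counts(config), None, []
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            iface = m.group(1)
        elif iface and (m := re.match(r" +ip access-group (\S+) (in|out)", line)):
            acl, direction = m.groups()
            if acl not in acls:
                findings.append((iface, acl, direction, "undefined"))
            elif acls[acl] == 0:
                findings.append((iface, acl, direction, "empty"))
    return findings

if __name__ == "__main__":
    for f in unfiltered_access_groups(SAMPLE_CONFIG):
        print("%s: ACL %s applied %s is %s; traffic passes unfiltered" % f)
```

Run it against `show running-config` output captured to a file; a numbered ACL is considered defined only once it has at least one permit/deny line, which matches how IOS stores them.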
