ACL

If I deny a certain host, does it mean that the other hosts are allowed?

Thanks in advance!

The Dude



Re: ACL
I have just read that chapter. As far as I know you must put in a
permit any statement below the first deny host line; there is a deny
any by default at the end of any ACL. I am sure I will be corrected ;)
The Dude wrote:


Re: ACL


Thanks for answering so quickly.
I just clarified it and wanted to reply to myself :)
You are right: if we do not put "permit any" then "implicit deny" any
takes place.

The Dude



Re: ACL


An ACL is parsed until a match takes place; then no further processing is
done. So if you have a deny entry that gets a match, having a line that
permits that packet immediately following is pointless because the packet
has already been denied. The general rule of thumb is to allow what's
needed and allow the explicit deny at the end to take care of the rest. There
are exceptions to this of course. Also only log what's necessary.

BernieM



Re: ACL
Every access-list has an implicit deny at the end.

Want to permit network traffic for 3 hosts and not anyone else?  Enter this:

access-list 67 permit host 192.168.1.5
access-list 67 permit host 192.168.1.6
access-list 67 permit host 192.168.1.7

The router actually treats it as if it was entered like this:

access-list 67 permit host 192.168.1.5
access-list 67 permit host 192.168.1.6
access-list 67 permit host 192.168.1.7
access-list 67 deny any

Want to deny network traffic for 3 hosts and permit everyone else?  Enter
this:

access-list 67 deny host 192.168.1.5
access-list 67 deny host 192.168.1.6
access-list 67 deny host 192.168.1.7
access-list 67 permit any

This is needed because without that 4th line, the "always there"
implicit deny will also deny everything else.
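The following simulator is an added example, not code from any of the posters: it models the first-match, top-down evaluation with an implicit "deny any" that BernieM's reply and the last post describe, parses the two access lists quoted above (with the typo corrected), and flags entries that can never match, such as a permit placed after a deny of the same host. Only source-address matching is modelled, as in a standard ACL; the helper names, the regular expression and the sample ACL numbered 10 are assumptions of this example.

```python
"""
Simulator for first-match evaluation of a Cisco-style standard access list.
Added example, not from the thread: it models the behaviour described in the
posts above (process entries top-down, stop at the first match, implicit
'deny any' at the end) so the two ACLs in the last post can be checked.
Only source-address matching is modelled, as in a standard ACL.
"""
import ipaddress
import re
from typing import List, Tuple

# Assumed syntax: "access-list <number> <permit|deny> <host A.B.C.D | any>"
ENTRY_RE = re.compile(
    r"^access-list\s+(\d+)\s+(permit|deny)\s+(?:host\s+(\S+)|(any))\s*$"
)


def parse_acl(config: str) -> List[Tuple[str, str]]:
    """Parse access-list lines into (action, source) tuples, keeping order.

    `source` is a dotted-quad host address or the literal "any".
    Lines that do not parse raise ValueError, so a typo such as the
    'access-lsit' in the thread is caught instead of silently ignored.
    """
    entries = []
    for raw in config.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank line or IOS comment
        m = ENTRY_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable ACL line: {line!r}")
        _, action, host, any_kw = m.groups()
        source = "any" if any_kw else str(ipaddress.ip_address(host))
        entries.append((action, source))
    return entries


def evaluate(entries, src_ip: str) -> Tuple[str, int]:
    """Return (decision, line_index) for a packet from src_ip.

    Entries are checked top-down; the first match wins and processing stops.
    If nothing matches, the implicit deny at the end applies; its index is
    reported as len(entries) so callers can tell it apart from an explicit
    entry.
    """
    src = ipaddress.ip_address(src_ip)
    for idx, (action, source) in enumerate(entries):
        if source == "any" or ipaddress.ip_address(source) == src:
            return action, idx
    return "deny", len(entries)  # implicit deny any


def unreachable_entries(entries) -> List[int]:
    """Indices of entries that can never match because an earlier entry
    with the same (or broader) source already decides the packet.

    Illustrates BernieM's point: a 'permit host X' after 'deny host X',
    or anything after 'permit any' / 'deny any', is dead configuration.
    """
    dead = []
    for idx, (_, source) in enumerate(entries):
        for _, earlier in entries[:idx]:
            if earlier == "any" or earlier == source:
                dead.append(idx)
                break
    return dead


# Constructed sample ACLs, mirroring the two in the thread (typo fixed).
PERMIT_THREE = """
access-list 67 permit host 192.168.1.5
access-list 67 permit host 192.168.1.6
access-list 67 permit host 192.168.1.7
"""

DENY_THREE = """
access-list 67 deny host 192.168.1.5
access-list 67 deny host 192.168.1.6
access-list 67 deny host 192.168.1.7
access-list 67 permit any
"""

# Same as DENY_THREE but without the final 'permit any': everyone is denied.
DENY_THREE_NO_PERMIT = "\n".join(DENY_THREE.strip().splitlines()[:3])

# Constructed ACL with a pointless permit after a deny of the same host.
SHADOWED = """
access-list 10 deny host 10.0.0.1
access-list 10 permit host 10.0.0.1
access-list 10 permit any
"""

if __name__ == "__main__":
    for name, cfg in [("permit-three", PERMIT_THREE),
                      ("deny-three", DENY_THREE),
                      ("deny-three-no-permit", DENY_THREE_NO_PERMIT)]:
        acl = parse_acl(cfg)
        for ip in ("192.168.1.5", "192.168.1.99"):
            print(name, ip, evaluate(acl, ip))
    print("dead entries in SHADOWED:", unreachable_entries(parse_acl(SHADOWED)))
```

Running it shows 192.168.1.99 permitted by the deny-three list only when the trailing "permit any" is present, and denied at the implicit entry (index 3) when it is absent, which is exactly the difference the last post points out.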


