ACL

If I deny a certain host, does it mean that the other hosts are allowed?

Thanks in advance!

The Dude

gregg johnstone

Thanks for answering so quickly. I just clarified it and wanted to reply to myself :) You are right: if we do not put "permit any", then the "implicit deny any" takes place.

The Dude


An ACL is parsed until a match takes place, then no further processing is done. So if you have a deny entry that gets a match, a line immediately following it that permits that packet is pointless, because the packet has already been denied. The general rule of thumb is to allow what's needed and let the explicit deny at the end take care of the rest. There are exceptions to this, of course. Also, only log what's necessary.

BernieM


Every access-list has an implicit deny at the end.

Want to permit network traffic for 3 hosts and not anyone else? Enter this:

access-list 67 permit host 192.168.1.5
access-list 67 permit host 192.168.1.6
access-list 67 permit host 192.168.1.7

The router actually treats it as if it was entered like this:

access-list 67 permit host 192.168.1.5
access-list 67 permit host 192.168.1.6
access-list 67 permit host 192.168.1.7
access-list 67 deny any

Want to deny network traffic for 3 hosts and permit everyone else? Enter this:

access-list 67 deny host 192.168.1.5
access-list 67 deny host 192.168.1.6
access-list 67 deny host 192.168.1.7
access-list 67 permit any

That 4th line is needed because otherwise the "always there" implicit deny will also deny everything else.

Overlord
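To make BernieM's first-match rule and the implicit deny in Overlord's two lists concrete, here is an added Python simulation of how a Cisco-style standard ACL is evaluated. It is illustration code written for this thread, not IOS code and not from either poster. It assumes a standard numbered ACL (source-address matching only; extended ACLs with protocol, destination and port fields are not modelled), and the function names parse_acl, evaluate and unreachable_entries are my own. The sample lists are constructed from the lines Overlord posted, plus one extra list that shows a permit line shadowed by an earlier deny.

```python
import ipaddress

# Added illustration (not IOS code): a minimal evaluator for Cisco-style
# *standard* numbered ACLs, which match on source address only. It understands
# "permit|deny host A.B.C.D", "permit|deny any" and
# "permit|deny A.B.C.D WILDCARD" (WILDCARD is an inverse mask, as in IOS).

ALL_ONES = 0xFFFFFFFF


def parse_acl(text):
    """Return (action, addr, mask, line) tuples in configuration order.

    addr and mask are integers; a source address x matches an entry when
    (x & mask) == (addr & mask).
    """
    entries = []
    for raw in text.strip().splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] != "access-list" or len(parts) < 4 or parts[2] not in ("permit", "deny"):
            raise ValueError(f"unsupported line: {raw!r}")
        action, src = parts[2], parts[3:]
        if src[0] == "any":
            addr, mask = 0, 0                      # mask 0: every address matches
        elif src[0] == "host":
            addr, mask = int(ipaddress.ip_address(src[1])), ALL_ONES
        else:
            # "A.B.C.D WILDCARD"; a missing wildcard means 0.0.0.0 (single host)
            addr = int(ipaddress.ip_address(src[0]))
            wildcard = int(ipaddress.ip_address(src[1])) if len(src) > 1 else 0
            mask = ALL_ONES ^ wildcard             # wildcard bits are "don't care"
        entries.append((action, addr, mask, raw.strip()))
    return entries


def evaluate(entries, source_ip):
    """First-match evaluation with the implicit 'deny any' at the end.

    Returns (action, matched_line); matched_line is None when only the
    implicit deny applied.
    """
    x = int(ipaddress.ip_address(source_ip))
    for action, addr, mask, line in entries:
        if (x & mask) == (addr & mask):
            return action, line                    # stop at the first match
    return "deny", None                            # nothing matched: implicit deny


def unreachable_entries(entries):
    """Lines that can never match because an earlier line already covers
    every address they cover (e.g. a permit placed after a deny for the same host)."""
    dead = []
    for i, (_, addr_i, mask_i, line_i) in enumerate(entries):
        for _, addr_j, mask_j, _ in entries[:i]:
            # earlier entry j covers entry i when j's mask bits are a subset of
            # i's mask bits and the two addresses agree on j's mask bits
            if (mask_j & mask_i) == mask_j and (addr_i & mask_j) == (addr_j & mask_j):
                dead.append(line_i)
                break
    return dead


# Constructed sample lists, taken from the lines posted in the thread.
PERMIT_THREE_HOSTS = """
access-list 67 permit host 192.168.1.5
access-list 67 permit host 192.168.1.6
access-list 67 permit host 192.168.1.7
"""

DENY_THREE_HOSTS = """
access-list 67 deny host 192.168.1.5
access-list 67 deny host 192.168.1.6
access-list 67 deny host 192.168.1.7
access-list 67 permit any
"""

# Constructed: a permit that can never fire because the deny above it matches first.
SHADOWED = """
access-list 67 deny host 192.168.1.5
access-list 67 permit host 192.168.1.5
access-list 67 permit 192.168.1.0 0.0.0.255
"""

if __name__ == "__main__":
    for name, text in (("permit-three", PERMIT_THREE_HOSTS), ("deny-three", DENY_THREE_HOSTS)):
        acl = parse_acl(text)
        for ip in ("192.168.1.5", "192.168.1.9"):
            print(name, ip, evaluate(acl, ip))
    print("dead lines:", unreachable_entries(parse_acl(SHADOWED)))
```

Running it shows 192.168.1.9 being denied by the implicit deny (matched line None) under the first list and permitted by "permit any" under the second, and reports the shadowed "permit host 192.168.1.5" as unreachable; the same check flags every line placed after a "permit any" or "deny any".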

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.