|
|
| justindu 2003-09-15, 9:16 am |
| Do ACLs always end with a permit any any statement?? | |
| Humbug 2003-09-15, 9:21 am |
| On the contrary, they always ends up with implicit deny all | |
| justindu 2003-09-15, 10:29 am |
| Sorry let me rephrase.. The last line on any ACL should end with permit any any right? | |
| darthfeces 2003-09-15, 10:57 am |
| only if that's you're goal .....
to permit any after you've filtered what you want to filter ....
as already stated there is an implicit deny any at the end. or you could add deny any log if you'd like to see what's being knocked down .... | |
| martek 2003-09-15, 11:22 am |
| The following examples should make things clear:
Let's say you want to allow everything from network 205.205.200.0 and deny everything else. Thus:
access-list 1 permit 205.205.200.0 0.0.0.255
That's it. You don't put 'permit any' at the end cause then everything would be allowed thru, which is not what you want. The implied 'deny any' will deny everything else, which is what you want.
Now rephrase the question to 'deny everything from 205.205.200.0 and permit everything else' and you get:
access-list 1 deny 205.205.200.0 0.0.0.255
access-list 1 permit any
Now you need to put the 'permit any' at the end cause otherwise everyone else would be denied based on the implied 'deny any'. You just want to deny the 205.205.200.0 network.
I hope this helps.  | |
| justindu 2003-09-15, 11:25 am |
| Perfect! THanks! |
|
|
|