acl

Answered Question

Hi! If I add in a permit ip any any command at the bottom of a list of permit ACL commands on top, will the final result still be deny all for those IPs not in the permit list on top of the permit ip any any command?


Correct Answer
Jon Marshall Sun, 09/16/2007 - 23:34

Hi

If you add a permit ip any any at the bottom of your acl and all you have are other "permit" statements above it then in effect you may as well not apply the access-list because you are not stopping any traffic.

There is an implicit deny ip any any at the end of an access-list but if you put "permit ip any any" at the end then you never get to the "deny" statement.

HTH

Jon

Correct Answer
Kevin Dorrell Sun, 09/16/2007 - 23:35

No, if you have a load of permits followed by permit ip any any, the net result is to permit anything at all.

Kevin Dorrell

Luxembourg

Kevin Dorrell Mon, 09/17/2007 - 04:04

In that case practically only UDP will be allowed. The ICMP and TCP will be blocked by the access-list. But the implicit deny will still not have any effect because the permit ip any any allows "anything else".

Kevin Dorrell

Luxembourg
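The first-match behaviour discussed in this thread, as an added example that is not part of any post: a small evaluator and audit check for a simplified ACL syntax. The syntax (`<action> <protocol> <source> <destination>`, no ports), the function names and the sample ACLs are assumptions constructed for illustration.

```python
import ipaddress

def _addr(tokens):
    """Consume one address spec; return (spec, remaining). spec is None for 'any'."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    base, wild = (int(ipaddress.IPv4Address(t)) for t in tokens[:2])
    return (base, wild), tokens[2:]

def parse(line):
    action, proto, *rest = line.split()
    src, rest = _addr(rest)
    dst, _ = _addr(rest)
    return action, proto, src, dst

def _hit(spec, ip):
    if spec is None:
        return True
    base, wild = spec
    # Wildcard bits set to 1 are "don't care"; every other bit must match.
    return (int(ipaddress.IPv4Address(ip)) ^ base) & ~wild & 0xFFFFFFFF == 0

def evaluate(acl, proto, src, dst):
    """First match wins; falls through to the implicit deny if nothing matches."""
    for line in acl:
        action, p, s, d = parse(line)
        if p in ("ip", proto) and _hit(s, src) and _hit(d, dst):
            return action, line
    return "deny", "implicit deny ip any any"

def audit(acl):
    """Flag a catch-all permit that makes the implicit deny unreachable."""
    entries = [parse(line) for line in acl]
    for i, entry in enumerate(entries):
        if entry == ("permit", "ip", None, None):
            if all(e[0] == "permit" for e in entries[:i]):
                return "no-op: every packet is permitted"
            return "implicit deny unreachable: only explicit denies filter"
    return "ok: unmatched traffic hits the implicit deny"

# Constructed sample ACLs (not taken from the thread).
PERMITS_ONLY = ["permit tcp 10.1.1.0 0.0.0.255 any", "permit udp host 10.1.2.5 any"]
WITH_CATCH_ALL = PERMITS_ONLY + ["permit ip any any"]
DENY_THEN_ALL = ["deny icmp any any", "deny tcp any any", "permit ip any any"]
```

Running `audit` over exported ACLs is a quick way to find lists that are applied to an interface but filter nothing.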
