Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
582
Views
0
Helpful
6
Replies

acl

Go to solution
dkblee
Level 1
Level 1

‎09-16-2007 11:25 PM - edited ‎03-05-2019 06:30 PM

hi! if i add in a permit ip any any command at the bottom of a list of permit acl command on top, will the final result still be deny all for those ip not in the permit list on top of the permit ip any any command?

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎09-16-2007 11:34 PM

Hi

If you add a permit ip any any at the bottom of your acl and all you have are other "permit" statements above it then in effect you may as well not apply the access-list because you are not stopping any traffic.

There is an implict deny ip any any at the end of an access-list but if you put "permit ip any any" at the end then yu never get to the "deny" statement.

HTH

Jon

View solution in original post

0 Helpful

Go to solution
Kevin Dorrell
Level 10
Level 10

‎09-16-2007 11:35 PM

No, if you have a load of permits followed by permit ip any any, the net result is to permit anything at all.

Kevin Dorrell

Luxembourg

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎09-16-2007 11:34 PM

Hi

If you add a permit ip any any at the bottom of your acl and all you have are other "permit" statements above it then in effect you may as well not apply the access-list because you are not stopping any traffic.

There is an implict deny ip any any at the end of an access-list but if you put "permit ip any any" at the end then yu never get to the "deny" statement.

HTH

Jon

0 Helpful

Go to solution
dkblee
Level 1
Level 1
In response to Jon Marshall

‎09-17-2007 04:00 AM

hi! how about if i've a list of the following statement. Will the implicit deny still take effect? will the router block any tcp, icmp traffic in this case?

deny icmp any any

deny tcp any any

permit ip any any

0 Helpful

Go to solution
Kevin Dorrell
Level 10
Level 10

‎09-16-2007 11:35 PM

No, if you have a load of permits followed by permit ip any any, the net result is to permit anything at all.

Kevin Dorrell

Luxembourg

0 Helpful

Go to solution
dkblee
Level 1
Level 1
In response to Kevin Dorrell

‎09-17-2007 04:01 AM

hi! how about if i've a list of the following statement. Will the implicit deny still take effect? will the router block any tcp, icmp traffic in this case?

deny icmp any any

deny tcp any any

permit ip any any

0 Helpful

Go to solution
Kevin Dorrell
Level 10
Level 10
In response to dkblee

‎09-17-2007 04:04 AM

In that case practically only UDP will be allowed. The ICMP and TCP will be blocked by the access-list. But the implicit deny will still not have any effect because the permit ip any any allows "anything else".

Kevin Dorrell

Luxembourg

0 Helpful

Go to solution
smothuku
Level 7
Level 7

‎09-17-2007 04:14 AM

Hi ,

Please check the below link which clears u r doubt and very useful.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml

Cheers :)

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card