09-16-2007 11:25 PM - edited 03-05-2019 06:30 PM
Hi! If I add a permit ip any any command at the bottom of a list of permit ACL commands, will the final result still be deny all for those IPs not in the permit list above the permit ip any any command?
09-16-2007 11:34 PM
Hi
If you add a permit ip any any at the bottom of your acl and all you have are other "permit" statements above it then in effect you may as well not apply the access-list because you are not stopping any traffic.
There is an implicit deny ip any any at the end of an access-list but if you put "permit ip any any" at the end then you never get to the "deny" statement.
HTH
Jon
09-16-2007 11:35 PM
No, if you have a load of permits followed by permit ip any any, the net result is to permit anything at all.
Kevin Dorrell
Luxembourg
09-17-2007 04:00 AM
Hi! How about if I have a list of the following statements? Will the implicit deny still take effect? Will the router block any TCP or ICMP traffic in this case?
deny icmp any any
deny tcp any any
permit ip any any
09-17-2007 04:04 AM
In that case practically only UDP will be allowed. The ICMP and TCP will be blocked by the access-list. But the implicit deny will still not have any effect because the permit ip any any allows "anything else".
Kevin Dorrell
Luxembourg
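The first-match behaviour described in the replies above, as an added example that is not part of the original thread: a small Python model of top-down ACL evaluation that matches on protocol and addresses only (no ports). The addresses in the first list are constructed; the second list is the one from the follow-up question.

```python
import ipaddress

IMPLICIT_DENY = "implicit deny ip any any"
ANY = (0, 0xFFFFFFFF)  # base address 0 with an all-ones wildcard matches everything

def _spec(tok):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    head = tok.pop(0)
    if head == "any":
        return ANY
    if head == "host":
        return int(ipaddress.IPv4Address(tok.pop(0))), 0
    return int(ipaddress.IPv4Address(head)), int(ipaddress.IPv4Address(tok.pop(0)))

def _hit(spec, ip):
    """Wildcard match: bits set in the wildcard are 'don't care'."""
    base, wildcard = spec
    return (int(ipaddress.IPv4Address(ip)) ^ base) & ~wildcard & 0xFFFFFFFF == 0

def parse(acl_text):
    """Turn lines like 'permit tcp host 192.0.2.10 any' into entries."""
    aces = []
    for line in acl_text.strip().splitlines():
        tok = line.split()
        action, proto = tok.pop(0), tok.pop(0)
        aces.append((action, proto, _spec(tok), _spec(tok), line.strip()))
    return aces

def evaluate(aces, proto, src, dst):
    """Top-down, first match wins; a packet matching no entry hits the implicit deny."""
    for action, ace_proto, s, d, text in aces:
        if ace_proto in ("ip", proto) and _hit(s, src) and _hit(d, dst):
            return action, text
    return "deny", IMPLICIT_DENY

def implicit_deny_reachable(aces):
    """True while no entry is a catch-all '<action> ip any any'."""
    return not any(p == "ip" and s == ANY and d == ANY for _, p, s, d, _ in aces)

# Constructed sample list (documentation addresses), then the same list with a catch-all.
ONLY_PERMITS = "permit tcp host 192.0.2.10 any\npermit udp 192.0.2.0 0.0.0.255 any\n"
PERMITS_THEN_ANY = ONLY_PERMITS + "permit ip any any\n"
# The list from the follow-up question in this thread.
FOLLOW_UP = "deny icmp any any\ndeny tcp any any\npermit ip any any\n"

if __name__ == "__main__":
    for name, acl in [("only permits", ONLY_PERMITS), ("permits + any", PERMITS_THEN_ANY), ("follow-up", FOLLOW_UP)]:
        for proto in ("icmp", "tcp", "udp"):
            print(name, proto, evaluate(parse(acl), proto, "198.51.100.7", "203.0.113.1"))
```
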
09-17-2007 04:14 AM
Hi,
Please check the link below, which clears your doubt and is very useful.
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml
Cheers :)