Route-Map Access-list !!!

Answered Question
Nov 10th, 2008

Hello,

I am creating the following route-maps. I am sure my understanding is correct, but wanted to be very sure.


I am creating the following route-maps.


route-map Router1_to_Router2export permit

match ip address Router1_to_Router2


ip access-list standard Router1_to_Router1

permit 192.168.0.0 0.0.0.255


So in the above I am only sending from Router # 1 to Router # 2 192.168.0.0/24 and nothing else. So after the permit statement it will automatically have deny any any... So far, right?


Now if I leave "ip access-list standard Router1_to_Router1" blank like this... then it means send everything or permit any... Right so far? Kindly confirm, I will appreciate it.


Thanks


ip access-list standard Router1_to_Router1


John Blakley Mon, 11/10/2008 - 11:01

If I understand your question, when you create an acl with a "blank" entry, then it's going to deny anything and everything.


--John

Richard Burts Mon, 11/10/2008 - 11:23

The behavior when you assign an access list to an interface and the access list is empty changed. The old behavior was as John describes it and everything was denied (it enforced the implicit deny any at the bottom). Quite a while ago the behavior changed and now if you apply an empty (blank) access list to an interface it will permit everything. I assume that the behavior is the same in the route map.


HTH


Rick

John Blakley Mon, 11/10/2008 - 11:25

I didn't realize they changed it. :-) I remember doing that by accident one day and all of my traffic came to a halt outbound.


Thanks Rick!


John

Richard Burts Mon, 11/10/2008 - 11:30

John


No problem. You would think that the old behavior (deny everything) was more logically consistent. I am guessing that enough people made that mistake that Cisco changed it and helps protect us from that error.


HTH


Rick

shassan655 Mon, 11/10/2008 - 11:29

Hello,

So in my scenario, if I have an access-list and nothing is defined under it, then in my understanding it's all PERMIT. But if the access-list has even 1 permit statement under it and that access-list is under the route-map, then only that permit statement will be allowed and everything else will be denied... Right? As per my question above.


Thanks.

Correct Answer
Richard Burts Mon, 11/10/2008 - 11:33

Syed


I believe that you are correct. If the access list is empty then everything is permitted. As soon as there is the first statement in the access list then there is the implicit deny any at the bottom that will deny anything that is not permitted.


HTH


Rick
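
As an added illustration (not code from any poster in this thread), the Python sketch below models how a single route-map permit clause with a standard ACL filters routes: wildcard matching on the route's network address, first match wins, implicit deny once the list has an entry, and an empty list permitting everything as the accepted answer states. The function names and the route list are constructed for the example, and the empty-list rule follows the thread rather than a verified IOS release.

```python
import ipaddress

def parse_standard_acl(lines):
    """Parse 'permit|deny <address> [wildcard]' and 'permit|deny any' entries."""
    entries = []
    for line in lines:
        parts = line.split()
        if not parts:
            continue
        if len(parts) < 2 or parts[0] not in ("permit", "deny"):
            raise ValueError(f"unsupported entry: {line!r}")
        if parts[1] == "any":
            addr, wildcard = 0, 0xFFFFFFFF
        else:
            addr = int(ipaddress.IPv4Address(parts[1]))
            # No wildcard given means a host entry (wildcard 0.0.0.0).
            wildcard = int(ipaddress.IPv4Address(parts[2])) if len(parts) > 2 else 0
        entries.append((parts[0], addr, wildcard))
    return entries

def acl_permits(entries, prefix):
    """Evaluate one route against the ACL; first matching entry decides."""
    if not entries:
        # Assumption taken from the accepted answer: an empty list permits all.
        return True
    # A standard ACL compares only the route's network address,
    # not its prefix length.
    network = int(ipaddress.ip_network(prefix).network_address)
    for action, addr, wildcard in entries:
        care = ~wildcard & 0xFFFFFFFF  # bits set to 0 in the wildcard must match
        if (network & care) == (addr & care):
            return action == "permit"
    return False  # implicit deny any once the list has at least one entry

def exported(acl_lines, routes):
    """Routes a single 'route-map ... permit' clause matching this ACL lets through."""
    entries = parse_standard_acl(acl_lines)
    return [r for r in routes if acl_permits(entries, r)]

# Constructed sample routing table for the example.
ROUTES = ["192.168.0.0/24", "192.168.0.128/25", "192.168.1.0/24", "10.0.0.0/8"]

if __name__ == "__main__":
    print("one permit entry:", exported(["permit 192.168.0.0 0.0.0.255"], ROUTES))
    print("empty list      :", exported([], ROUTES))
```

Note that 192.168.0.128/25 also passes the single permit entry, because the wildcard match covers any network address inside 192.168.0.0 through 192.168.0.255; matching an exact prefix length needs a prefix-list instead of a standard ACL.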

Richard Burts Mon, 11/10/2008 - 11:51

Syed


I am glad that the responses from John and me were helpful. Thank you for using the rating system to indicate that your question was resolved (and thanks for the rating). It makes the forum more useful when people can read a question and can know that there were responses which did resolve the question.


The forum is an excellent place to learn about Cisco networking. I encourage you to continue your participation in the forum.


HTH


Rick
