05-18-2009 08:14 AM - edited 03-06-2019 05:46 AM
Hi,
I'm pretty familiar with ACLs, and understand that every access list has an explicit deny any any, so if you just have an "empty" access list it will block all traffic.
I just added two extended access lists to a physical interface, but left them empty. They don't appear to be blocking any traffic??? Are there some cases where the explicit deny any any isn't present??? Is there a case where an access list on another interface can 'override' this ACL???
thanks, Simon
05-18-2009 08:19 AM
You might want to check which way the ACL is pointing. (IN or OUT of an interface)
05-18-2009 09:00 AM
I actually applied two access lists: one IN and one OUT. No idea what the problem is.
Here is the interface with just the IN (did also try In and OUT):
interface FastEthernet0/0
description DMZ$FW_INSIDE$$ETH-LAN$
ip address 192.168.2.1 255.255.255.0
ip access-group dmz in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip route-cache flow
duplex auto
speed auto
no mop enabled
and the empty ACL:
ip access-list extended dmz
05-18-2009 09:07 AM
Simon
The explicit deny any any is true only when the access list is not empty. If there is at least one entry in an ACL then you are correct in what you say, but an empty ACL will allow all traffic through.
I believe some of the earlier IOS versions did indeed block traffic with an empty ACL, but this is definitely no longer the case.
Jon
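To make the distinction Jon describes concrete, here is a small ACL evaluator written as an added example for this thread (it is not Cisco code and not the original poster's configuration). It parses the body of an "ip access-list extended" block, applies first-match-wins with the implicit deny at the end, and treats a list with no entries as permit-all, which is the behaviour reported above. Assumptions: only permit/deny entries of the form "<action> <ip|tcp|udp|icmp> <src> <dst>" are handled, where an address is "any", "host A.B.C.D", or "A.B.C.D W.W.W.W" with an IOS wildcard mask; port operators, "established" and logging are not modelled, and the sample ACL lines and packets are constructed for the demo.

```python
"""Toy evaluator for Cisco IOS extended ACL semantics (added example, not Cisco code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List


@dataclass(frozen=True)
class AddrSpec:
    addr: int       # address as an integer
    wildcard: int   # IOS wildcard mask: 1 bits are "don't care"

    def matches(self, ip: str) -> bool:
        # Wildcard masks need not be contiguous, so compare bit-wise
        # instead of converting to a prefix length.
        care = ~self.wildcard & 0xFFFFFFFF
        return (int(IPv4Address(ip)) & care) == (self.addr & care)


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    proto: str    # "ip", "tcp", "udp" or "icmp"
    src: AddrSpec
    dst: AddrSpec


def _parse_addr(tokens: List[str]) -> AddrSpec:
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'."""
    tok = tokens.pop(0)
    if tok == "any":
        return AddrSpec(0, 0xFFFFFFFF)
    if tok == "host":
        return AddrSpec(int(IPv4Address(tokens.pop(0))), 0)
    return AddrSpec(int(IPv4Address(tok)), int(IPv4Address(tokens.pop(0))))


def parse_acl(config: str) -> List[Ace]:
    """Parse an 'ip access-list extended NAME' block into its entries.

    Lines that are not permit/deny (the header, remarks) are skipped, so a
    block consisting only of its header parses to an empty list.
    """
    aces = []
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src = _parse_addr(rest)
        dst = _parse_addr(rest)
        aces.append(Ace(action, proto, src, dst))
    return aces


def evaluate(acl: List[Ace], proto: str, src_ip: str, dst_ip: str) -> str:
    """Return 'permit' or 'deny' for one packet.

    - No entries: everything is permitted; there is nothing to match and
      no implicit deny is appended.
    - Otherwise the first matching entry wins, and a packet matching no
      entry hits the implicit 'deny ip any any'.
    """
    if not acl:
        return "permit"
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if ace.src.matches(src_ip) and ace.dst.matches(dst_ip):
            return ace.action
    return "deny"


# Constructed samples: the empty 'dmz' list from the thread, and a one-line variant.
EMPTY_DMZ = "ip access-list extended dmz\n"
ONE_LINE_DMZ = (
    "ip access-list extended dmz\n"
    " permit tcp 192.168.2.0 0.0.0.255 any\n"
)


def demo() -> dict:
    empty = parse_acl(EMPTY_DMZ)
    one = parse_acl(ONE_LINE_DMZ)
    return {
        # empty list: UDP from the DMZ host passes, no implicit deny exists
        "empty_acl_udp": evaluate(empty, "udp", "192.168.2.10", "10.0.0.5"),
        # one permit line: the same UDP packet now hits the implicit deny
        "one_line_acl_udp": evaluate(one, "udp", "192.168.2.10", "10.0.0.5"),
        # ... while TCP from the DMZ subnet matches the single entry
        "one_line_acl_tcp": evaluate(one, "tcp", "192.168.2.10", "10.0.0.5"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The interesting line is the "if not acl" check in evaluate: adding even one entry to the list is what switches on the implicit deny, which is why a single "permit" line can suddenly block everything else on the interface.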
05-18-2009 09:51 AM
Thanks Jon - I thought I was going crazy. A lot of online references for ACLs still say empty ACLs will block, so that's what tripped me up.
Simon
05-18-2009 09:55 AM
One other question: Do ACLs take effect immediately, or is there any instance where I need to do something to make them take effect??? - Simon
05-18-2009 10:03 AM
They take effect as soon as you apply them to the interface.
Jon