access lists

carl_townshend
Spotlight

Hi all, when people set up their access lists, do you generally permit the traffic you want, then use the implicit deny all, or do you deny the ones you don't want and then permit all at the bottom?

5 Replies

ajagadee
Cisco Employee

Carl,

Please refer to the URLs below; most of your questions should be answered there. I have also included a URL that discusses Improving Security on Cisco Routers, which you will find very useful.

Transit Access Control Lists: Filtering at Your Edge

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml

Configuring Commonly Used IP ACLs

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml

Configuring IP Access Lists

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml

Improving Security on Cisco Routers

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml

I hope it helps.

Regards,

Arul

mchoo2005
Level 1

It depends on what you want to do. Essentially, configure the most specific requirement into the access list.

Example 1:

You have 100 subnets. You must deny ALL but 2 subnets: 192.168.1.0/24 and 10.1.1.0/24.

Then what you do is: create an access list to PERMIT these two subnets, and leave the others matched to the default deny any.

Example 2:

As per above, but you must DENY the two subnets.

Then what you do is: create an access list to DENY these two subnets, then add "permit any any" at the end of the access list.

HTH

sourabhagarwal
Level 4

Carl,

While setting up an access list, it is advisable to keep the frequently matching permit/deny statements that match your traffic pattern at the top of the list, in order to save device CPU and memory utilization, as the access list is processed sequentially.

danielmassey
Level 1

Hi Carl,

We generally permit the traffic we want, then use the implicit deny all. Moreover, we need not specifically mention deny all.

nicocerti
Level 1

Hi Carl

Yes it is. When you configure an access list there is an implicit deny at the end (and you cannot see it), so if all the statements in the ACL are deny, all traffic will be denied. That means that the ACL must have at least one permit statement. You can also configure an ACL with all permit statements and no deny statement, so the access list will permit traffic that matches the statements and deny the rest (with the implicit deny).
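To make the two designs in mchoo2005's examples and the implicit-deny behaviour nicocerti describes concrete, here is an added Python evaluator (not code from this thread or from Cisco) that applies an IOS-style standard access list the way the router does: top to bottom, first match wins, implicit deny at the end. The access lists, the three source addresses and the function names are constructed for the demonstration; the catch-all is written in standard-ACL form as `permit any`.

```python
import ipaddress

# Added example, not code from the thread: evaluate an IOS-style standard ACL
# top to bottom, first match wins, with the implicit "deny any" at the end
# that never appears in the running configuration.

def parse_acl(text):
    """Parse lines such as 'permit 192.168.1.0 0.0.0.255', 'deny host 10.1.1.7', 'permit any'."""
    entries = []
    for raw in text.strip().splitlines():
        parts = raw.split()
        if not parts or parts[0] == "remark":
            continue  # remarks are documentation only; they match nothing
        action = parts[0]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown ACE action: {raw!r}")
        if parts[1] == "any":
            net = ipaddress.IPv4Network("0.0.0.0/0")
        elif parts[1] == "host":
            net = ipaddress.IPv4Network(parts[2] + "/32")
        else:
            # IOS wildcard bits are the inverse of a netmask: 0.0.0.255 -> 255.255.255.0
            wildcard = parts[2] if len(parts) > 2 else "0.0.0.0"
            mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
            net = ipaddress.IPv4Network((parts[1], str(ipaddress.IPv4Address(mask))), strict=False)
        entries.append((action, net))
    return entries

def evaluate(acl, source_ip):
    """Return (decision, entry that decided it); falls through to the implicit deny."""
    ip = ipaddress.IPv4Address(source_ip)
    for action, net in acl:
        if ip in net:
            return action, f"{action} {net}"
    return "deny", "implicit deny any"

# Example 1 from the post: permit only two subnets and rely on the implicit deny.
PERMIT_TWO = "permit 192.168.1.0 0.0.0.255\npermit 10.1.1.0 0.0.0.255"
# Example 2: deny those two, then permit everything else explicitly.
DENY_TWO = "deny 192.168.1.0 0.0.0.255\ndeny 10.1.1.0 0.0.0.255\npermit any"
# A list with only deny statements blocks everything, including unlisted subnets.
ALL_DENY = "deny 192.168.1.0 0.0.0.255"

def demo():
    """Decisions for three constructed source addresses under each list."""
    samples = ("192.168.1.10", "10.1.1.20", "172.16.5.5")
    lists = {"permit_two": PERMIT_TWO, "deny_two": DENY_TWO, "all_deny": ALL_DENY}
    return {name: [evaluate(parse_acl(txt), ip)[0] for ip in samples] for name, txt in lists.items()}
```

Calling `demo()` shows that the same two subnets come out permitted under the first list and denied under the second, and that the deny-only list never permits anything.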
