09-14-2006 07:12 AM - edited 03-03-2019 05:02 AM
Hi all, when people set up their access lists, do you generally permit the traffic you want, then use the implicit deny all, or do you deny the ones you don't want then permit all at the bottom?
09-14-2006 07:41 AM
Carl,
Please refer to the URLs below; most of your questions should be answered there. I have also included a URL that discusses Improving Security on Cisco Routers, which you will find very useful.
Transit Access Control Lists: Filtering at Your Edge
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml
Configuring Commonly Used IP ACLs
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml
Configuring IP Access Lists
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml
Improving Security on Cisco Routers
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
I hope it helps.
Regards,
Arul
09-14-2006 10:17 PM
Depends on what you want to do. Essentially, configure the most specific requirement into the access list.
Example 1:
You have 100 subnets. You must deny ALL but 2 subnets: 192.168.1.0/24 and 10.1.1.0/24.
Then what you do is: create an access list to PERMIT these two subnets, and leave the others matched to the default deny any.
Example 2:
As per above, but you must DENY the two subnets.
Then what you do is: create an access list to DENY these two subnets, then add "permit any any" at the end of the access list.
HTH
09-15-2006 01:13 AM
Carl,
While setting up an access list, it is advisable to keep the frequently matching permit/deny statements (those that match your traffic pattern) at the top of the list in order to save device CPU and memory utilization, as the access list is processed sequentially.
09-15-2006 06:30 AM
Hi Carl,
We generally permit the traffic we want, then use the implicit deny all. Moreover, we need not specifically mention deny all.
09-15-2006 03:09 PM
Hi Carl
Yes it is. When you configure an Access List there is an implicit deny at the end (and you cannot see it), so if all the statements in the ACL are deny, all traffic will be denied. That means that the ACL must have at least one permit statement. You can also configure an ACL with all permit statements and no deny statement, so the access list will permit traffic that matches the statements and deny the rest (with the implicit deny).
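The behaviour described in the two posts above (top-to-bottom first match, the invisible deny at the end, and the two ways of building the list from Example 1 and Example 2) can be checked with a small evaluator. This is an added example, not code from the thread or from Cisco; it models standard (source-address) ACL semantics with Cisco wildcard masks, and the ACL text and source addresses are constructed.

```python
"""First-match ACL evaluator, modelled on standard (source-address) Cisco ACL
semantics: entries are tested top to bottom, the first match decides, and an
unmatched packet hits the implicit 'deny any'. Added example; ACLs constructed."""
import ipaddress

def _wildcard_match(addr, network, wildcard):
    """Cisco wildcard: a 1 bit means 'don't care'. Match when all care bits agree."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ n) & ~w & 0xFFFFFFFF) == 0

def parse_acl(text):
    """Turn 'permit 192.168.1.0 0.0.0.255' / 'deny any' lines into entries."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        action = parts[0]
        if parts[1] == "any":
            entries.append((action, "0.0.0.0", "255.255.255.255"))
        else:
            entries.append((action, parts[1], parts[2]))
    return entries

def evaluate(entries, src):
    """Return (action, index) of the first matching entry; index None means
    the packet fell through to the implicit deny at the end of the list."""
    for i, (action, network, wildcard) in enumerate(entries):
        if _wildcard_match(src, network, wildcard):
            return action, i
    return "deny", None  # implicit deny: present in every ACL, never displayed

# Example 1 from the thread: permit two subnets, rely on the implicit deny.
ACL_PERMIT_ONLY = parse_acl("""
permit 192.168.1.0 0.0.0.255
permit 10.1.1.0 0.0.0.255
""")

# Example 2: deny the same two subnets, then an explicit 'permit any'.
ACL_DENY_THEN_PERMIT = parse_acl("""
deny 192.168.1.0 0.0.0.255
deny 10.1.1.0 0.0.0.255
permit any
""")

if __name__ == "__main__":
    for src in ("192.168.1.7", "10.1.1.200", "172.16.5.9"):
        print(src, evaluate(ACL_PERMIT_ONLY, src), evaluate(ACL_DENY_THEN_PERMIT, src))
```

The returned index also shows why entry order matters for CPU: a source that matches entry 0 costs one comparison, while one that falls through to the implicit deny is compared against every entry.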