deny ip any 10.0.0.0 0.255.255.255 (594854 matches)
permit ip 10.0.0.0 0.255.255.255 any (4623174 matches)
Would you want to re-enter the access list entries in descending count order? Or maybe not. I see that sorting this list in descending count order produces this:
access-list 109 deny ip any 10.0.0.0 0.255.255.255
access-list 109 permit udp any any eq bootps
This order prevents some hits on the 2nd entry that were permitted in the original order... Right?
Would you remove the entries that are getting zero hits?
2. There's an implicit deny at the end of an access list. But, if you included an explicit, "deny ip any any" as your last statement, wouldn't that help by letting you get a count of traffic that got that far?
Generally speaking, while I get rules of ACLs conceptually speaking, I have no actual experience. I'm looking for ways to understand the effects of changes, and to evaluate if ACLs have unnecessary entries, or even contradictory entries...
You are asking a good question about a topic that is quite complex and subtle. There are several things that one must be thinking about when you start to optimize an access list. I believe that two of these are:
1) is the access list achieving the intended result? is the right traffic being permitted and the right traffic being denied. To achieve this I usually advocate arranging the access list from most specific to more general (permit or deny hosts, then permit or deny subnets, then permit or deny networks, then permit or deny any). I believe this has the best chance of achieving correct behavior.
2) is the access list as efficient as possible? To achieve this one would want the access list entries with the most hits to come earliest in the access list. But the danger of this is that you may get the results that you point out where you deny any packet with source address in network 10 before you permit udp bootps from anywhere. As you point out the result is that no one in network 10 can do bootps.
So you need to think carefully as you start to optimize the access list that you do not compromise its functionality.
Your second point is about specifically coding deny any any at the end of the access list. As you point out one benefit of this is that you would then get packet counts of what is falling through. And knowing this can be useful in some circumstances. Many of us do typically code access lists that way. But others do not code the deny any any because it is not needed and they want to minimize the lines in the access list. I do not believe that there is any clear cut answer about which is better.
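As an added illustration of the ordering problem discussed in the question and the answer above (this is example code written for this page, not something either poster provided, and not Cisco's own matching logic), the following is a small first-match simulator for extended IP access lists. It evaluates a packet against a list top to bottom exactly the way the router does, with the implicit deny at the end, and it also flags entries that can never be hit because an earlier entry already covers all of their traffic. The three-entry lists, the port-name table and the sample DHCP packet are constructed assumptions modelled on the thread; the real list 109 has more entries than are shown on the page.

```python
"""
Added example: first-match simulation of Cisco-style extended ACLs.
Assumptions (not from the thread): only 'any', 'host A.B.C.D' and
'A.B.C.D WILDCARD' address forms, only 'eq <port>' on the destination,
and a two-entry port-name table.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"bootps": 67, "bootpc": 68}   # assumption: only the names the thread uses


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol; otherwise must equal the packet's
    src: Tuple[int, int]        # (network, wildcard) as 32-bit integers
    dst: Tuple[int, int]
    dst_port: Optional[int]     # None when the entry does not test a destination port
    text: str


def _addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wc = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wc), i + 2


def parse_ace(line: str) -> Ace:
    """Parse one entry such as 'permit udp any any eq bootps'; a leading 'access-list N' is allowed."""
    t = line.split()
    if t[0] == "access-list":
        t = t[2:]
    action, proto = t[0], t[1]
    src, i = _addr(t, 2)
    dst, i = _addr(t, i)
    port = None
    if i < len(t) and t[i] == "eq":
        port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return Ace(action, proto, src, dst, port, line)


def _in_range(addr: int, rng: Tuple[int, int]) -> bool:
    """Wildcard match: bits set in the wildcard are 'don't care'."""
    net, wc = rng
    return (addr & ~wc) == (net & ~wc)


def _covers(outer: Tuple[int, int], inner: Tuple[int, int]) -> bool:
    """True when every address matched by inner is also matched by outer."""
    onet, owc = outer
    inet, iwc = inner
    return (iwc & ~owc) == 0 and ((inet ^ onet) & ~owc) == 0


def matches(ace: Ace, proto: str, src: str, dst: str, dport: Optional[int] = None) -> bool:
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if not _in_range(int(ipaddress.IPv4Address(src)), ace.src):
        return False
    if not _in_range(int(ipaddress.IPv4Address(dst)), ace.dst):
        return False
    return ace.dst_port is None or ace.dst_port == dport


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: Optional[int] = None):
    """First match wins. Returns (action, index); index None means the implicit deny at the end."""
    for idx, ace in enumerate(acl):
        if matches(ace, proto, src, dst, dport):
            return ace.action, idx
    return "deny", None


def shadowed(acl: List[Ace]) -> List[int]:
    """Indices of entries no packet can reach because one earlier entry matches a superset of
    their traffic. Only single-entry shadowing is detected; an entry hidden by the union of
    several earlier entries is not reported."""
    out = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            if (earlier.proto in ("ip", later.proto)
                    and _covers(earlier.src, later.src)
                    and _covers(earlier.dst, later.dst)
                    and (earlier.dst_port is None or earlier.dst_port == later.dst_port)):
                out.append(j)
                break
    return out


# Constructed lists modelled on the thread: the original order, and the same entries
# re-ordered so that the high-count deny comes first.
ORIGINAL = [parse_ace(l) for l in (
    "permit udp any any eq bootps",
    "deny ip any 10.0.0.0 0.255.255.255",
    "permit ip 10.0.0.0 0.255.255.255 any",
)]
REORDERED = [ORIGINAL[1], ORIGINAL[0], ORIGINAL[2]]

# Constructed packet: a DHCP request relayed to a DHCP server inside network 10.
DHCP = ("udp", "192.168.1.10", "10.1.1.5", 67)

if __name__ == "__main__":
    print(evaluate(ORIGINAL, *DHCP), evaluate(REORDERED, *DHCP))
    print(shadowed([parse_ace("permit ip any 10.0.0.0 0.255.255.255"),
                    parse_ace("permit udp any 10.1.0.0 0.0.255.255 eq bootps"),
                    parse_ace("deny ip any any")]))
```

Run against the constructed DHCP packet, the original order permits it on the bootps entry while the re-ordered list denies it on the first entry, which is exactly the functional change the answer warns about. The `shadowed` check answers the "unnecessary or contradictory entries" part of the question for the simple case: an entry whose protocol, source range, destination range and port are all covered by one earlier entry gets no hits no matter what traffic arrives, and any hit count it shows after a reorder is a sign the reorder changed behaviour rather than improved efficiency. A hit count of zero on its own is not proof an entry is redundant, since the traffic it matches may simply not have occurred during the counting interval.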