01-30-2003 04:59 AM - edited 02-20-2020 09:20 PM
While testing shunning to a router, the ACLs it creates and uses create entries at the bottom of the ACLs. If you have a permit statement at the end of the preshun ACL, such as permit ip any any, the shun will have no effect.
Does it always append to the end of an ACL? I understand that permitting only the traffic you need and blocking all else is the preferred method, but sometimes that just isn't possible. Is there a workaround, or am I missing the boat here? Why wouldn't the entries be made at the top of the ACL, where it seems more appropriate anyway? (I do understand permits should always be first so that permitted traffic doesn't have to traverse the ACL deeper than necessary, for performance reasons.)
01-30-2003 06:30 AM
Place the ACL statements that should precede the sensor shuns in a preshun ACL. Place the ACL statements that should follow the sensor shuns in a postshun ACL. In your example, the permit ip any any statement would be deleted from the preshun ACL and added to the postshun ACL.
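The answer above comes down to first-match ACL evaluation: the router walks the merged ACL top-down (preshun entries, then the sensor's deny entries, then postshun entries, then the implicit deny), so a catch-all permit placed before the shun entries means the shunned host never reaches its deny. The following model, added here as an illustration and not code from the thread or from Cisco, builds that merged ACL for both layouts and evaluates a few constructed source addresses against it; the entry names, the 10.0.0.0/8 "trusted" permit and the shunned address 192.0.2.77 are all made up for the example.

```python
"""Model of how a sensor-built ACL is evaluated: preshun entries, then the
sensor's shun (deny) entries, then postshun entries, first match wins.
Constructed example, not Cisco code; ACL layouts below are assumptions."""
import ipaddress
from typing import List, Optional, Tuple

# An access-control entry is (action, source network); "any" means 0.0.0.0/0.
ACE = Tuple[str, str]


def _net(spec: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)


def merge_acl(preshun: List[ACE], shuns: List[str], postshun: List[ACE]) -> List[ACE]:
    """Build the ACL the router actually applies: the sensor's deny entries
    go after the preshun ACL and before the postshun ACL."""
    return list(preshun) + [("deny", host) for host in shuns] + list(postshun)


def first_match(acl: List[ACE], src: str) -> Tuple[str, Optional[int]]:
    """Evaluate top-down; return (action, index) of the first matching entry,
    or ('deny', None) for the implicit deny at the end of every ACL."""
    addr = ipaddress.ip_address(src)
    for i, (action, spec) in enumerate(acl):
        if addr in _net(spec):
            return action, i
    return "deny", None


SHUNNED = ["192.0.2.77"]  # constructed address the sensor has decided to shun

# Weak layout from the question: permit ip any any at the end of the preshun ACL.
WEAK_PRE: List[ACE] = [("permit", "10.0.0.0/8"), ("permit", "any")]
WEAK_POST: List[ACE] = []

# Corrected layout from the answer: the catch-all permit moves to the postshun ACL.
FIXED_PRE: List[ACE] = [("permit", "10.0.0.0/8")]
FIXED_POST: List[ACE] = [("permit", "any")]


def shun_effective(pre: List[ACE], post: List[ACE], src: str = SHUNNED[0]) -> bool:
    """True if the shunned host is denied by the merged ACL."""
    action, _ = first_match(merge_acl(pre, SHUNNED, post), src)
    return action == "deny"


if __name__ == "__main__":
    for label, pre, post in [("weak", WEAK_PRE, WEAK_POST), ("fixed", FIXED_PRE, FIXED_POST)]:
        acl = merge_acl(pre, SHUNNED, post)
        print(f"{label} merged ACL:")
        for i, (action, spec) in enumerate(acl, 1):
            print(f"  {i}: {action} ip {spec} any")
        for src in (SHUNNED[0], "10.1.1.1", "198.51.100.5"):
            print(f"  source {src} -> {first_match(acl, src)[0]}")
```

Running it shows the weak layout permitting 192.0.2.77 at entry 2 before its deny at entry 3, while the fixed layout denies it at entry 2 and still permits everything else via the postshun catch-all. The same evaluation order also explains the caveat that anything permitted in the preshun ACL (here 10.0.0.0/8) can never be shunned, which is exactly what the preshun ACL is for: traffic that must stay reachable regardless of sensor decisions.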
01-30-2003 07:38 AM
That works, of course. Thanks!!