
Implicit Deny

elementour (Member, Posts: 20)
Hi,

I'm not sure if anyone can answer this or not, as I have seen a lot of people mention the NDA they have agreed to, but I have my first CCNA exam tomorrow and someone I know said that Cisco expect you to add a drop all rule to the end of an access list. I can't see this being true myself but thought I would ask.

Cheers folks

Comments

  • Daniel333 (Member, Posts: 2,077)
    Not exactly sure what you are asking here. And no, no one can tell you what was on the test here.

    But there is a deny all at the end of every ACL, whether you type it there or not. Cisco will expect you to know that on the test and will certainly test you on it. As far as any vlabs on the test, expect them to be true to life. So you won't be expected to put two deny alls.
    -Daniel
  • dtlokee (Member, Posts: 2,378)
    Sometimes people will add a "deny any log" command (or "deny ip any any log" for an extended ACL) so they can log any packets that don't match any rules in the list. If this is the case you will need to explicitly add it.
    The only easy day was yesterday!
  • elementour (Member, Posts: 20)
    Cheers for the replies.
    I know there is an implicit deny any rule on all access lists, but what my mate was saying was that when you write an access list Cisco expect you to actually add a drop statement and not just rely on the implicit rule. I guess this is to show your work more clearly. I didn't think this was the case but just wanted to check.
  • wapalu (Member, Posts: 6)
    Hi,
    I would soon be sitting for my CCNA exams and I've almost gone through Todd Lammle's 6th edition study guide. I was just wondering if anyone here knows the areas that are most often tested or areas that are often slippery when it comes to the exams?
  • laidbackfreak (Member, Posts: 991)
    wapalu wrote: »
    Hi,
    I would soon be sitting for my CCNA exams and I've almost gone through Todd Lammle's 6th edition study guide. I was just wondering if anyone here knows the areas that are most often tested or areas that are often slippery when it comes to the exams?

    So for your first post you revive a thread that's 20 months old and ask a question that's not even related to it!!

    Oh well... to answer your question, I'd say subnetting; you need to know it inside out. NAT and ACLs are always tricky (trying to get on topic of this thread!). The OSI model, you must know that inside out.

    Sure there'll be a few other suggestions to follow.

    So for now, welcome to the forum.
    if I say something that can be taken one of two ways and one of them offends, I usually mean the other one :-)
  • Pash (Member, Posts: 1,600)
    laidbackfreak wrote: »
    So for your first post you revive a thread that's 20 months old and ask a question that's not even related to it!!

    Oh well... to answer your question, I'd say subnetting; you need to know it inside out. NAT and ACLs are always tricky (trying to get on topic of this thread!). The OSI model, you must know that inside out.

    Sure there'll be a few other suggestions to follow.

    So for now, welcome to the forum.

    What this chap said +1

    This thread is actually a perfect example of why these forums are so, so helpful, not just from a study perspective or certification perspective but more importantly in real-world application of this stuff:

    dtlokee says:

    "Sometimes people will add a "deny any log" command (or "deny ip any any log" for an extended ACL) so they can log any packets that don't match any rules in the list. If this is the case you will need to explicitly add it."

    The number of hours of troubleshooting saved by adding commands like this when performing work on ACLs is insane. Reading these posts and these forums does save time; learn from each other!
    DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
  • kryolla (Member, Posts: 785)
    Pash wrote: »
    What this chap said +1

    This thread is actually a perfect example of why these forums are so, so helpful, not just from a study perspective or certification perspective but more importantly in real-world application of this stuff:

    dtlokee says:

    "Sometimes people will add a "deny any log" command (or "deny ip any any log" for an extended ACL) so they can log any packets that don't match any rules in the list. If this is the case you will need to explicitly add it."

    The number of hours of troubleshooting saved by adding commands like this when performing work on ACLs is insane. Reading these posts and these forums does save time; learn from each other!

    You can also use an ACL to classify traffic to see what kind of traffic is passing through, with a permit any at the end :)

    edit:

        permit tcp any any eq http
        permit tcp any any eq telnet
        permit icmp any any
        etc
        etc
        permit ip any any

    The final permit ip any any is for everything else you don't want to see counters for.
    Studying for CCIE and drinking Home Brew
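Added example, not code from any poster in this thread: a small Python model of how IOS walks an extended ACL top-down with the unlisted implicit deny consulted last. It shows why dtlokee's explicit "deny ip any any log" is the only way to see what the implicit deny silently drops, and how kryolla's classification list with a trailing permit ip any any turns the hit counters into a traffic breakdown. The Ace class, the matching logic and the sample packets are all constructed assumptions, not IOS internals.

```python
import ipaddress
from dataclasses import dataclass
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass
class Ace:
    """One access-control entry: a hypothetical model of an IOS extended ACL line."""
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol, otherwise exact match
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    dport: "int | None" = None       # None means no "eq <port>" qualifier
    log: bool = False                # the IOS "log" keyword
    hits: int = 0                    # the match counter that "show access-lists" displays

def matches(ace, pkt):
    return ((ace.proto == "ip" or ace.proto == pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in ace.src
            and ipaddress.ip_address(pkt["dst"]) in ace.dst
            and (ace.dport is None or ace.dport == pkt.get("dport")))
def evaluate(acl, pkt, log):
    """Top-down, first match wins. The unlisted implicit deny is consulted last and
    carries no 'log' keyword, so whatever it drops never shows up in the log."""
    for ace in acl + [Ace("deny", "ip")]:
        if matches(ace, pkt):
            ace.hits += 1
            if ace.log:
                log.append(f"{ace.action} {pkt['proto']} {pkt['src']} -> {pkt['dst']}:{pkt.get('dport', '-')}")
            return ace.action == "permit"
# Constructed sample traffic, not a real capture; the last flow matches no explicit line.
PACKETS = [
    {"proto": "tcp", "src": "10.1.1.10", "dst": "10.2.2.5", "dport": 80},
    {"proto": "tcp", "src": "10.1.1.10", "dst": "10.2.2.5", "dport": 23},
    {"proto": "icmp", "src": "10.1.1.11", "dst": "10.2.2.5"},
    {"proto": "tcp", "src": "10.1.1.12", "dst": "10.2.2.5", "dport": 22},
]

def run(acl):
    """Return (packets permitted, log lines, per-line hit counters) for the sample traffic."""
    log = []
    permitted = sum(evaluate(acl, p, log) for p in PACKETS)
    return permitted, log, [a.hits for a in acl]
def filtering_acl(explicit_deny_log=False):
    acl = [Ace("permit", "tcp", dport=80), Ace("permit", "tcp", dport=23), Ace("permit", "icmp")]
    if explicit_deny_log:
        acl.append(Ace("deny", "ip", log=True))  # dtlokee's "deny ip any any log"
    return acl

def classification_acl():
    return filtering_acl() + [Ace("permit", "ip")]  # kryolla's counter-only variant
```

Without the explicit logged deny the SSH flow is dropped with no trace; with it, the same flow produces a log line and a hit on the last entry, while the classification list permits everything and simply counts it.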
  • Pash (Member, Posts: 1,600)
    kryolla wrote: »
    You can also use an ACL to classify traffic to see what kind of traffic is passing through, with a permit any at the end :)

    Well of course, it depends on your scenario though, surely? I mean, a highly locked-down router or L3 switch might already have hundreds of lines of ACLs in place; as long as we all remember that ACLs are read sequentially when they are checked, then there are several options available to us.
    DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
  • Cyanic (Member, Posts: 289)
    I feel sorry for the router and the admin of any 100+ line ACL.
  • Pash (Member, Posts: 1,600)
    Cyanic wrote: »
    I feel sorry for the router and the admin of any 100+ line ACL.

    Agreed, but this is a bureaucratic world as we all know; everything is audited and then audited some more. I've seen much worse than 500+ ACL lines. Poorly designed ACLs? Nope... just following customer requirements.
    DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
  • laidbackfreak (Member, Posts: 991)
    Pash wrote: »
    Agreed, but this is a bureaucratic world as we all know; everything is audited and then audited some more. I've seen much worse than 500+ ACL lines. Poorly designed ACLs? Nope... just following customer requirements.

    500? Pah, that's nothing. I was on a contract a couple of years back for a demerger of two companies that had back-to-back firewalls in place with around 5000 lines in place!!
    It was INSANE, but it worked. There was a lot of political infighting and non-trust going on...
    if I say something that can be taken one of two ways and one of them offends, I usually mean the other one :-)
  • Cyanic (Member, Posts: 289)
    Routers are not firewalls, and using them to perform this function is simply bad practice.
  • Pash (Member, Posts: 1,600)
    laidbackfreak wrote: »
    500? Pah, that's nothing. I was on a contract a couple of years back for a demerger of two companies that had back-to-back firewalls in place with around 5000 lines in place!!
    It was INSANE, but it worked. There was a lot of political infighting and non-trust going on...

    Ohh, I hear you; that was just an example figure. I honestly think the inside of me would slowly die without Notepad++ and ExamDiff to work on the configs each time we make changes. We have to enable telnet each time we go onsite to work on a couple of 6509s; no SSH, because our customer doesn't want to pay the IOS feature upgrade costs. Yet they pay IBM security pen testers lord knows what for them to turn around and say telnet is bad... go figure.
    Cyanic wrote: »
    Routers are not firewalls, and using them to perform this function is simply bad practice.

    Depends on your scenario again, and the requirements. Picture a banking organisation with segregated VLANs where even traffic internally within the company has to be filtered. To be cost effective, said banking organisation only wants to use the L3 switches in their environment to achieve this; this is where these big configs start to grow as the requests for more traffic passing come in. Sure, in an ideal world you would have HA ASAs/SSGs everywhere to act as proper stateful firewalls, but cost is still all relative.
    DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.