
ACL Implicit deny

Camster187 Registered Users Posts: 5
Was doing an extended ACL on a Packet Tracer lab, of which the final statement was: "all other access is implicitly denied" as an objective. As far as I am aware, nothing needs to be typed at the end of an ACL if you plan to implicitly deny all other traffic. However, this Packet Tracer lab actually wanted me to type 'deny ip any any'. Just wondering, if this came up in the exam, would I be expected to type it out, as the ACL will naturally do what's been asked anyway?

Comments

  • laidbackfreak Member Posts: 991
    If you get something like that in an exam situation, my advice would be to actually type in the commands. While you understand that the rule is there, and that's a good thing, would you really want to risk losing points due to a silly interpretation of a question?
    if I say something that can be taken one of two ways and one of them offends, I usually mean the other one :-)
  • Camster187 Registered Users Posts: 5
    laidbackfreak wrote: »
    If you get something like that in an exam situation my advice would be to actually type in the commands. While you understand that the rule is there thats a good thing, would you really want to risk losing points due to a silly interpretation of a question.

    That's a fair point really; it's something I will have to start making a habit of from now on, in that case. Thanks.
  • bermovick Member Posts: 1,135
    I'm not sure I would 100% agree with that, although I can see both arguments being valid.

    On one hand, Jeremy from CBTNuggets said it's not a bad idea to add the deny any any line to the end of your ACLs just so when you're reviewing them you don't have to always remember it's there, which makes sense. Plus your lab apparently wanted it added.

    On the other hand though, it's there for a reason, and you'd think a Cisco exam wouldn't make you add it to an ACL when Cisco coded in the automatic deny any any, or mark you wrong for not adding something that they already (invisibly) do. Plus the word implicit does mean 'implied, rather than expressly stated' (among other definitions), suggesting the implied deny any any at the end should be enough.
    Latest Completed: CISSP

    Current goal: Dunno
  • wbosher Member Posts: 422
    A good reason for manually typing the deny any statement is so that when you do a show access-list you can see how many matches this got.
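The behaviour the original post and the comment above describe, as an added example that is not part of the thread and not Cisco's code: a small Python simulator of first-match evaluation for an extended ACL. The ACL syntax is a simplified subset of IOS (permit/deny, a protocol, source and destination as any / host / address-with-wildcard, and an optional "eq PORT"), the sample ACLs and the traffic are constructed for the illustration, and the per-entry hit counters model what show access-lists displays. Packets that fall off the end of an ACL with no explicit deny are dropped by the implicit deny, which has no entry and therefore nothing to count; the same packets run against the ACL with an explicit deny ip any any are counted on that line. The unreachable_entries check is the caveat that goes with the habit: anything appended after an explicit catch-all deny can never match.

```python
"""Simulate Cisco-style extended ACL evaluation (added example, not IOS code).

Syntax supported (a constructed subset of IOS for this illustration):
    permit|deny PROTO SRC DST [eq PORT]
    SRC/DST := any | host A.B.C.D | A.B.C.D WILDCARD
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Ace:
    """One access-control entry; 'hits' models the IOS per-line match counter."""
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol, else tcp/udp/icmp
    src: object            # ipaddress network object
    dst: object
    dport: Optional[int]   # from "eq N", or None meaning any port
    hits: int = 0


ANY = ip_network("0.0.0.0/0")


def _parse_addr(tokens):
    """Consume one address spec from the token list and return a network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return ip_network(f"{tokens.pop(0)}/32")
    wildcard = tokens.pop(0)
    # ipaddress accepts a host (wildcard) mask where a prefix length would go.
    return ip_network(f"{tok}/{wildcard}", strict=False)


def parse_acl(text):
    """Parse ACL text, one entry per line, skipping blanks, '!' and remarks."""
    entries = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] in ("!", "remark"):
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src = _parse_addr(rest)
        dst = _parse_addr(rest)
        dport = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
        entries.append(Ace(action, proto, src, dst, dport))
    return entries


def evaluate(acl, proto, src, dst, dport=None):
    """First-match evaluation. Returns (action, matching Ace or None).

    A packet that matches no entry is denied by the implicit deny: there is
    no Ace for it, so nothing is incremented and nothing can be shown.
    """
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if ip_address(src) not in ace.src or ip_address(dst) not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        ace.hits += 1
        return ace.action, ace
    return "deny", None


def show_access_list(acl):
    """Render entries with match counts, in the spirit of 'show access-lists'."""
    out = []
    for ace in acl:
        port = f" eq {ace.dport}" if ace.dport is not None else ""
        out.append(f"{ace.action} {ace.proto} {ace.src} {ace.dst}{port} ({ace.hits} matches)")
    return out


def unreachable_entries(acl):
    """Indices of entries shadowed by an earlier 'deny/permit ip any any'.

    Entries appended after an explicit catch-all can never be matched.
    """
    for i, ace in enumerate(acl):
        if ace.proto == "ip" and ace.src == ANY and ace.dst == ANY and ace.dport is None:
            return list(range(i + 1, len(acl)))
    return []


# Constructed sample ACLs: identical except for the explicit final deny.
ACL_IMPLICIT = """
permit tcp 10.0.0.0 0.0.0.255 host 192.0.2.10 eq 22
permit icmp any any
"""
ACL_EXPLICIT = ACL_IMPLICIT + "deny ip any any\n"

# Constructed traffic: (proto, src, dst, dport).
TRAFFIC = [
    ("tcp", "10.0.0.5", "192.0.2.10", 22),     # SSH from allowed subnet: permit
    ("tcp", "10.0.0.5", "192.0.2.10", 23),     # telnet: no permit line, denied
    ("udp", "10.0.1.7", "192.0.2.10", 53),     # wrong source subnet, denied
    ("icmp", "10.0.9.9", "192.0.2.10", None),  # permitted by the icmp line
]


def demo():
    """Run TRAFFIC through both ACLs; report counted vs. uncounted denies."""
    results = {}
    for name, text in (("implicit", ACL_IMPLICIT), ("explicit", ACL_EXPLICIT)):
        acl = parse_acl(text)
        counted = uncounted = 0
        for pkt in TRAFFIC:
            action, ace = evaluate(acl, *pkt)
            if action == "deny":
                if ace is None:
                    uncounted += 1
                else:
                    counted += 1
        results[name] = {"counted": counted, "uncounted": uncounted,
                         "listing": show_access_list(acl)}
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name}: {r['counted']} counted denies, {r['uncounted']} uncounted")
        print("\n".join("  " + line for line in r["listing"]))
```

Running it shows the same two denied packets in both cases, but only the explicit variant lists a line carrying "2 matches"; the implicit variant gives no trace of them. If the operational habit is to end every ACL with deny ip any any, pair it with the unreachable_entries check (or its equivalent in your config linting), since IOS appends new entries after that line.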
  • Forsaken_GA Member Posts: 4,024
    I've gotten in the habit of adding the deny at the end for the reason stated above: I don't forget about it when reviewing ACLs. We can all do boneheaded stuff and forget the basics; that's just one way to guard against it.

    And it's not likely you'd be counted off on the exam if you did add it, though if it was looking for it, it would count against you, so just be safe and manually add it.
  • bermovick Member Posts: 1,135
    That's a good point. The exams don't ding you if you do something beyond what's required to 'pass' the question, only if you don't. So it's probably best after all!
    Latest Completed: CISSP

    Current goal: Dunno
  • Forsaken_GA Member Posts: 4,024
    bermovick wrote: »
    That's a good point. The exams don't ding you if you do something beyond what's required to 'pass' the question, only if you don't. So it's probably best after all!

    Generally, if you're trying to do more than the exam requires, the sim will yell at you and say that's not enabled, so you know you're barking up the wrong tree. I can't see them disabling the ability to add a deny all to an access list, though.
  • PhildoBaggins Member Posts: 276
    This seems like it would be a non-issue. The test won't trick ya.

    If it's hard coded in the IOS, it should be part of the test sim unless specified in the question.
  • Paul Boz Member Posts: 2,620
    I manage about 600 firewalls that all have a "deny any any" at the end. It's childish, but I just feel better with the statement there.
    CCNP | CCIP | CCDP | CCNA, CCDA
    CCNA Security | GSEC |GCFW | GCIH | GCIA
    pbosworth@gmail.com
    http://twitter.com/paul_bosworth
    Blog: http://www.infosiege.net/