quick ACL query

alliasneo Member Posts: 186
Hey guys,

Just wanted to double check something.

Am I correct in thinking that if you add an ACL, e.g.:

#access-list 20 deny 172.20.20.0 0.0.0.255

and then after put in:

#access-list 20 permit any

This second line will negate the implicit deny rule? If this line was not in place, then it would automatically drop all packets? Just curious about this line.

Thanks

Comments

  • Roguetadhg Member Posts: 2,489
    Yes. It will negate the deny rule.
    Yes. The un-listed "deny any any" statement will kick in right after the first deny statement. It will block any packets that are not filtered out by the first-most statement(s).

    For example, this is the address:
    172.20.20.0 /27

    access-list 20 deny 172.20.20.0 0.0.0.3
    ** Block 172.20.20.0 - .3**
    access-list 20 permit 172.20.20.0 0.0.0.7
    ** Permit 172.20.20.0 - .7 **
    (( Applied outbound in fa0/0 ))
    (( Packet is sent SA: 172.20.20.129 ))
    (( Blocked outbound at fa0/0, after being routed to the interface ))

    If you want to watch the [show access-list] counter increment for the unwritten "deny any", just type it in: "access-list 20 deny any", then watch the counter increment higher. Pretty sweet.
    In order to succeed, your desire for success should be greater than your fear of failure.
    TE Threads: How to study for the CCENT/CCNA, Introduction to Cisco Exams

  • alliasneo Member Posts: 186
    Roguetadhg wrote: »
    Yes. It will negate the deny rule.
    Yes. The un-listed "deny any any" statement will kick in right after the first deny statement

    Cool, that's great, thanks.
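The first-match-then-implicit-deny behaviour discussed in this thread, as an added example that is not code from any poster: a small simulator for Cisco standard ACL lines that applies wildcard masks top-down, falls through to the implicit deny, and keeps per-entry hit counters the way "show access-list" does. The two ACLs are the ones from the question and from Roguetadhg's reply; the source addresses fed to it are constructed test inputs.

```python
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: 0 bits must match, 1 bits are don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_acl(lines):
    """Parse 'access-list <n> <permit|deny> <src> [wildcard]' lines into tuples."""
    entries = []
    for line in lines:
        tokens = line.lstrip("#").split()
        if tokens[0] != "access-list":
            raise ValueError(f"not a standard ACL line: {line!r}")
        action, *src = tokens[2:]
        if src[0] == "any":
            base, wild = "0.0.0.0", "255.255.255.255"
        elif src[0] == "host":
            base, wild = src[1], "0.0.0.0"
        elif len(src) == 1:            # bare address in a standard ACL means a host
            base, wild = src[0], "0.0.0.0"
        else:
            base, wild = src[0], src[1]
        entries.append((action, base, wild))
    return entries


def evaluate(entries, src):
    """Return (action, index) for the first matching entry; index None means
    the packet fell off the end and hit the implicit 'deny any'."""
    for idx, (action, base, wild) in enumerate(entries):
        if wildcard_match(src, base, wild):
            return action, idx
    return "deny", None


def hit_counts(entries, sources):
    """Per-entry match counters plus a final slot for the implicit deny,
    mirroring the counters shown by 'show access-list'."""
    counts = [0] * (len(entries) + 1)
    for src in sources:
        _, idx = evaluate(entries, src)
        counts[len(entries) if idx is None else idx] += 1
    return counts


OP_ACL = ["#access-list 20 deny 172.20.20.0 0.0.0.255", "#access-list 20 permit any"]
ROGUE_ACL = ["access-list 20 deny 172.20.20.0 0.0.0.3",
             "access-list 20 permit 172.20.20.0 0.0.0.7"]
```

Adding an explicit "access-list 20 deny any" line moves the implicit-deny hits onto a real entry, which is exactly why the counter becomes visible.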