Hi, I know it might sound like a silly doubt, but I need to know: ACL
happyalways
Member Posts: 14
in CCNA & CCENT
Hi.
I have read about ACLs and watched a few videos as well, but I have a doubt.
My doubt is: "I know there is an implicit DENY ALL statement at the end of all ACLs." For example, this is the scenario: I want to restrict only a particular host, should permit only the 2nd and 3rd IPs in that subnet, and permit everyone else. Say that restricted IP is 192.168.1.1/24.
So according to me, my ACL statements would be as follows, as an ACL is applied from TOP TO BOTTOM:
ACL X (the ACL number)
"permit 2nd IP of the subnet - wildcard bits
permit 3rd IP of the subnet - wildcard bits
deny 192.168.1.1 0.0.0.0
permit all"
-->> One of my other friends, who is also appearing for the exam, is telling me that the permit all statement should be first:
"ACL X (the ACL number)
permit all
permit 2nd IP of the subnet - wildcard bits
permit 3rd IP of the subnet - wildcard bits
deny 192.168.1.1 0.0.0.0"
I want to know what the correct procedure is. Anyone on this forum? It's a little urgent; I have my exam on Monday.
Thanks
Comments
boredgamelad Member Posts: 365
You're right. In your friend's ACL, every packet would match the "permit" in the first line and the packet would be allowed. None of the other lines would matter because they wouldn't be read.
happyalways Member Posts: 14
Thanks boredgamelad.
Also, if I give a permit all ACL statement as the last line in my ACL, does it mean that it negates the deny all statement?
And then there is no purpose in writing an ACL with just one statement, permit any any.
Right? OK, let me ask again: if I give permit any any, the ACL is useless, right?
lantech Member Posts: 329
It will read the ACLs in the order that you write them. Once it finds a match it then stops reading the ACL and performs the action that is matched. So if your first statement is permit all then everything will be matched and it will stop reading the ACL and let everything through.
2012 Certification Goals
CCENT: 04/16/2012
CCNA: TBD
Death Dream Member Posts: 149
lantech wrote: "It will read the ACLs in the order that you write them. Once it finds a match it then stops reading the ACL and performs the action that is matched. So if your first statement is permit all then everything will be matched and it will stop reading the ACL and let everything through."
Exactly. You shouldn't listen to your friend anymore haha