ACL question

WHen no access list statements match the packet being checked, the packet is allowed.

True or False?

What do you all think? I say theres no way to tell with this amount of information. Wouldn't you have to know whether permit ip any any was at the end of the statement. If it was not, then yes the packet will get denied.

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

darkchronos

well if i remember correctly theres an implicit "deny all" at the end of every access list ....
... so false

NeonNoodle

Netstudent wrote:

WHen no access list statements match the packet being checked, the packet is allowed.

True or False?

What do you all think? I say theres no way to tell with this amount of information. Wouldn't you have to know whether permit ip any any was at the end of the statement. If it was not, then yes the packet will get denied.

'permit ip any any' is a match for all IP packets, so it can't be in the access list. And, as was mentioned above, all access lists end with an implicit deny all. So, I would agree the answer is false.

larkspur

I second what darkchronos said.

Slowhand

Yup. Anyone who has ever been logged in remotely to a router, created an ACL rule, and then "applied" the list with a misspelled name or the wrong number, can tell you that no packets go in or out thanks to that implicit deny statement at the end of every ACL. Nothing says "shame" quite like having to trudge to the server room with a laptop under one arm, a rollover cable in the other hand, and your head hanging down as you go to fix your self-imposed lockout.

LOkrasa

Slowhand wrote:

Yup. Anyone who has ever been logged in remotely to a router, created an ACL rule, and then "applied" the list with a misspelled name or the wrong number, can tell you that no packets go in or out thanks to that implicit deny statement at the end of every ACL. Nothing says "shame" quite like having to trudge to the server room with a laptop under one arm, a rollover cable in the other hand, and your head hanging down as you go to fix your self-imposed lockout.

Sounds like someone speaking from experience... hehe

Netstudent

NeonNoodle wrote:

Netstudent wrote:

WHen no access list statements match the packet being checked, the packet is allowed.

True or False?

What do you all think? I say theres no way to tell with this amount of information. Wouldn't you have to know whether permit ip any any was at the end of the statement. If it was not, then yes the packet will get denied.

'permit ip any any' is a match for all IP packets, so it can't be in the access list. And, as was mentioned above, all access lists end with an implicit deny all. So, I would agree the answer is false.

okay so if permit ip any any was issued, then that would constitute a match and therefore is irrelevant to the question. *sigh* long day....

Slowhand

Netstudent wrote:

okay so if permit ip any any was issued, then that would constitute a match and therefore is irrelevant to the question. *sigh* long day....

Well, your original question is perfectly reasonable. Can you tell, by the statement "When no access list statements match the packet being checked, the packet is allowed." is a big clue to the answer. If you knew nothing else about an ACL, aside from the fact that a packet being checked doesn't match any of the rules stated, then you'd know that the packet is going to be dropped and that the statement is false. You're very correct, a "permit any any" statement would constitute a match, but the original question doesn't mention it. If you saw that as a question on an exam, for example, or you were trying to troubleshoot an ACL, then that would be enough to know that the packet hits the built-in "deny" statement at the end, and gets dropped.