44.2.1.1 Implicit "Deny Any Data Flow" Rule Statement
Every access list ends with an implicit "deny any data flow" rule statement. Therefore,
a packet that matches none of the rules is denied, as shown in the following example:
access-list 1 permit host 192.168.4.12
This list permits only packets from host 192.168.4.12 and denies packets from every other
host, because the list implicitly contains the following rule statement at its end:
access-list 1 deny any
Here is another example:
access-list 1 deny host 192.168.4.12
If this is the only statement in the list, packets from every host are denied on the port:
packets from 192.168.4.12 by the explicit statement, and packets from all other hosts by
the implicit "deny any" at the end of the list.
Consider routing update packets when defining an access list. Because the end of every
access list "denies all data flow", an access list that does not explicitly permit
routing-protocol traffic blocks all routing update packets on the interface it is applied to.
44.2.1.2 Order of Entering Rule Statements
Each added rule is appended to the end of the access list. Once a statement has been
created it cannot be deleted on its own; only the whole access list can be deleted. The
order of the access list statements is therefore very important. When deciding whether to
forward or block a packet, the device compares the packet against the statements in the
order in which they were created. After it finds a matching statement, it does not check
any further rule statements.
If you create a statement that matches all data flow (permitting or denying it), the
statements that follow it will never be checked, as shown in the following example:
access-list 101 deny ip any any
access-list 101 permit tcp 192.168.12.0 0.0.0.255 eq telnet any
Because the first rule statement denies all IP packets, Telnet packets from hosts on the
192.168.12.0/24 network are denied as well: once the device finds that a packet matches
the first rule statement, it does not check the remaining rule statements. To obtain the
intended result, the permit statement must be entered before the deny statement.
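As an added illustration that is not part of this manual, the following Python script simulates how a device evaluates the statements in 44.2.1.1 and 44.2.1.2: the first matching statement wins, and a packet that matches nothing falls through to the implicit "deny any". The parser accepts the statement syntax used in the examples above (`host`, `any`, an address with a wildcard mask, and an `eq` port clause). The split between basic lists (1-99, source address only) and extended lists (100-199, protocol, source and destination), the port-name table, and the packets being evaluated are all assumptions constructed for this example, not behaviour or traffic taken from a real device.

```python
"""Simulated first-match evaluation of numbered IP access lists (added example).
Assumptions: lists numbered <= 99 are basic (source only), others extended;
PORT_NAMES is a small made-up name table; packets below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "http": 80, "https": 443}


def _ip(text: str) -> int:
    """Dotted-quad address or wildcard mask as a 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


def _port(tok: str) -> int:
    return PORT_NAMES[tok.lower()] if tok.lower() in PORT_NAMES else int(tok)


@dataclass(frozen=True)
class AddrMatch:
    addr: int                   # address written in the statement
    wild: int                   # wildcard mask: a 1 bit means "don't care"
    port: Optional[int] = None  # port from an 'eq' clause, if present

    def matches(self, ip: int, port: Optional[int]) -> bool:
        care = ~self.wild & 0xFFFFFFFF          # bits that must be equal
        if (ip & care) != (self.addr & care):
            return False
        return self.port is None or self.port == port


ANY = AddrMatch(0, 0xFFFFFFFF)  # 'any': every address bit is don't-care


@dataclass(frozen=True)
class Entry:
    number: int
    action: str     # 'permit' or 'deny'
    proto: str      # 'ip' matches every IP protocol; 'tcp'/'udp' only that one
    src: AddrMatch
    dst: AddrMatch
    text: str       # statement as entered, for reporting


def _parse_addr(toks: List[str], i: int) -> Tuple[AddrMatch, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD', then optional 'eq PORT'."""
    tok = toks[i].lower()
    if tok == "any":
        m, i = ANY, i + 1
    elif tok == "host":
        m, i = AddrMatch(_ip(toks[i + 1]), 0), i + 2
    else:
        m, i = AddrMatch(_ip(tok), _ip(toks[i + 1])), i + 2
    if i < len(toks) and toks[i].lower() == "eq":
        m, i = AddrMatch(m.addr, m.wild, _port(toks[i + 1])), i + 2
    return m, i


def parse_entry(line: str) -> Entry:
    """Parse one 'access-list N permit|deny ...' statement (case-insensitive)."""
    toks = line.split()
    if len(toks) < 4 or toks[0].lower() != "access-list":
        raise ValueError(f"not an access-list statement: {line!r}")
    number, action = int(toks[1]), toks[2].lower()
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in {line!r}")
    if number <= 99:                       # basic list: source address only
        proto, dst = "ip", ANY
        src, i = _parse_addr(toks, 3)
    else:                                  # extended: protocol, source, destination
        proto = toks[3].lower()
        src, i = _parse_addr(toks, 4)
        dst, i = _parse_addr(toks, i)
    if i != len(toks):
        raise ValueError(f"unexpected tokens {toks[i:]} in {line!r}")
    return Entry(number, action, proto, src, dst, line.strip())


def evaluate(acl: List[Entry], proto: str, src_ip: str, dst_ip: str,
             src_port: Optional[int] = None,
             dst_port: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First match wins.  Returns (action, index of the matching statement);
    an index of None means the implicit trailing 'deny any' was applied."""
    s, d = _ip(src_ip), _ip(dst_ip)
    for idx, e in enumerate(acl):
        if e.proto != "ip" and e.proto != proto.lower():
            continue
        if e.src.matches(s, src_port) and e.dst.matches(d, dst_port):
            return e.action, idx
    return "deny", None


# The manual's own statements; the capitalised 'Access-list' form is accepted too.
ACL_1 = [parse_entry("access-list 1 permit host 192.168.4.12")]
ACL_1_DENY_ONLY = [parse_entry("Access-list 1 deny host 192.168.4.12")]
ACL_101_WRONG_ORDER = [parse_entry(stmt) for stmt in (
    "access-list 101 deny ip any any",
    "access-list 101 permit tcp 192.168.12.0 0.0.0.255 eq telnet any",
)]
ACL_101_RIGHT_ORDER = list(reversed(ACL_101_WRONG_ORDER))

if __name__ == "__main__":
    # Constructed sample packets, not captured traffic.
    print(evaluate(ACL_1, "tcp", "192.168.4.12", "10.0.0.1"))    # ('permit', 0)
    print(evaluate(ACL_1, "tcp", "192.168.4.13", "10.0.0.1"))    # ('deny', None)
    print(evaluate(ACL_1, "ospf", "192.168.4.1", "224.0.0.5"))   # ('deny', None)
    print(evaluate(ACL_101_WRONG_ORDER, "tcp", "192.168.12.7", "10.0.0.1", src_port=23))  # ('deny', 0)
    print(evaluate(ACL_101_RIGHT_ORDER, "tcp", "192.168.12.7", "10.0.0.1", src_port=23))  # ('permit', 0)
```

The third call shows the routing-update caveat from 44.2.1.1: a constructed OSPF packet that no statement in list 1 mentions is dropped by the implicit deny, and the last two calls show that swapping the two statements of list 101 changes the outcome for the same Telnet packet.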
44.2.2 Configuring IP Access List
The configuration of a basic access list includes the following steps:
Define a basic access list.
Apply the access list to a specific interface.