
Basic ACL question 2

Status
Not open for further replies.

North323

Technical User
Jan 13, 2009
966
US
I thought that ACLs are processed top down... correct? So what is the best way these rules should be added:


access-list 100 deny ip 14.2.6.0 0.0.0.255 any log
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny ip 0.0.0.0 0.255.255.255 any log
access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
access-list 100 deny ip 192.0.2.0 0.0.0.255 any log
access-list 100 deny ip 169.254.0.0 0.0.255.255 any log
access-list 100 deny ip 224.0.0.0 15.255.255.255 any log
access-list 100 deny ip host 255.255.255.255 any log
access-list 100 deny icmp any any echo log
access-list 100 deny icmp any any redirect log
access-list 100 deny icmp any any mask-request log
access-list 100 deny udp any any log
access-list 100 permit ip any X.Y.156.0 0.0.0.127 log


or

access-list 100 permit ip any X.Y.156.0 0.0.0.127 log
access-list 100 deny ip 14.2.6.0 0.0.0.255 any log
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny ip 0.0.0.0 0.255.255.255 any log
access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
access-list 100 deny ip 192.0.2.0 0.0.0.255 any log
access-list 100 deny ip 169.254.0.0 0.0.255.255 any log
access-list 100 deny ip 224.0.0.0 15.255.255.255 any log
access-list 100 deny ip host 255.255.255.255 any log
access-list 100 deny icmp any any echo log
access-list 100 deny icmp any any redirect log
access-list 100 deny icmp any any mask-request log
access-list 100 deny udp any any log
 
I will tell you one thing: "permit ip any any" needs to be at the bottom or no traffic will be allowed.

The first list is what you want.
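To make the first-match point behind "the first list is what you want" concrete, here is an added Python simulator of the ACL 100 entries above; it is not code from the thread or from Cisco. It assumes 203.0.113.0/25 (TEST-NET-3) in place of the anonymised X.Y.156.0 0.0.0.127 and keeps only a subset of the deny entries.

```python
import ipaddress
# Constructed example: 203.0.113.0/25 (TEST-NET-3) stands in for the thread's
# anonymised X.Y.156.0 0.0.0.127, and only a subset of its deny entries is used.
DENIES = [
    "access-list 100 deny ip 127.0.0.0 0.255.255.255 any log",
    "access-list 100 deny ip 10.0.0.0 0.255.255.255 any log",
    "access-list 100 deny ip 192.168.0.0 0.0.255.255 any log",
    "access-list 100 deny icmp any any echo log",
    "access-list 100 deny udp any any log",
]
PERMIT = "access-list 100 permit ip any 203.0.113.0 0.0.0.127 log"
ACL_DENY_FIRST = DENIES + [PERMIT]    # the first list in the question
ACL_PERMIT_FIRST = [PERMIT] + DENIES  # the second list

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: 0 bits must match, 1 bits are don't-care."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == n & care

def parse_addr(tok, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' at tok[i]."""
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2

def parse_entry(line):
    """access-list <n> <permit|deny> <proto> <src> <dst> [icmp-type] [log]"""
    tok = line.split()
    src, i = parse_addr(tok, 4)
    dst, i = parse_addr(tok, i)
    extra = [t for t in tok[i:] if t != "log"]
    return {"action": tok[2], "proto": tok[3], "src": src, "dst": dst,
            "icmp_type": extra[0] if extra else None}

def evaluate(acl, proto, src, dst, icmp_type=None):
    """Return (action, 1-based line of the first match). Falling off the end
    hits the implicit 'deny ip any any' that closes every Cisco ACL."""
    for n, e in enumerate(parse_entry(line) for line in acl):
        if e["proto"] != "ip" and e["proto"] != proto:
            continue
        if not (wildcard_match(src, *e["src"]) and wildcard_match(dst, *e["dst"])):
            continue
        if e["icmp_type"] is not None and e["icmp_type"] != icmp_type:
            continue
        return e["action"], n + 1
    return "deny", None  # implicit deny, no explicit line matched
```

With the deny-first list, a packet from 10.1.2.3 to the protected /25 is stopped by the 10.0.0.0 entry; with the permit-first list the same packet matches the permit on line 1 and the deny entries below it are never consulted. Anything that reaches the end of either list is dropped by the implicit deny.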
 
I always use named extended ACLs. It makes it logically easy for people to troubleshoot down the road. Additionally, it is a million times easier to edit later on.


 
If

access-list 100 permit ip any X.Y.156.0 0.0.0.127 log

is all you want, then that is the only statement you need---no deny statements are necessary, if this is the only traffic you need.

Brian---you can edit numbered ACLs the same way you edit named ACLs, after release 12.1 or something. Also, keeping this in mind, you can put "description filter blabla traffic" in there as well.

Burt
 
Yes, Burt, I was aware... I just used named ACLs as it's easier for me to remember what the ACL is used for in my old age and all. :)
 