04-26-2005 10:16 AM - edited 02-20-2020 09:27 PM
Do we need to add a deny at the end of the permit statements in an AL?
Thanks
04-26-2005 10:33 AM
The behavior of the access list will be the same whether you add a deny at the end or not. There is an implicit deny all at the end of every access list. So any packet that gets to the bottom of the access list without being permitted will be denied whether you have added a deny or not.
Many of us do add a deny at the end even if it is not needed. Sometimes it is helpful to see the deny in understanding the functionality of the access list. And some of us like having a deny at the end so that when we do a show access-list we can look at the counters and see how many packets got to the bottom and got denied.
So I would say that you might decide that you want to add the deny but that you do not need to do so.
HTH
Rick
04-26-2005 11:13 PM
As Rick says, functionally it does not make any difference.
I like to put an explicit deny at the end of the access-list with the log keyword, so that I can track down the access violations. However, this does tend to make everything process switched, and so can affect the performance of the system.
Another thing to consider on IOS prior to 12.2(15)T is that if you put an explicit deny at the end of the list, there is no way to add further permit lines. The only way was to blow away the whole access-list and start over. After that version the access-list lines were numbered, so you can insert lines at will.
Kevin Dorrell
Luxembourg
04-27-2005 03:26 AM
Are named access lists supported after ver 12.2(15)?
04-27-2005 03:38 AM
Named access-lists were supported well before 12.2(15) - from 11.2 onwards in fact.
What 12.2(15)T added was line numbers on access lists, so that you could insert an extra line in the middle of a list.
Kevin Dorrell
Luxembourg
04-27-2005 03:48 AM
What's the command to insert a line in the middle of the list? And we can also remove a particular line, that's the deny in our case, in a named ACL know...
04-27-2005 04:05 AM
Here is a document all about it:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a0080134a60.html
Hope this helps.
Kevin Dorrell
Luxembourg
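The sequence-number editing discussed in this thread, as an added example that is not part of any post above or of the linked Cisco document. The ACL name EDGE-IN and the 192.0.2.x addresses are constructed placeholders, and it assumes an IOS release with access-list line numbering (12.2(15)T or later, per the thread).

```cisco
! Constructed example: EDGE-IN and the 192.0.2.x hosts are placeholders.
configure terminal
!
! Initial list. Entries are numbered 10, 20, 30 by default.
ip access-list extended EDGE-IN
 permit tcp any host 192.0.2.10 eq 443
 permit tcp any host 192.0.2.10 eq 22
 ! Explicit final deny: filters exactly as the implicit deny would,
 ! but has its own match counter and, with "log", produces log messages.
 deny ip any any log
end
!
! Exec mode: list the entries with sequence numbers and match counters.
show ip access-lists EDGE-IN
!
configure terminal
! Insert a permit ahead of the final deny by using a number between 20 and 30.
ip access-list extended EDGE-IN
 25 permit udp any host 192.0.2.53 eq domain
!
! Remove only the explicit deny (sequence 30). The implicit deny still
! drops anything that no permit matched.
ip access-list extended EDGE-IN
 no 30
!
! Renumber the remaining entries: start at 10, increment by 10.
ip access-list resequence EDGE-IN 10 10
end
```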