access list

aksher
Level 1

Do we need to add a deny at the end of the permit statements in an ACL?

thanks

6 Replies

Richard Burts
Hall of Fame

The behavior of the access list will be the same whether you add a deny at the end or not. There is an implicit deny all at the end of every access list. So any packet that gets to the bottom of the access list without being permitted will be denied whether you have added a deny or not.

Many of us do add a deny at the end even if it is not needed. Sometimes it is helpful to see the deny in understanding the functionality of the access list. And some of us like having a deny at the end so that when we do a show access-list we can look at the counters and see how many packets got to the bottom and got denied.

So I would say that you might decide that you want to add the deny but that you do not need to do so.

HTH

Rick

Kevin Dorrell
Level 10

As Rick says, functionally it does not make any difference.

I like to put an explicit deny at the end of the access-list with the log keyword, so that I can track down the access violations. However, this does tend to make everything process switched, and so can affect the performance of the system.

Another thing to consider on IOS prior to 12.2(15)T is that if you put an explicit deny at the end of the list, there is no way to add further permit lines. The only way was to blow away the whole access-list and start over. After that version the access-list lines were numbered, so you can insert lines at will.

Kevin Dorrell

Luxembourg

Are named access lists supported after ver 12.2(15)?

Named access-lists were supported well before 12.2(15) - from 11.2 onwards in fact.

What 12.2(15)T added was line numbers on access lists, so that you could insert an extra line in the middle of a list.

Kevin Dorrell

Luxembourg
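To make the two points of this thread concrete (Rick's: every list ends in an implicit deny, and an explicit "deny any" at the bottom only adds a visible counter and optional logging; Kevin's: with sequence numbers a line can be inserted or removed without rebuilding the list), here is a small Python model of an IP access list. It is an added illustration, not IOS code and not from any poster; the ACL name INSIDE, the sequence numbers and the 10.1.x.0/24 and 192.0.2.1 addresses are constructed for the example.

```python
"""Toy model of a Cisco-style IP access list.

Illustrates (1) the implicit deny that ends every list, (2) why people add an
explicit 'deny any log' anyway (counters and log lines), and (3) inserting or
removing an entry by sequence number. Not IOS code; all values are constructed.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Entry:
    seq: int                        # sequence number (the 12.2(15)T feature)
    action: str                     # "permit" or "deny"
    network: ipaddress.IPv4Network  # source prefix to match
    log: bool = False               # emulate the 'log' keyword
    matches: int = 0                # counter as shown by 'show access-list'


@dataclass
class AccessList:
    name: str
    entries: list = field(default_factory=list)
    implicit_denies: int = 0        # not visible in IOS; kept here for the demo
    log_lines: list = field(default_factory=list)

    def add(self, seq, action, prefix, log=False):
        """Insert an entry at a sequence number, keeping the list ordered."""
        if any(e.seq == seq for e in self.entries):
            raise ValueError(f"sequence {seq} already in use")
        self.entries.append(Entry(seq, action, ipaddress.ip_network(prefix), log))
        self.entries.sort(key=lambda e: e.seq)

    def remove(self, seq):
        """Remove one entry by sequence number (e.g. 'no 100')."""
        self.entries = [e for e in self.entries if e.seq != seq]

    def check(self, src):
        """Evaluate a source address top-down; first match wins."""
        addr = ipaddress.ip_address(src)
        for e in self.entries:
            if addr in e.network:
                e.matches += 1
                if e.log:
                    self.log_lines.append(f"{self.name}: {e.action} {src} (seq {e.seq})")
                return e.action
        # Fell off the bottom: implicit deny. No entry, so no counter to inspect.
        self.implicit_denies += 1
        return "deny"

    def show(self):
        """Approximate 'show access-list' output, one string per entry."""
        return [f"{e.seq} {e.action} {e.network}{' log' if e.log else ''} "
                f"({e.matches} matches)" for e in self.entries]


def demo():
    """Build the constructed INSIDE list and run a few packets through it."""
    acl = AccessList("INSIDE")
    acl.add(10, "permit", "10.1.1.0/24")
    acl.add(20, "permit", "10.1.2.0/24")
    acl.add(100, "deny", "0.0.0.0/0", log=True)      # explicit 'deny any log'
    results = [acl.check(s) for s in ("10.1.1.5", "10.1.2.7", "192.0.2.1")]
    # Insert a new permit between 10 and 20 using a free sequence number.
    acl.add(15, "permit", "10.1.3.0/24")
    results.append(acl.check("10.1.3.9"))
    return acl, results


if __name__ == "__main__":
    acl, results = demo()
    print(results)
    print("\n".join(acl.show()))
    print(acl.log_lines)
```

Running the demo shows 192.0.2.1 hitting the explicit deny and producing a counter and a log line; remove sequence 100 and the same packet is still dropped, but now by the implicit deny, with nothing to count or log, which is exactly the difference Rick and Kevin describe.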

What's the command to insert a line in the middle of the list? And can we also remove a particular line, that's the deny in our case, in a named ACL now...

Here is a document all about it:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a0080134a60.html

Hope this helps.

Kevin Dorrell

Luxembourg