cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2265
Views
0
Helpful
5
Replies

Default behaviour without ACLs

gavinfoster
Level 1
Level 1

Hello,

I have a Cisco 2600 with IOS 12.3.  I need a very basic configuration to allow traffic between two LANs. To test this I cleared the router config to the factory default state and configured my network addresses on the interfaces.

When I connected a PC to each interface I found they could ping each other, I was expecting to have to write ACLs to permit the traffic into the interfaces, thinking that the default behaviour of the router would be to deny access.

Could someone explain the default bahaviour without any ACLs or other routing configurations?

My config, such as it is, is as follows:

Current configuration : 770 bytes

version 12.3

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

boot-start-marker

boot-end-marker

clock timezone GMT 0

no network-clock-participate slot 1

no network-clock-participate wic 0

no aaa new-model

ip subnet-zero

no ip cef

interface FastEthernet0/0

description interface to core router

ip address ???.49.213.134 255.255.255.252

duplex auto

speed auto

interface FastEthernet0/1

description customer LAN

ip address ???.162.200.233 255.255.255.248

duplex auto

speed auto

no ip http server

no ip http secure-server

ip classless

line con 0

line aux 0

line vty 0 4

login

end

5 Replies 5

Jeff Van Houten
Level 5
Level 5

The default configuration of a router is to route packets. Each acl has an implicit deny ace at the end, but if no acl exists all traffic is allowed.

Sent from Cisco Technical Support iPad App

Thanks Jeff,

In this case is the routing implicit because the destination IPs are in the subnet as the router's interfaces?

short answer, yes. If you run sh ip route command you'll see the routing table. This lists all the routes known by the router with a default for all unknown addresses. Routes are listed by destination subnet. In your case the routes will be marked as having been learned by "c", or connected. So, yes the subnet mask of the interface determines the addresses accessible over that interface.

Sent from Cisco Technical Support iPad App

Correction. The subnet mask and the address on the interface determines the networks accessible over that interface, absent a routing protocol or static routes providing ADDITIONAL routes.

Sent from Cisco Technical Support iPad App

adam.sibille
Level 1
Level 1

To somewhat add on to what Jeff is saying, a router by default will route traffic on it's directly connected interfaces.  The only exception is when you try to route traffic from a private address to a public address.  Now later if you add a second router in the mix, you will have to use static routes or a routing protocol to allow communication between those subnets since other router's subnets aren't directly connected.

If you were configuring a firewall type device, say an ASA, then you would have to edit the acls applied to it's interfaces to allow traffic to pass from one security zone to another.