02-24-2014 03:09 PM - edited 03-10-2019 12:26 PM
Hello,
If I have the access list configuration mentioned below. As far as the order of operations goes, the router will start from the top and work down until it finds a match. However, let's say it permits 10.87.21.155: will it stop there once it finds a match for that IP address, or will it apply the rest of the IP addresses and go on to the next access list entries, such as 10.87.6.0? What does "match" mean in regard to an access list? Also, it says "permit any"; if that command is there, what is the point of having the commands before it, or is there a need for those access list entries before it? Can anyone explain how an access list with matching and "permit any" statements works?
access-list 10 permit 10.87.21.155
access-list 10 permit 10.87.6.0 0.0.0.255
access-list 10 permit 10.85.3.0 0.0.0.255
access-list 10 permit 10.85.134.0 0.0.0.255
access-list 10 permit any
access-list 10 permit 10.83.17.155
access-list 10 permit 10.83.6.0 0.0.0.255
access-list 10 permit 10.83.2.0 0.0.0.255
access-list 10 permit 10.83.134.0 0.0.0.255
access-list 10 permit any
02-24-2014 03:15 PM
Horacio
An ACL is processed from top to bottom. As soon as a line is found that matches, ACL processing stops. It doesn't matter if there are entries further down that would also match, because it never gets to those entries.
In terms of the ACL above, anything after the 5th line, i.e. "permit any", will never be matched because that line matches everything.
Jon
02-24-2014 03:21 PM
Horacio,
In a "standard" access list like access-list 10,
as soon as the source IP address is matched the packet is either permitted and hence forwarded, or denied and dropped, depending on what the list says.
At the end of every access list there is a deny any.
If you do not want this then you can set permit any.
It is good practice to match traffic as near to the top of the list as possible, as you are wasting CPU time by searching through very long lists.
This link will help you:-
http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html
Regards,
Alex.
Please rate useful posts.
02-24-2014 03:38 PM
Why would the fifth line "access-list 10 permit any" even be used in this configuration?
02-24-2014 03:44 PM
Horacio,
Look at what the list is saying.
permit a
permit b
permit c
permit d
permit any
So what is the point of the list at all?
permit any is going to pass all traffic, so in effect the list is pointless.
You would use something like this, but in reverse:
deny a
deny b
deny c
deny d
permit any
So a, b, c, d would be dropped but everything else will be forwarded.
Regards,
Alex.
Please rate useful posts.
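Added example, not part of any of the posts above: a small Python simulator of the standard-ACL rules Jon and Alex describe (top-down, first match wins, implicit deny any at the end). It parses the original poster's list and a "deny a, b, c, d, permit any" list of the kind Alex suggests, reports which entry a source address hits, and flags entries that can never be reached because an earlier entry already matches everything they would. The parser only understands the standard-ACL syntax shown in the thread (`access-list <n> permit|deny <src> [wildcard]`, `any`, `host <ip>`); the sample lists are constructed for this example, and the helper names are my own, not anything from Cisco IOS.

```python
"""Simulate first-match evaluation of a Cisco-style standard (source-only) ACL.

Added example for this thread, not code from the original posts. Only the
standard-ACL syntax used in the thread is parsed:
    access-list <n> permit|deny <src> [wildcard] | any | host <ip>
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF

# The original poster's list, embedded here as constructed sample input.
OP_ACL = """
access-list 10 permit 10.87.21.155
access-list 10 permit 10.87.6.0 0.0.0.255
access-list 10 permit 10.85.3.0 0.0.0.255
access-list 10 permit 10.85.134.0 0.0.0.255
access-list 10 permit any
access-list 10 permit 10.83.17.155
access-list 10 permit 10.83.6.0 0.0.0.255
access-list 10 permit 10.83.2.0 0.0.0.255
access-list 10 permit 10.83.134.0 0.0.0.255
access-list 10 permit any
"""

# Alex's "deny a, b, c, d, permit any" pattern, filled in with the OP's first
# four sources purely as constructed sample input.
DENY_LIST_ACL = """
access-list 11 deny 10.87.21.155
access-list 11 deny 10.87.6.0 0.0.0.255
access-list 11 deny 10.85.3.0 0.0.0.255
access-list 11 deny 10.85.134.0 0.0.0.255
access-list 11 permit any
"""


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def parse_standard_acl(text):
    """Return a list of (action, address, wildcard, original_line) tuples."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
            raise ValueError(f"not a standard ACL entry: {line!r}")
        action, source = parts[2], parts[3]
        if source == "any":
            address, wildcard = 0, ALL_ONES
        elif source == "host":
            address, wildcard = _ip(parts[4]), 0
        else:
            # A missing wildcard mask means 0.0.0.0, i.e. a single host.
            address = _ip(source)
            wildcard = _ip(parts[4]) if len(parts) > 4 else 0
        entries.append((action, address, wildcard, line))
    return entries


def matches(entry, source_ip):
    """Wildcard-mask compare: 0 bits must match, 1 bits are 'don't care'."""
    _, address, wildcard, _ = entry
    care = ~wildcard & ALL_ONES
    return (_ip(source_ip) & care) == (address & care)


def evaluate(entries, source_ip):
    """Top-down, first match wins. Returns (action, 1-based entry number);
    the number is None when the implicit trailing 'deny any' applies."""
    for number, entry in enumerate(entries, start=1):
        if matches(entry, source_ip):
            return entry[0], number
    return "deny", None


def unreachable_lines(entries):
    """1-based numbers of entries fully shadowed by a single earlier entry
    (an earlier line that matches every address the later line matches).
    Shadowing by a combination of several earlier lines is not detected."""
    shadowed = []
    for later_idx in range(1, len(entries)):
        _, l_addr, l_wc, _ = entries[later_idx]
        for _, e_addr, e_wc, _ in entries[:later_idx]:
            e_care = ~e_wc & ALL_ONES
            # Earlier entry must fix no bits the later one leaves free, and
            # agree with it on the bits it does fix.
            if (l_wc & e_care) == 0 and (l_addr & e_care) == (e_addr & e_care):
                shadowed.append(later_idx + 1)
                break
    return shadowed


if __name__ == "__main__":
    op = parse_standard_acl(OP_ACL)
    for ip in ("10.87.21.155", "10.83.6.5", "192.0.2.1"):
        print("ACL 10", ip, evaluate(op, ip))
    print("ACL 10 unreachable entries:", unreachable_lines(op))
    deny_first = parse_standard_acl(DENY_LIST_ACL)
    for ip in ("10.87.6.9", "192.0.2.1"):
        print("ACL 11", ip, evaluate(deny_first, ip))
```

Running it shows the point of the thread: in the original list every source is permitted, either by one of the first four entries or by entry 5, and entries 6 through 10 are reported as unreachable. In the deny-first list the four named sources stop at their deny entry and everything else falls through to the final permit any; drop that last line and the implicit deny returns `("deny", None)` for the rest.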