09-10-2009 09:58 AM - edited 03-06-2019 07:40 AM
Folks, just wanted to confirm this is right:
Imagine people are not sure which IPs should be allowed on a certain ACL. Then I need to find it. I thought about adding a "deny any any log" to the end of the ACL. The way I understand it, the "deny any any" is at the end of every single ACL anyway and all I will do is gather "log" output, correct?
ip access-list extended MYACL
10 permit icmp any any
20 permit ip host 1.1.1.1 any
30 permit, etc
40 deny ...
100 permit ip any any
200 deny ip any any log <=== Add deny here
09-10-2009 10:04 AM
Marlon
Conceptually you are correct that every access list has a deny any any at its end. And what you are doing is to make that explicit and adding the log parameter which will generate a log record showing what was denied.
This is the only reliable way to determine what should have been permitted and that was missed in constructing the access list.
Be aware that when you use the log parameter in the access list it will result in process switching of that packet since the CPU must be engaged to create the log entry.
And in the particular example that you give specifying the deny any any log is useless. If the preceding line was permit any any then nothing will ever hit the final deny any any log.
HTH
Rick
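To make the two points in the answer above concrete (first match wins with an unlogged implicit deny at the end, and a "permit ip any any" placed before "deny ip any any log" makes the logging entry unreachable), here is a small simulator. It is an added example, not code from the thread or from Cisco: it parses a simplified extended-ACL syntax (sequence number, permit/deny, protocol, source, destination, optional "log"), evaluates a packet against it, and flags entries that an earlier, broader entry shadows. The three ACLs inside it are constructed to mirror MYACL from the post; the addresses 10.0.0.5 and 192.0.2.1 are invented test inputs.

```python
"""Simulate Cisco extended ACL first-match evaluation, including the implicit
deny at the end, and flag ACEs that an earlier, broader ACE shadows.
Added example; the ACL text below is constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Ace:
    seq: int
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    log: bool


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # A Cisco wildcard mask is an inverted netmask; only contiguous wildcards
    # (the common case) are handled here.
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ wildcard)
    return ipaddress.ip_network(f"{tokens[i]}/{netmask}", strict=False), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse lines of the form '<seq> <permit|deny> <proto> <src> <dst> [log]'."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or not t[0].isdigit():
            continue                       # skip the 'ip access-list' header
        src, i = _parse_addr(t, 3)
        dst, i = _parse_addr(t, i)
        aces.append(Ace(int(t[0]), t[1], t[2], src, dst, "log" in t[i:]))
    return sorted(aces, key=lambda a: a.seq)


def evaluate(acl: List[Ace], proto: str, src: str, dst: str) -> Tuple[str, Optional[int], bool]:
    """Return (action, matching seq, logged). First match wins; if nothing
    matches, the implicit deny applies and no log record is produced."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.proto in ("ip", proto) and s in ace.src and d in ace.dst:
            return ace.action, ace.seq, ace.log
    return "deny", None, False


def shadowed(acl: List[Ace]) -> List[int]:
    """Seq numbers of ACEs that can never match because a single earlier ACE
    already covers every packet they describe, e.g. a 'permit ip any any'
    placed before a 'deny ip any any log'."""
    out = []
    for idx, ace in enumerate(acl):
        for earlier in acl[:idx]:
            if (earlier.proto in ("ip", ace.proto)
                    and ace.src.subnet_of(earlier.src)
                    and ace.dst.subnet_of(earlier.dst)):
                out.append(ace.seq)
                break
    return out


# Constructed ACLs modelled on the thread's MYACL (not the poster's exact config).
ACL_PERMIT_ANY_FIRST = """
ip access-list extended MYACL
 10 permit icmp any any
 20 permit ip host 1.1.1.1 any
 100 permit ip any any
 200 deny ip any any log
"""
ACL_LOGGING_DENY = """
ip access-list extended MYACL
 10 permit icmp any any
 20 permit ip host 1.1.1.1 any
 200 deny ip any any log
"""
ACL_IMPLICIT_DENY_ONLY = """
ip access-list extended MYACL
 10 permit icmp any any
 20 permit ip host 1.1.1.1 any
"""

if __name__ == "__main__":
    for name, text in [("permit-any-first", ACL_PERMIT_ANY_FIRST),
                       ("logging-deny", ACL_LOGGING_DENY),
                       ("implicit-deny-only", ACL_IMPLICIT_DENY_ONLY)]:
        acl = parse_acl(text)
        print(name, evaluate(acl, "tcp", "10.0.0.5", "192.0.2.1"),
              "shadowed:", shadowed(acl))
```

Running it shows the three cases side by side: with the permit-any entry first, unmatched traffic is permitted at 100 and entry 200 is reported as shadowed, so no log line can ever appear; without entry 100, the same packet is denied at 200 with logging on; with no explicit deny at all, the packet is still dropped by the implicit deny but nothing is logged. The simulator ignores ports, "established" and non-contiguous wildcards, and does not model the process-switching cost of "log" that the answer warns about.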
07-29-2020 02:12 PM
If I do not add the "deny ip any any", will it allow the traffic to flow?