HELLFIRE to krock83
Re: [CCNA] ACL's

corrected / clarified, I knew I should've consulted my little black book on this one...

CCNA factoids to know (according to the good book of Cisco) :

- standard ACLs are put close to the source and extended ACLs are put close to the destination.
For some reason CCNA WILL drill these two points into you.

- ACLs are processed in top-down order

- there is an implicit deny at the end of every list, but as cramer pointed out, it depends on the
way the ACL is constructed

- ACLs use the wildcard mask, i.e. "permit 192.168.1.0 0.0.0.255" would permit anything matching the pattern
192.168.1.[anything]. The way to think of how this operates is that a 0 means that particular bit will
be checked for a match, while a 1 means it will not be checked for a match.

Thanks for the correction cramer

EDIT : wanted to ask where you came across an 'implicit permit'. First time I've heard of it.

Regards
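The three mechanics in the post above (wildcard-mask bit checking, top-down first-match processing, and the implicit deny at the end of the list) can be modelled in a few lines. The following is an added example, not code from the thread or from Cisco; it is a Python model of how IOS evaluates a standard ACL, and the ACL entries and test addresses are constructed for illustration. It goes slightly beyond the post by also showing a non-contiguous wildcard (0.0.0.254), which the bit-by-bit rule handles naturally even though it is not a subnet mask.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard means that bit of addr
    must equal the corresponding bit of network; a 1 bit means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & ALL_ONES  # bits that are checked (wildcard 0 -> care 1)
    return (a & care) == (n & care)


def evaluate_standard_acl(entries, src: str) -> str:
    """entries: list of (action, network, wildcard) in configured order.
    Entries are tested top-down and the first match decides; if nothing
    matches, the implicit 'deny any' at the end of every IOS ACL applies."""
    for action, network, wildcard in entries:
        if wildcard_match(src, network, wildcard):
            return action
    return "deny"  # implicit deny


# Constructed example ACL, equivalent to:
#   access-list 10 deny   host 192.168.1.5
#   access-list 10 permit 192.168.1.0 0.0.0.255
# ('host x' is shorthand for wildcard 0.0.0.0; 'any' is 0.0.0.0 255.255.255.255)
ACL_10 = [
    ("deny", "192.168.1.5", "0.0.0.0"),
    ("permit", "192.168.1.0", "0.0.0.255"),
]


def demo():
    """Return decisions for a few constructed source addresses."""
    return {src: evaluate_standard_acl(ACL_10, src)
            for src in ("192.168.1.5", "192.168.1.77", "10.0.0.1")}


if __name__ == "__main__":
    for src, decision in demo().items():
        print(f"{src:15} -> {decision}")
    # Reversing the two lines changes the result for 192.168.1.5: order matters.
    print("reversed:", evaluate_standard_acl(list(reversed(ACL_10)), "192.168.1.5"))
```

Running it shows 192.168.1.5 denied by the first line, 192.168.1.77 permitted by the second, and 10.0.0.1 denied by the implicit deny; swapping the two lines lets 192.168.1.5 through, which is the top-down point in a nutshell.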
cramer
said by HELLFIRE:

- standard ACLs are put close to the source and extended ACLs are put close to the destination.
What does that even mean? Std acls only have one address -- I'll assume they mean "source address". Extd acls specify both src and dst addresses. (I don't use std acls (where possible) because of this ambiguity.)
EDIT : wanted to ask where you came across about an 'implicit permit'. First time I've heard of it.
IOS 10.0 documentation from decades past (and maybe pix docs.) It's not like Cisco engineers don't wake up one morning and decide to change the way stuff has worked for 10 years. *cough*asa 8.3*cough*