Packet Filtering Considerations And Example; Implicit Deny - ADC CUDA 3 Administration Manual

IP Access Switch CLI-based Administration Guide

340 CHAPTER 15: IP PACKET FILTERING

Packet Filtering Considerations and Example

This section reviews the considerations you should keep in mind when creating packet filters, and provides examples using the access-list and access-class commands. When configuring packet filtering, consider the information in the next two sections.

Implicit Deny

Access lists contain an implicit deny at the end, so packets for which no match is found are rejected. When more than one access list is applied to an interface, a packet that matches no rule in one list is compared against the access list with the next highest priority, and so on through each list in turn. If no match is found after the packet has been applied to the final access list on the interface, the packet is dropped.
For example, the following access list will cause all IP packets to be rejected:

    cli:172.16.19.10:interface:pos:csi(1/3/1)# access-list 2 deny 1 ip 172.16.19.20 0.0.0.0 any

Because that is the only rule defined in the list, the composition of access list 2 is currently:

    deny 172.16.19.20 any
    deny any any

All packets are rejected: packets from source 172.16.19.20 to any destination are denied by the explicit rule, and every packet that does not match 172.16.19.20 is denied by the implicit deny. To solve this, place a permit any statement in the list as follows:

    cli:172.16.19.10:interface:pos:csi(1/3/1)# access-list 2 permit 2 ip any any

Access list 2 now consists of the following rules:

    deny 172.16.19.20 any
    permit any any
    deny any any

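To make the evaluation order described above concrete, here is an added example (not code from the manual or the product): a small Python simulator of the access-list semantics, built around access list 2 exactly as the page constructs it. The function names, the sample addresses 10.0.0.5 and 10.0.0.9, and the assumption that a lower rule or list number is evaluated first (as in the page's example, where rule 1 precedes rule 2) are mine.

```python
import ipaddress

# Added example, not code from the CUDA manual or the product: a simulator of
# the access-list semantics described above (rules tried in priority order,
# first match wins, a packet matching nothing in one list falls through to the
# next list on the interface, implicit deny after the last list). Only
# source/destination matching is modelled; the "ip" keyword is taken to cover
# all IP traffic. Assumption: lower rule/list numbers are evaluated first.

def wildcard_match(addr, base, wildcard):
    """Wildcard-mask comparison: a 1 bit in the mask means 'don't care', so
    0.0.0.0 demands an exact host match and 255.255.255.255 matches all."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)

def addr_match(addr, spec):
    """spec is the CLI keyword "any" or a (base, wildcard) pair."""
    return spec == "any" or wildcard_match(addr, *spec)

def rule(priority, action, src, dst):
    return {"priority": priority, "action": action, "src": src, "dst": dst}

def first_match(rules, src, dst):
    """Action of the first matching rule in one list, or None if none match."""
    for r in sorted(rules, key=lambda x: x["priority"]):
        if addr_match(src, r["src"]) and addr_match(dst, r["dst"]):
            return r["action"]
    return None

def filter_packet(access_lists, src, dst):
    """access_lists: [(list_number, rules), ...] applied to one interface.
    Only after the final list fails to match does the implicit deny apply."""
    for _, rules in sorted(access_lists, key=lambda x: x[0]):
        action = first_match(rules, src, dst)
        if action is not None:
            return action
    return "deny"  # the implicit deny at the end

# Access list 2 as the page builds it: the deny rule alone, then with the fix.
ACL2_DENY_ONLY = [rule(1, "deny", ("172.16.19.20", "0.0.0.0"), "any")]
ACL2_FIXED = ACL2_DENY_ONLY + [rule(2, "permit", "any", "any")]

if __name__ == "__main__":
    for src in ("172.16.19.20", "10.0.0.5"):  # constructed sample sources
        print(src, filter_packet([(2, ACL2_DENY_ONLY)], src, "10.0.0.9"),
              filter_packet([(2, ACL2_FIXED)], src, "10.0.0.9"))
```

With the deny rule alone every source is dropped; after the permit any rule is added only 172.16.19.20 is still denied, and a packet matching nothing in an earlier list is decided by the next list rather than dropped.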
ADC Telecommunications, Inc.