Tuesday, May 10, 2011

Order Matters When Denying IP Ranges in Access Control Lists

Always make sure that everything is in the correct order.

When setting up access control lists, you may have lines denying particular IPs, but these are ignored if they are in the wrong order. Cisco evaluates an access list from the top down and stops at the first entry that matches, so a deny line only takes effect for IPs that have not already been matched by an earlier permit.
For example, suppose you want to permit all IP addresses in a particular subnet, with a given exception.
If you issue a "permit" clause with the access-list command, it permits the entire range of IPs you specify. Any "deny" clause that comes later is never reached for IPs already matched by that permit. So if you want to exclude a range of addresses, issue the "deny" first, before the "permit" for any range that includes the range you are denying.
Alternatively, list every range you want to permit, and then deny all other IPs with a "deny ip any any" clause. For example, the following line for access-list 101 denies all IPs that have not already been permitted by the lines above it (Cisco access lists end with an implicit deny, so this line filters nothing extra, but an explicit entry records a hit count in "show access-lists", which makes the blocked traffic visible):

 access-list 101 deny ip any any

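As an added example (not code from the original post), the following Python script models Cisco's top-down, first-match evaluation and runs the same three entries in both orders against the excepted host. The ACL lines, addresses and the intent (permit 192.0.2.0/24 except one host) are constructed for this illustration.

```python
import ipaddress

# Constructed sample ACLs in Cisco IOS syntax (not from the original post).
# Intent for both: permit 192.0.2.0/24 except the single host 192.0.2.10.
WRONG_ORDER = """
access-list 101 permit ip 192.0.2.0 0.0.0.255 any
access-list 101 deny ip host 192.0.2.10 any
access-list 101 deny ip any any
"""
RIGHT_ORDER = """
access-list 101 deny ip host 192.0.2.10 any
access-list 101 permit ip 192.0.2.0 0.0.0.255 any
access-list 101 deny ip any any
"""

def _parse_addr(tokens):
    """Consume one IOS address spec ('any', 'host A.B.C.D' or 'A.B.C.D wildcard')
    from the token list; a wildcard mask is inverted into a normal netmask."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    netmask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False)

def parse_acl(text):
    """Turn 'access-list N <permit|deny> ip SRC DST' lines into (action, src, dst) tuples."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[3] != "ip":
            raise ValueError(f"unsupported ACE: {line}")
        action, rest = tokens[2], tokens[4:]
        src = _parse_addr(rest)
        dst = _parse_addr(rest)
        entries.append((action, src, dst))
    return entries

def evaluate(acl, src_ip, dst_ip):
    """Cisco semantics: top down, first matching entry wins, implicit deny at the end."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action
    return "deny"  # implicit deny when nothing matched

if __name__ == "__main__":
    for name, text in (("wrong order", WRONG_ORDER), ("right order", RIGHT_ORDER)):
        print(name, "->", evaluate(parse_acl(text), "192.0.2.10", "198.51.100.1"))
```

With the permit first, the excepted host is permitted because the deny beneath it is never reached; with the deny first, the host is blocked while the rest of the subnet still passes.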
© TECH NEXT INDIA 2011. Powered by Blogger.