[c-nsp] "dynamic" access-list
Ueli Heuer
papierkuebel at gmail.com
Sat Jun 11 19:45:54 EDT 2005
On 6/11/05, Scott Weeks <surfer at mauigateway.com> wrote:
>
>
> Hello,
>
> Did anyone get back to you on this?
>
> now I tried to ping the hosts from a 'wrong' IP-Address, to check if
> the access list is working. I did not believe, the pings replied!
>
> There're no denies on the ACLs. Everything is allowed and that's why the
> ping replies came back to you.
You forgot that `deny ip any any` is not written at the end of every
ip access-list; it does not need to be written.

The workaround, a standard access list, works as expected:

    ip access-list standard DSLAMs
    permit a.b.c.0 0.0.0.255

The mysterious thing is, the access list changed from time to time!
The configured statement was

    permit udp a.b.c.0 0.0.0.255 any eq snmp

and it changed to

    permit udp a.b.c.0 0.0.0.255 0.0.0.0 0.0.0.3 eq snmp

or

    permit udp a.b.c.0 0.0.0.255 0.0.0.0 0.0.0.7 eq snmp

or

    permit udp a.b.c.0 0.0.0.255 0.0.0.0 0.0.0.15 eq snmp

And this is for sure not what I configured.

Kind regards,
Ueli
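
An added example, not part of the original message and not Cisco code: a small evaluator for the extended-ACL entries quoted above, applying first-match with the implicit deny and Cisco wildcard semantics, to check whether a destination of `0.0.0.0 0.0.0.3` is equivalent to `any`. The address 192.0.2.0 is a constructed stand-in for a.b.c.0, and all function names are hypothetical.

```python
import ipaddress

PORTS = {"snmp": 161}  # only the port keyword used in the message

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: bits set in the wildcard are ignored."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)

def parse_entry(line):
    """Parse '<action> <proto> SRC SWILD (any | DST DWILD) eq PORT'."""
    t = line.split()
    action, proto, src, swild, rest = t[0], t[1], t[2], t[3], t[4:]
    if rest[0] == "any":
        dst, dwild, rest = "0.0.0.0", "255.255.255.255", rest[1:]
    else:
        dst, dwild, rest = rest[0], rest[1], rest[2:]
    if rest[:1] != ["eq"] or len(rest) != 2:
        raise ValueError("unsupported entry: " + line)
    port = PORTS[rest[1]] if rest[1] in PORTS else int(rest[1])
    return action, proto, (src, swild), (dst, dwild), port

def evaluate(acl_lines, proto, src, dst, dport):
    """First matching entry wins; no match falls through to the implicit deny."""
    for line in acl_lines:
        action, p, (s, sw), (d, dw), port = parse_entry(line)
        if (p == proto and dport == port
                and wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)):
            return action
    return "deny"

# Constructed sample entries: 192.0.2.0 replaces the a.b.c.0 placeholder.
CONFIGURED = ["permit udp 192.0.2.0 0.0.0.255 any eq snmp"]
REWRITTEN = ["permit udp 192.0.2.0 0.0.0.255 0.0.0.0 0.0.0.3 eq snmp"]

if __name__ == "__main__":
    for name, acl in (("configured", CONFIGURED), ("rewritten", REWRITTEN)):
        for dst in ("198.51.100.5", "0.0.0.2"):
            print(name, dst, evaluate(acl, "udp", "192.0.2.10", dst, 161))
```

Diffing the intended entry against the running configuration with a check like this makes a silent rewrite of the destination field visible as a change in permit/deny results.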