[c-nsp] LOG ACL
Gert Doering
gert at greenie.muc.de
Mon Jan 30 17:25:08 EST 2006
Hi,
On Sun, Jan 29, 2006 at 11:27:17PM -0500, Ed Ravin wrote:
> Something like this:
>
> ip access-list extended log_an_ip
>  permit ip host 1.2.3.4 any log
>  permit ip any host 1.2.3.4 log
>  permit ip any any
>  deny ip any any
>
> You need the deny at the end in some environments because the ACL
> will be optimized into a no-op since it permits all traffic.

The last sentence is definitely not true on any cisco router. All ACLs
end with an implicit "deny ip any any".

It's a bit different for route-maps without an explicit permit/deny at
the end, but in ACLs, I have not seen a single case where it didn't
work as expected.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
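
Added example (not part of the original post): a minimal Python model of first-match ACL evaluation with the implicit trailing deny described in the reply, run against the ACL quoted above. The names `Ace`, `evaluate` and `shadowed` are hypothetical, and only the `host` and `any` address forms used in that ACL are modelled.

```python
# Illustration only: a simplified model, not Cisco code.
from typing import NamedTuple, Optional

class Ace(NamedTuple):
    action: str        # "permit" or "deny"
    src: str           # "any" or a single host address
    dst: str           # "any" or a single host address
    log: bool = False

# Every ACL ends with this entry even though it is not in the configuration.
IMPLICIT_DENY = Ace("deny", "any", "any")

# The ACL quoted in the thread, including the explicit trailing deny.
LOG_AN_IP = [
    Ace("permit", "1.2.3.4", "any", log=True),
    Ace("permit", "any", "1.2.3.4", log=True),
    Ace("permit", "any", "any"),
    Ace("deny", "any", "any"),
]

def _match(pattern: str, addr: str) -> bool:
    return pattern == "any" or pattern == addr

def evaluate(acl, src: str, dst: str):
    """Return (action, logged, index) for the first matching entry.
    index is None when only the implicit deny matched."""
    for i, ace in enumerate(acl):
        if _match(ace.src, src) and _match(ace.dst, dst):
            return ace.action, ace.log, i
    return IMPLICIT_DENY.action, False, None

def shadowed(acl):
    """Indexes of entries that can never match because an earlier,
    equal or broader entry always matches first."""
    def covers(a: Ace, b: Ace) -> bool:
        return _match(a.src, b.src) and _match(a.dst, b.dst)
    return [j for j, b in enumerate(acl)
            if any(covers(a, b) for a in acl[:j])]

if __name__ == "__main__":
    # Constructed sample packets (source, destination).
    for pkt in [("1.2.3.4", "10.0.0.1"), ("10.0.0.1", "1.2.3.4"),
                ("10.0.0.1", "10.0.0.2")]:
        print(pkt, evaluate(LOG_AN_IP, *pkt))
    print("unreachable entries:", shadowed(LOG_AN_IP))
    print("log-only ACL:", evaluate(LOG_AN_IP[:2], "10.0.0.1", "10.0.0.2"))
```
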