[c-nsp] LOG ACL
Tim Franklin
tim at colt.net
Tue Jan 31 05:44:43 EST 2006
> The last sentence is definitely not true on any cisco router.
> All ACLs
> end with an implicit "deny ip any any".
>
> It's a bit different for route-maps without an explicit permit/deny at
> the end, but in ACLs, I have not seen a single case where it didn't
> work as expected.
Crypto maps? ACLs that have at least one entry do end with the implicit
"deny ip any any", but IME non-existent ACLs are treated as "permit ip any
any" rather than deny.
This is a good way to shoot yourself in the foot if you're doing in-band
management - 'no access-list blah' (in preparation for a new ACL) without
removing the crypto map from the WAN interface starts trying to encrypt /
decrypt your management traffic along with everything else, and locks you
out of the box.
While you can train / process around it, it's ever so faintly annoying when
someone forgets.
Regards,
Tim.
--
____________ Tim Franklin e: tim at colt.net
\C/\O/\L/\T/ Product Engineering Manager w: www.colt.net
V V V V Managed Data Services t: +44 20 7863 5714
Data | Voice | Managed Services f: +44 20 7863 5876
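The lock-out sequence Tim describes, and one way to avoid it, as an added IOS configuration example (not from the original post or any Cisco documentation). Interface, ACL number, crypto map name and peer address are made up for illustration; the behaviour being demonstrated is the one the post states, namely that a crypto map whose "match address" ACL no longer exists matches all traffic on the interface.

```cisco
! --- Starting point (constructed example) ---
! WAN interface with a crypto map whose interesting-traffic ACL is 101.
! Management traffic reaches the box in-band via this same interface.
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 192.0.2.1
 match address 101
!
interface Serial0/0
 ip address 198.51.100.2 255.255.255.252
 crypto map VPN-MAP

! --- The foot-gun (what the post warns about) ---
! Deleting ACL 101 while VPN-MAP is still applied to Serial0/0 leaves the
! crypto map referencing a non-existent ACL. Per the post, IOS then treats
! that as "permit ip any any": every packet on Serial0/0, including your
! telnet/ssh session, is pushed into the IPsec path and you are locked out.
configure terminal
 no access-list 101
 ! ... session hangs here; the replacement ACL never gets typed in.

! --- Safer sequence ---
! 1. Set a safety net: an unattended reload in 10 minutes that is
!    cancelled once the change is confirmed to be working.
reload in 10
!
! 2. Take the crypto map off the interface *before* touching the ACL, so a
!    missing or half-built ACL cannot be interpreted as "match everything".
!    (Existing IPsec SAs for this map are torn down during the change.)
configure terminal
 interface Serial0/0
  no crypto map VPN-MAP
!
! 3. Now rebuild the ACL; a missing ACL is harmless while the map is
!    detached from the interface.
 no access-list 101
 access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
 access-list 101 permit ip 10.1.0.0 0.0.255.255 10.3.0.0 0.0.255.255
!
! 4. Re-apply the crypto map only when the ACL is complete.
 interface Serial0/0
  crypto map VPN-MAP
 end
!
! 5. Confirm management access still works, then cancel the safety net.
reload cancel
```

An alternative that avoids the detach/re-attach window entirely is to build the replacement under a new ACL number (say 102), then change the single "match address" line in the crypto map to point at it; the old ACL can be deleted afterwards, once nothing references it. Either way, the "reload in" / "reload cancel" pair is the standard belt-and-braces for any in-band change that could cut off the session.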