[c-nsp] LOG ACL
Gert Doering
gert at greenie.muc.de
Tue Jan 31 06:16:47 EST 2006
Hi,
On Tue, Jan 31, 2006 at 10:44:43AM -0000, Tim Franklin wrote:
> > The last sentence is definitely not true on any cisco router.
> > All ACLs end with an implicit "deny ip any any".
> >
> > It's a bit different for route-maps without an explicit permit/deny at
> > the end, but in ACLs, I have not seen a single case where it didn't
> > work as expected.
>
> Crypto maps? ACLs that have at least one entry do end with the implicit
> "deny ip any any", but IME non-existent ACLs are treated as "permit ip any
> any" rather than deny.
Yep, this is correct, for all sorts of "packet matching" ACLs - but not
necessarily so for route export/import ACLs.
For *existing* ACLs, there's always a "deny ip any any" at the end...
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
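
Added example, not part of the original thread: a small config audit that lists packet-matching references (`ip access-group`, `access-class`, crypto map `match address`) to ACLs that have no entries in the same configuration, the case the thread says is treated as "permit ip any any". The sample config is constructed, and treating a named ACL with a header but no entries like a missing one is an assumption based on the "at least one entry" wording above.

```python
import re

# Constructed sample config for illustration; not taken from the thread.
SAMPLE_CONFIG = """\
access-list 101 permit tcp any host 192.0.2.10 eq 22
ip access-list extended EDGE-IN
 permit tcp any host 192.0.2.10 eq 443
ip access-list extended MGMT
interface GigabitEthernet0/0
 ip access-group EDGE-IN in
 ip access-group EDGE-OUT out
crypto map VPN 10 ipsec-isakmp
 match address 101
line vty 0 4
 access-class MGMT in
"""

NUMBERED = re.compile(r"^access-list (\S+) (?:permit|deny)\b")
NAMED = re.compile(r"^ip access-list (?:standard|extended) (\S+)")
ENTRY = re.compile(r"^\s+(?:\d+\s+)?(?:permit|deny)\b")
# Packet-matching references only; route-map "match ip address" is left out
# because the thread says routing ACLs do not necessarily behave the same way.
REFERENCE = re.compile(r"^\s+(?:ip access-group|access-class|match address) (\S+)")

def acls_with_entries(lines):
    """Names/numbers of ACLs that have at least one permit/deny entry."""
    populated, current = set(), None
    for line in lines:
        if (m := NUMBERED.match(line)):
            populated.add(m.group(1))
        elif (m := NAMED.match(line)):
            current = m.group(1)
        elif current and ENTRY.match(line):
            populated.add(current)
        elif not line[:1].isspace():
            current = None  # left the named-ACL block
    return populated

def dangling_acl_references(config):
    """Return (parent line, ACL) for each reference to an ACL with no entries."""
    lines = config.splitlines()
    populated = acls_with_entries(lines)
    findings, parent = [], None
    for line in lines:
        if line and not line[0].isspace() and line != "!":
            parent = line  # remember the enclosing top-level command
        if (m := REFERENCE.match(line)) and m.group(1) not in populated:
            findings.append((parent, m.group(1)))
    return findings
```

Each finding is a place where the filter a reader expects from the config is not actually defined, so it should be reviewed before relying on the implicit deny.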