[c-nsp] std acl funnies
Saku Ytti
saku+cisco-nsp at ytti.fi
Thu Oct 30 05:57:30 EDT 2008
I just had to share this.
q: can host 42.42.42.42 telnet to the router?

#conf term
ip access-list standard foo
 permit 10.0.0.0 0.255.255.255
 deny any log
line vty 0 15
 access-class foo in
end

ip access-list standard foo
 permit host 42.42.42.42
end

#sh ip access-list foo
Standard IP access list foo
    30 permit 42.42.42.42
    10 permit 10.0.0.0, wildcard bits 0.255.255.255
    20 deny any log

Answer is yes, 42.42.42.42 can telnet to the router and
it's expected and documented[0].
IOS still manages to surprise me on issues I thought
to be trivial and thoroughly understood :).
[0] http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#editacls
'The major difference in a standard access list is that the Cisco IOS adds an entry by descending order of the IP address, not on a sequence number.'
--
++ytti
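
The ordering effect described in the post, as an added Python example that is not part of the original message: it evaluates the ACL first-match under sequence-number order and under the descending-address order stated in the quoted Cisco note, and flags permits that end up ahead of an older, broader deny. The ordering function is an assumption modelled on that one quoted sentence, not IOS's actual implementation, and all function names are hypothetical.

```python
import ipaddress

# Constructed model of ACL "foo" from the post: (sequence, action, address, wildcard)
ACL_FOO = [
    (10, "permit", "10.0.0.0", "0.255.255.255"),
    (20, "deny", "0.0.0.0", "255.255.255.255"),   # "deny any log"
    (30, "permit", "42.42.42.42", "0.0.0.0"),     # "permit host 42.42.42.42"
]

def _int(addr):
    return int(ipaddress.IPv4Address(addr))

def matches(entry, src):
    _, _, net, wild = entry
    care = ~_int(wild) & 0xFFFFFFFF   # bits the wildcard mask does not ignore
    return (_int(src) & care) == (_int(net) & care)

def order_by_sequence(acl):
    # What an operator expects: seq 30 lands after "deny any" and never matches.
    return sorted(acl, key=lambda e: e[0])

def order_by_address_desc(acl):
    # Assumption: order exactly as the quoted note says (descending IP address).
    return sorted(acl, key=lambda e: _int(e[2]), reverse=True)

def evaluate(ordered, src):
    # First match wins; returns (action, sequence number of the matching entry).
    for entry in ordered:
        if matches(entry, src):
            return entry[1], entry[0]
    return "deny", None               # implicit deny at the end of every ACL

def permits_ahead_of_older_deny(acl):
    # Sequence numbers of permits evaluated before a deny that covers them
    # and that carries a lower sequence number (i.e. was configured earlier).
    ordered = order_by_address_desc(acl)
    flagged = []
    for i, e in enumerate(ordered):
        if e[1] == "permit" and any(
            d[1] == "deny" and d[0] < e[0] and matches(d, e[2])
            for d in ordered[i + 1:]
        ):
            flagged.append(e[0])
    return flagged

if __name__ == "__main__":
    for name, order in (("sequence", order_by_sequence), ("address-desc", order_by_address_desc)):
        print(name, evaluate(order(ACL_FOO), "42.42.42.42"))
    print("review these entries:", permits_ahead_of_older_deny(ACL_FOO))
```

Running the flagging function over a parsed `show ip access-list` output after each change gives a quick review list of entries whose effective position differs from what their sequence number suggests.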