Filter
Top Products
24-4 Riverstone Networks RS Switch Router User Guide Release 8.0
ACL Basics Access Control List Configuration
If you were to reverse the order of the two rules:
all TCP packets would be allowed to go through, including traffic from subnet 10.2.0.0/16. This is because TCP traffic
coming from 10.2.0.0/16 would match the first rule and be allowed to go through. The second rule would not be looked
at since the first match determines the action taken on the packet.
24.1.3 Implicit Deny Rule
At the end of each ACL, the system automatically appends an implicit deny rule. This implicit deny rule denies all
traffic. For a packet that doesn’t match any of the user-specified rules, the implicit deny rule acts as a catch-all rule.
All packets match this rule.
This is done for security reasons. If an ACL is misconfigured, and a packet that should be allowed to go through is
blocked because of the implicit deny rule, the worst that could happen is inconvenience. On the other hand, if a packet
that should not be allowed to go through is instead sent through, there is now a security breach. Thus, the implicit deny
rule serves as a line of defense against accidental misconfiguration of ACLs.
To illustrate how the implicit deny rule is used, consider the following ACL:
With the implicit deny rule, this ACL actually has three rules:
If a packet comes in and doesn't match the first two rules, the packet is dropped. This is because the third rule (the
implicit deny rule) matches all packets.
Although the implicit deny rule may seem obvious in the above example, this is not always the case. For example,
consider the following ACL rule:
acl 101 permit tcp any any any any
acl 101 deny tcp 10.2.0.0/16 any any any
acl 101 permit ip 1.2.3.4/24
acl 101 permit ip 4.3.2.1/24 any nntp
acl 101 permit ip 1.2.3.4/24 any any any
acl 101 permit ip 4.3.2.1/24 any nntp any
acl 101 deny any any any any any
acl 102 deny ip 10.1.20.0/24 any any any