RE: Nesting ACLs - update

From: Guyler, Rik (rguyler@shp-dayton.org)
Date: Fri Aug 05 2005 - 14:37:36 GMT-3


I still get matches on the permits in the individual ACLs. The denies get
counted on the DROP ACL.

One note - while playing with this, I found that adding the keyword "log" to
the end of an ACL statement in this config renders the statement useless.
For example, if I change "permit ip any any" to "permit ip any any log" in the DROP
ACL, that ACL is not used so everything goes into the class-default class
where it is permitted by the policy. Removing the "log" keyword corrects
the problem and now traffic is once again blocked as it should be. I've
heard of other issues with the log keyword but not this so I'm glad you
asked!

Rik

-----Original Message-----
From: James Ventre [mailto:messageboard@ventrefamily.com]
Sent: Friday, August 05, 2005 12:48 PM
To: ccielab@groupstudy.com
Subject: Re: Nesting ACLs - update

Guyler, Rik wrote:
>I wanted to report back that I worked out a solution to nest ACLs by
>using a service policy.

Did you lose your ability to see ACE matches/hits/counters?

James
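As an added illustration (not part of the original thread and not Rik's actual config), the layout below is one way to build the "nested ACL via service policy" scheme the thread discusses: each per-service ACL is wrapped in its own class, a catch-all DROP ACL is wrapped in a class with the drop action, and anything left over falls through to class-default. All ACL, class, policy and interface names (WEB, DNS, DROP, CM-WEB, CM-DNS, CM-DROP, NESTED, FastEthernet0/0) are assumed for the example.

```ios
! Added example, assumed names throughout. Per-service ACLs hold only permits;
! the hit counters on these ACEs are where the "permit" matches show up.
ip access-list extended WEB
 permit tcp any any eq www
 permit tcp any any eq 443
ip access-list extended DNS
 permit udp any any eq domain
!
! Catch-all ACL. Its single permit ACE is what gets counted for dropped
! traffic, because the drop action lives in the policy-map, not in the ACL.
! Per Rik's observation above, appending "log" to this ACE stopped the class
! from matching, so the keyword is deliberately left off here.
ip access-list extended DROP
 permit ip any any
!
class-map match-all CM-WEB
 match access-group name WEB
class-map match-all CM-DNS
 match access-group name DNS
class-map match-all CM-DROP
 match access-group name DROP
!
! Classes are evaluated top to bottom; first match wins. CM-WEB and CM-DNS
! carry no action, so matching packets are forwarded normally. CM-DROP comes
! last before class-default so only traffic no earlier class claimed is dropped.
policy-map NESTED
 class CM-WEB
 class CM-DNS
 class CM-DROP
  drop
 class class-default
!
interface FastEthernet0/0
 service-policy input NESTED
```

To check that the classification behaves as described, `show policy-map interface FastEthernet0/0` reports per-class packet counts (including drops under CM-DROP), and `show ip access-lists` shows which ACEs inside each nested ACL were hit. If everything lands in class-default instead of CM-DROP, re-check the DROP ACL for a stray `log` keyword, which is the symptom the thread reports.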



This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:01:18 GMT-3