There is always an implicit deny any at the end. This is IOS.
However, in some cases you can choose to be explicit:
- when you want to log denied packets;
- when you want to make sure your colleagues understand what you did, without
doubt, when they read the cfg;
- when you are speaking in IOS syntax to define a rule for something else;
- ...
bye.
-- mirco

On Sat, Jun 19, 2010 at 8:45 AM, Taufik Kurniawan <ktaufik_at_gmail.com> wrote:
>
> On 18 June 2010 18:44, Mirco Orlandi <mirco.orlandi_at_gmail.com> wrote:
>
>> Hi,
>>
>> Match logic is correct. You forgot only the "explicit permit any" at the
>> end.
>>
>> ip access 1 permit 10.10.15.0 0.0.0.255
>> ip access 1 deny 10.10.1.0 0.0.14.255
>> ip access 1 permit any
>
> That one will block net 1,3,5,7,9,11,13 and permit net 15
>
> now
> if I want to give access net 1,3,5,7,9,11,13 and block net 15
>
> will be like
>
> ip access 1 deny 10.10.15.0 0.0.0.255
> ip access 1 permit 10.10.1.0 0.0.14.255
>
> I don't need to last with ip access 1 deny any as it is already
> explicitly there ? I am right ?
>
>> --
>> Mirco
>>
>> On 18 Jun 2010, at 16:03, Taufik Kurniawan <ktaufik_at_gmail.com> wrote:
>>
>> Hi,
>> kindly confirm ...
>> 1. I want to deny the traffic from the following networks 10.10.1.0,
>> 10.10.3.0, 10.10.5.0, 10.10.7.0, 10.10.9.0, 10.10.11.0 and 10.10.13.0 with
>> all /24
>>
>> and I am doing this ....
>>
>> ip access 1 permit 10.10.15.0 0.0.0.255
>> ip access 1 deny 10.10.1.0 0.0.14.255
>>
>> please kindly confirm, am I doing right ?
>>
>> thanks
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html

Received on Sat Jun 19 2010 - 17:45:23 ART
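The wildcard match and first-match evaluation discussed in this thread, as an added example that is not part of the original messages: a small Python model of a standard ACL with the implicit deny at the end. The function and variable names are hypothetical, and the host addresses are constructed samples.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """IOS wildcard logic: bits set to 1 in the wildcard are ignored,
    every other bit of addr must equal the same bit of base."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def evaluate(acl, src):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return action
    return "deny"  # the implicit "deny any" at the end of every ACL

ANY = ("0.0.0.0", "255.255.255.255")

# First list from the thread: block nets 1,3,...,13, permit 15 and the rest.
ACL_BLOCK_ODD = [
    ("permit", "10.10.15.0", "0.0.0.255"),
    ("deny", "10.10.1.0", "0.0.14.255"),
    ("permit", *ANY),
]
# Second list from the thread: permit nets 1,3,...,13, block 15,
# everything else is dropped by the implicit deny.
ACL_ALLOW_ODD = [
    ("deny", "10.10.15.0", "0.0.0.255"),
    ("permit", "10.10.1.0", "0.0.14.255"),
]

def matched_third_octets(base, wildcard):
    """Which 10.10.N.0/24 networks a base/wildcard pair covers."""
    return [n for n in range(256)
            if wildcard_match(f"10.10.{n}.1", base, wildcard)]

if __name__ == "__main__":
    # 0.0.14.255 also covers net 15, which is why the more specific
    # entry for 10.10.15.0 has to come first in both lists.
    print(matched_third_octets("10.10.1.0", "0.0.14.255"))
    # Constructed sample source addresses.
    for host in ("10.10.3.7", "10.10.15.7", "10.10.2.7", "192.168.1.1"):
        print(host, evaluate(ACL_BLOCK_ODD, host), evaluate(ACL_ALLOW_ODD, host))
```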
This archive was generated by hypermail 2.2.0 : Sun Aug 01 2010 - 09:11:37 ART