Can somebody give me an example, where deny statements are needed? Why can't we just permit all the traffic according to specifications and then let the implicit deny all capture the rest?

Rubus

1 Answer

A deny is required when you want to make an exception from a more general, subsequent permit, e.g. if you don't want a single node to access another subnet, a host, or the open Internet while all the others in the same subnet (or zone) are granted access. For example, to deny 10.0.1.99 access to anywhere else while other nodes from 10.0.1.0/24 are permitted:

deny ip 10.0.1.99 0.0.0.0 0.0.0.0 255.255.255.255
permit ip 10.0.1.0 0.0.0.255 0.0.0.0 255.255.255.255

Using permit only and relying on the ultimate, implicit deny ip any any would require many more rules.

You can also use that logic to explicitly deny traffic that you don't want and then permit everything else.

Additionally, putting an explicit deny ip any any at the end of an ACL may be helpful for people not accustomed to reading ACLs. Also, adding the log option allows you to create log entries, which the default implicit deny doesn't.

Zac67
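The first-match logic behind the answer above, as an added example that is not part of the original post: a small evaluator for Cisco-style extended ACL entries with wildcard masks, applied to the two lines from the answer. It shows that the deny only works as an exception because it precedes the broader permit, that an unmatched packet falls to the implicit deny (which never logs), and how many permit-only entries a "subnet minus one host" rule would otherwise need. The destination address and the helper names are constructed for the example.

```python
import ipaddress

# The two entries from the answer: the exception first, then the broader permit.
ACL = ["deny ip 10.0.1.99 0.0.0.0 0.0.0.0 255.255.255.255",
       "permit ip 10.0.1.0 0.0.0.255 0.0.0.0 255.255.255.255"]

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care', a 0 bit means 'must match'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_ace(line: str) -> dict:
    """Parse 'permit|deny ip SRC SRC_WC DST DST_WC [log]' (the subset used on this page)."""
    tok = line.split()
    action, _proto, src, src_wc, dst, dst_wc = tok[:6]
    return {"action": action, "src": src, "src_wc": src_wc, "dst": dst,
            "dst_wc": dst_wc, "log": "log" in tok[6:], "text": line}

def evaluate(acl: list[str], src: str, dst: str) -> tuple[str, str, bool]:
    """First matching entry wins; no match falls through to the implicit deny, which never logs."""
    for ace in map(parse_ace, acl):
        if (wildcard_match(src, ace["src"], ace["src_wc"])
                and wildcard_match(dst, ace["dst"], ace["dst_wc"])):
            return ace["action"], ace["text"], ace["log"]
    return "deny", "implicit deny ip any any", False

def permit_only_equivalent(subnet: str, excluded_host: str) -> list[str]:
    """Express 'everyone in subnet except one host' with permits only: one ACE per remaining prefix."""
    net = ipaddress.ip_network(subnet)
    host = ipaddress.ip_network(excluded_host + "/32")
    return [f"permit ip {p.network_address} {p.hostmask} 0.0.0.0 255.255.255.255"
            for p in net.address_exclude(host)]

if __name__ == "__main__":
    dst = "198.51.100.7"  # constructed destination (documentation range)
    for src in ("10.0.1.99", "10.0.1.5", "10.0.2.5"):
        print(src, "->", evaluate(ACL, src, dst))
    # Swapping the two lines silently defeats the exception: .99 now hits the permit first.
    print("reversed order:", evaluate(ACL[::-1], "10.0.1.99", dst))
    print(len(permit_only_equivalent("10.0.1.0/24", "10.0.1.99")), "permit-only entries needed")
```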