Hi John,
Cisco IOS Access Lists follow a "first match" rule. Processing of the list
exits at the first match. This typically means a 'top down' design, and
there is an understood 'deny all' at the end of each list. So they are
implicitly 'deny all', unless specifically permitted.
You can have two lists applied on an interface; one inbound, and one
outbound. I think in general usage it is one large access list per
interface.
Here are some good web pages with access-list discussion for reference:
Increasing Security on IP Networks
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ics/cs003.htm
Improving Security on Cisco Routers
http://www.cisco.com/warp/public/707/21.html
Characterizing and Tracing Packet Floods using Cisco Routers
http://www.cisco.com/warp/public/707/22.html
I hope that helps,
Lisa Napier
Product Security Incident Response Team
Cisco Systems
http://www.cisco.com/warp/public/707/sec_incident_response.shtml
At 09:27 AM 9/28/1999 -0500, [EMAIL PROTECTED] wrote:
>I'm modifying the access lists on a couple of my Cisco routers
>and have a question/problem I couldn't locate on the Cisco web
>site.
>
>I'm trying the approach of denying all, and then only allowing the
>ports I need.
>
>Do the access lists read from top down? i.e. put the allow statements
>first, and then the deny any at the end? Can you have multiple
>access lists on the same interface? Which takes precedence when
>there is a conflict? Is it standard practice to have one access list
>(maybe large) per interface?
>
>Thanks,
>
>John Monahan
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
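Added example, not part of Lisa's reply or of any Cisco code: a small Python model of the two behaviours the reply describes, top-down first-match evaluation and the implicit 'deny all' at the end of every list. It also shows why the "deny all first, then allow" ordering from the question never works under first-match semantics, and includes a check for entries that an earlier entry makes unreachable. The Entry fields are my own simplification of extended ACL syntax, and the sample lists and addresses are constructed (RFC 5737 documentation ranges), not taken from any real router.

```python
"""Model of the Cisco IOS access-list behaviour described in the reply:
entries are checked top-down, evaluation stops at the first match, and a
packet that matches nothing hits the implicit 'deny all' at the end.
Educational simplification only, not IOS code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Entry:
    """One line of a simplified extended ACL (assumed field layout)."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" (any protocol), "tcp", "udp" or "icmp"
    src: str                     # CIDR network, or "any"
    dst: str                     # CIDR network, or "any"
    dport: Optional[int] = None  # destination port; None means any port


def _net(spec: str):
    return ip_network("0.0.0.0/0") if spec == "any" else ip_network(spec)


def matches(e: Entry, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    """True if this entry applies to the packet (protocol, addresses, port)."""
    if e.proto != "ip" and e.proto != proto:
        return False
    if ip_address(src) not in _net(e.src) or ip_address(dst) not in _net(e.dst):
        return False
    return e.dport is None or e.dport == dport


def evaluate(acl: List[Entry], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First-match evaluation. Returns (action, index of the matching entry);
    index None means the packet fell through to the implicit deny."""
    for i, e in enumerate(acl):
        if matches(e, proto, src, dst, dport):
            return e.action, i
    return "deny", None


def covers(a: Entry, b: Entry) -> bool:
    """True if every packet that b would match is already matched by a."""
    return (a.proto in ("ip", b.proto)
            and _net(b.src).subnet_of(_net(a.src))
            and _net(b.dst).subnet_of(_net(a.dst))
            and (a.dport is None or a.dport == b.dport))


def shadowed_entries(acl: List[Entry]) -> List[int]:
    """Indices of entries that can never be reached because an earlier entry
    covers them; a non-empty result usually means the list is misordered."""
    return [j for j, later in enumerate(acl)
            if any(covers(earlier, later) for earlier in acl[:j])]


# Constructed sample lists (RFC 5737 documentation addresses).
# Layout the reply recommends: specific permits first, deny at the end.
GOOD_ACL = [
    Entry("permit", "tcp", "any", "192.0.2.10/32", 25),  # mail server
    Entry("permit", "tcp", "any", "192.0.2.20/32", 80),  # web server
    Entry("deny", "ip", "any", "any"),                   # same effect as the implicit deny
]
# The "deny all first, then allow" ordering from the question: with
# first-match semantics the permits below the deny are never consulted.
BAD_ACL = [
    Entry("deny", "ip", "any", "any"),
    Entry("permit", "tcp", "any", "192.0.2.10/32", 25),
    Entry("permit", "tcp", "any", "192.0.2.20/32", 80),
]

if __name__ == "__main__":
    pkt = ("tcp", "198.51.100.5", "192.0.2.10", 25)
    print("good list, smtp to mail server:", evaluate(GOOD_ACL, *pkt))
    print("bad list,  smtp to mail server:", evaluate(BAD_ACL, *pkt))
    print("good list without the explicit deny, telnet to mail server:",
          evaluate(GOOD_ACL[:2], "tcp", "198.51.100.5", "192.0.2.10", 23))
    print("unreachable entries in bad list:", shadowed_entries(BAD_ACL))
```

Running it shows the SMTP packet permitted by entry 0 of GOOD_ACL but denied by entry 0 of BAD_ACL, the telnet packet falling through to the implicit deny (index None) when no explicit deny is present, and both permits of BAD_ACL reported as shadowed. The shadow check is the kind of sanity test worth running on any list before it is applied to an interface.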