>more specifically with the following:
>
>
>ip access-list 10 deny host 192.168.1.19
>ip access-list 10 permit any
>ip access-group 10 in


This will deny packets sourced from the host 192.168.1.19 and will allow the
rest to pass through.

>I was recently told that the last line overrides any previous command.
>According to the Transcender info, the most restrictive security would be
>taken.


The last line applies the access list to an interface. If you are talking
about the line before the access group, then that does permit everything, but
keep in mind that access lists are always checked sequentially. If a match
occurs at any line, the appropriate action is taken and the list is no longer
traversed. So in this case packets with the source IP address 192.168.1.19
will match the first line and get denied immediately. Others will not match
the first line and will definitely match the second, as it is meant to match
every packet, so they will be permitted.

>How about something as obvious as this:
>
>ip access-list 10 deny host 192.168.1.19
>ip access-list 10 permit host 192.168.1.19
>ip access-group 10 in


This will disallow everything because there is an implicit deny all at the
end of an access list. Although you are permitting host 192.168.1.19 in the
second line, here also the sequential nature of the access list prevails;
as a consequence the packets sourced by this host will be denied.

Hope this helps.

Regards
Atif
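
The first-match evaluation and implicit deny described in this reply, as an added example that is not part of the original message: a small Python model of a standard (source-only) access list that also reports entries that can never match because an earlier entry covers them. The function names are hypothetical, the two lists are the ones quoted in the thread, and the wildcard handling assumes contiguous masks.

```python
import ipaddress

ACTIONS = ("permit", "deny")

def parse_entry(line):
    """Turn '... deny host A', '... permit any' or '... permit A WILDCARD' into (action, network)."""
    tokens = line.split()
    pos = next(i for i, t in enumerate(tokens) if t in ACTIONS)  # skip list name/number prefix
    action, spec = tokens[pos], tokens[pos + 1:]
    if spec == ["any"]:
        return action, ipaddress.ip_network("0.0.0.0/0")
    if len(spec) == 2 and spec[0] == "host":
        return action, ipaddress.ip_network(spec[1] + "/32")
    if len(spec) == 2:
        wild = int(ipaddress.IPv4Address(spec[1]))
        if wild & (wild + 1):  # assumption: only contiguous wildcard masks are modelled
            raise ValueError(f"non-contiguous wildcard in {line!r}")
        base = int(ipaddress.IPv4Address(spec[0])) & ~wild & 0xFFFFFFFF
        return action, ipaddress.ip_network((base, 32 - wild.bit_length()))
    raise ValueError(f"cannot parse {line!r}")

def evaluate(acl, src):
    """Return (action, matching line number); the first match wins and ends the search."""
    addr = ipaddress.ip_address(src)
    for number, (action, net) in enumerate(acl, 1):
        if addr in net:
            return action, number
    return "deny", None  # implicit deny at the end of every list

def shadowed(acl):
    """Return (line, covering_line) pairs for entries fully covered by an earlier entry."""
    found = []
    for i, (_, net) in enumerate(acl):
        for j in range(i):
            if net.subnet_of(acl[j][1]):
                found.append((i + 1, j + 1))
                break
    return found

# The two lists quoted in the thread (the interface 'access-group' line is not an entry).
LIST_A = [parse_entry(l) for l in ("ip access-list 10 deny host 192.168.1.19",
                                   "ip access-list 10 permit any")]
LIST_B = [parse_entry(l) for l in ("ip access-list 10 deny host 192.168.1.19",
                                   "ip access-list 10 permit host 192.168.1.19")]

if __name__ == "__main__":
    for name, acl in (("A", LIST_A), ("B", LIST_B)):
        for src in ("192.168.1.19", "192.168.1.20"):  # constructed test sources
            print(name, src, evaluate(acl, src))
        print(name, "shadowed entries:", shadowed(acl))
```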
