IP access-lists, or rather Cisco access-lists in general, are parsed from
top to bottom until a match is found.  The criterion used is "first match".
Given your examples:

ip access-list 10 deny host 192.168.1.19
ip access-list 10 permit any

A packet comes to the list from 10.0.0.1 -- first line is read, it is not
from 192.168.1.19.. no match.  So the next line is read.  The packet is
permitted.

Same list, but a packet enters from 192.168.1.19 -- first line is read, it
IS from 192.168.1.19.. it matches.  Packet denied, dumped in the bit bucket,
end of story.  The next line is never looked at.  This is why the order of
your rules in the access-list is important.. as is the placement of the
list.

Regards,
  Trevor Corness, MCSE MCP+I CCNA

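The first-match walk described above, worked through in code.  This is an added
example, not part of the original thread or of Cisco's own software: a small
Python model of a standard IP access-list that parses the entries exactly as
they are written in the thread (it also accepts the flat "access-list 10 ..."
form and "address wildcard" pairs), evaluates a source address top to bottom,
stops at the first matching line, and falls through to the implicit deny that
ends every Cisco access-list when nothing matches.  It also flags entries that
can never be reached because an earlier line already covers them, which is what
happens in the "deny host / permit host" list.  The sample lists and addresses
are constructed from the thread.

```python
"""First-match evaluation of a Cisco-style standard IP access-list.

Added example, not from the original thread.  Entries are parsed from the
flat text form used in the thread; the evaluation rule is the one described
in the reply: walk top to bottom, stop at the first entry whose address
pattern matches, and if nothing matches apply the implicit deny that ends
every Cisco access-list.
"""
from ipaddress import IPv4Address

ALL_ONES = 0xFFFFFFFF


def parse_ace(line):
    """Parse one access-control entry into (action, address, wildcard).

    Accepts 'ip access-list N ...' (as written in the thread),
    'access-list N ...', or a bare 'permit|deny ...' clause.
    The address part may be 'any', 'host A.B.C.D', or 'A.B.C.D W.X.Y.Z'
    (address plus Cisco wildcard mask, where 1 bits are don't-care).
    """
    tokens = line.split()
    if tokens[:2] == ["ip", "access-list"]:
        tokens = tokens[3:]
    elif tokens[:1] == ["access-list"]:
        tokens = tokens[2:]
    action = tokens[0]
    if action not in ("permit", "deny"):
        raise ValueError(f"unsupported action in {line!r}")
    if tokens[1] == "any":
        address, wildcard = 0, ALL_ONES
    elif tokens[1] == "host":
        address, wildcard = int(IPv4Address(tokens[2])), 0
    else:
        address = int(IPv4Address(tokens[1]))
        wildcard = int(IPv4Address(tokens[2])) if len(tokens) > 2 else 0
    return action, address, wildcard


def matches(src, address, wildcard):
    """True if src matches the entry: every bit that is 0 in the wildcard must agree."""
    return ((src ^ address) & ~wildcard & ALL_ONES) == 0


def evaluate(acl_lines, source_ip):
    """Return (action, line_number) of the first matching entry.

    line_number is None when only the implicit deny at the end applied.
    """
    src = int(IPv4Address(source_ip))
    for number, line in enumerate(acl_lines, start=1):
        action, address, wildcard = parse_ace(line)
        if matches(src, address, wildcard):
            return action, number       # first match wins; later lines are never read
    return "deny", None                 # implicit deny: no entry matched


def shadowed_entries(acl_lines):
    """Return (later, earlier) line-number pairs where the later entry can never be reached.

    Entry j is shadowed by an earlier entry i when every address j would
    match is already matched by i: j's don't-care bits are a subset of i's,
    and the two agree on every bit that i fixes.
    """
    parsed = [parse_ace(line) for line in acl_lines]
    result = []
    for j in range(1, len(parsed)):
        _, aj, wj = parsed[j]
        for i in range(j):
            _, ai, wi = parsed[i]
            if (wj & ~wi & ALL_ONES) == 0 and ((ai ^ aj) & ~wi & ALL_ONES) == 0:
                result.append((j + 1, i + 1))
                break
    return result


# Constructed inputs: the two lists from the thread, plus the first list
# with its two lines swapped to show why order matters.
CLAY_LIST = [
    "ip access-list 10 deny host 192.168.1.19",
    "ip access-list 10 permit any",
]
CONTRADICTORY_LIST = [
    "ip access-list 10 deny host 192.168.1.19",
    "ip access-list 10 permit host 192.168.1.19",
]
REVERSED_LIST = list(reversed(CLAY_LIST))

if __name__ == "__main__":
    cases = (("original", CLAY_LIST),
             ("contradictory", CONTRADICTORY_LIST),
             ("reversed", REVERSED_LIST))
    for name, acl in cases:
        for src in ("10.0.0.1", "192.168.1.19"):
            print(f"{name:14} {src:>13} -> {evaluate(acl, src)}")
        print(f"{name:14} shadowed entries: {shadowed_entries(acl)}")
```

Running it shows the three outcomes the thread is about: in the original list
192.168.1.19 is denied by line 1 and 10.0.0.1 is permitted by line 2; in the
"deny host / permit host" list the deny on line 1 wins and the permit on line 2
is reported as unreachable, while 10.0.0.1 matches nothing and is dropped by the
implicit deny; with the lines swapped, "permit any" on line 1 catches
192.168.1.19 before the deny is ever read.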

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Clay Stuckey
Sent: August 23, 2000 8:25 AM
To: Group Study
Subject: what criteria does an access-list use when there is a
contradiction?


more specifically with the following:


ip access-list 10 deny host 192.168.1.19
ip access-list 10 permit any
ip access-group 10 in

I was recently told that the last line overrides any previous command.
According to the Transcender info, the most restrictive security would be
taken.


How about something as obvious as this:

ip access-list 10 deny host 192.168.1.19
ip access-list 10 permit host 192.168.1.19
ip access-group 10 in



Thanks,
Clay Stuckey - MCSE


for my resume, go to http://24.17.223.89/clay/clayres3.doc

___________________________________
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]