David,
you got it backwards.....
Line 2 will never be evaluated, as the first time through ALL IP packets
will get dropped.
Please enlighten us as to how any web traffic would get through?
piranha.....
>From: "David Ishmael" <[EMAIL PROTECTED]>
>Reply-To: <[EMAIL PROTECTED]>
>To: "'Dave Vogler'" <[EMAIL PROTECTED]>, "'firewall discussion list'" <[EMAIL PROTECTED]>
>Subject: RE: Cisco access list technique
>Date: Tue, 1 May 2001 10:28:10 -0400
>
>Dave,
>
>Cisco ACLs work in a top-down, first-match-wins fashion. For example:
>
>permit ip any any
>deny ip any any
>
>In the above example, nothing would get denied because all packets match the
>first rule. The rule of thumb is to deny everything, then permit only what
>you want:
>
>deny ip any any
>permit tcp any any eq 80
>
>Try to avoid using the logging function whenever you can. I usually use it
>when verifying that the rules are working correctly then I remove the
>logging. Logging as well as packet matching can put a heavy strain on
>low-end routers with minimal amounts of RAM. The performance hit I saw was
>about 5-15% load on my router with two T1s fully loaded with traffic. Hope
>this helps...
>
>David Ishmael, CCNA, IVCP
>Senior Network Management Engineer
>Windward Consulting Group, Inc.
>Phone: (703) 283-7564
>Pager: (888) 910-7094
>eFax: (425) 969-4707
>Fax: (703) 351-9428
>mailto:[EMAIL PROTECTED]
>mailto:[EMAIL PROTECTED]
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED]]On Behalf Of Dave Vogler
>Sent: Tuesday, May 01, 2001 9:41 AM
>To: firewall discussion list
>Subject: Cisco access list technique
>
>
>Hi all,
>
>I'm a bit of a newbie to my Cisco router, but I'm attempting to set up
>an access list to firewall my LAN from the internet.
>Is there a preferred order for my permit and deny statements? I've
>heard that it's best to put all your permit statements first, then your
>denies.... will this affect throughput speed? Are packets substantially
>slowed down because the router has to examine every one?
>And if an access list implicitly denies all that are not permitted, why
>even bother with deny statements?
>
>Thanks in advance,
>
>Dave Vogler
>
>
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
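The following is an added illustration, not code from anyone in this thread. It models the first-match, top-down semantics David describes, including the implicit deny at the end of every access list that Dave asked about, and adds a shadowing check that reports the problem piranha points out: an entry that can never match because an earlier entry already covers every packet it would match. The rule syntax is a deliberately small subset assumed for the example (only `any any` source/destination, the protocols `ip`/`tcp`/`udp`/`icmp`, and an optional `eq <port>` destination-port qualifier); real IOS ACLs support far more.

```python
"""First-match ACL evaluation and shadowed-entry detection (added example).

Assumes a simplified subset of Cisco-style ACL entries:
  permit|deny <proto> any any [eq <port>]
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Only the fields this subset of ACL syntax can test."""
    proto: str                      # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None  # None for protocols without ports


@dataclass(frozen=True)
class Entry:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches any protocol
    dst_port: Optional[int] = None  # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        return self.dst_port is None or self.dst_port == pkt.dst_port

    def covers(self, other: "Entry") -> bool:
        """True if every packet matching `other` also matches this entry."""
        proto_ok = self.proto == "ip" or self.proto == other.proto
        port_ok = self.dst_port is None or self.dst_port == other.dst_port
        return proto_ok and port_ok


def parse_entry(line: str) -> Entry:
    """Parse 'permit tcp any any eq 80' or 'deny ip any any' (simplified syntax)."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"unsupported entry: {line!r}")
    action, proto = tokens[0], tokens[1]
    if tokens[2:4] != ["any", "any"]:
        raise ValueError("only 'any any' source/destination is modelled")
    if len(tokens) == 4:
        return Entry(action, proto, None)
    if len(tokens) == 6 and tokens[4] == "eq":
        return Entry(action, proto, int(tokens[5]))
    raise ValueError(f"unsupported qualifier in {line!r}")


def evaluate(acl: List[str], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the list top down; the first match decides.

    Returns (decision, line number). No match means the implicit deny
    at the end of the list, reported with line None.
    """
    for lineno, text in enumerate(acl, start=1):
        entry = parse_entry(text)
        if entry.matches(pkt):
            return entry.action, lineno
    return "deny", None


def shadowed_lines(acl: List[str]) -> List[int]:
    """Line numbers of entries that can never match because an earlier entry covers them."""
    entries = [parse_entry(t) for t in acl]
    shadowed = []
    for i, later in enumerate(entries):
        if any(earlier.covers(later) for earlier in entries[:i]):
            shadowed.append(i + 1)
    return shadowed


# Constructed ACLs: the order as posted in the thread, and the order that
# actually lets web traffic through before the catch-all deny.
AS_POSTED = ["deny ip any any", "permit tcp any any eq 80"]
CORRECTED = ["permit tcp any any eq 80", "deny ip any any"]

# Constructed sample packets.
WEB = Packet("tcp", 80)
SSH = Packet("tcp", 22)
PING = Packet("icmp")

if __name__ == "__main__":
    for name, acl in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(f"{name}: shadowed lines = {shadowed_lines(acl)}")
        for pkt in (WEB, SSH, PING):
            print(f"  {pkt} -> {evaluate(acl, pkt)}")
```

Running it shows the posted order denying the web packet on line 1 and flagging line 2 as shadowed, while the corrected order permits port 80 on line 1 and denies everything else on line 2. A single `permit` with no explicit `deny` gives the same deny result for non-matching packets, just with no line to point at, which is the practical reason many people still write the explicit `deny ip any any` as a last entry: it gives a visible place to attach `log` while troubleshooting, at the performance cost David mentions.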