Thats what I thought at first. But if the permit comes first, then packets with valid source addresses (a.b.c.d) get out because they pass that rule. So a packet built like: Source-> a.b.c.d Dest-> 172.17.0.0 will get out and be passed to the ISP, wasting bandwidth. Thats why I deny them first, and then do the permit later on in the list.

On Tue, 12 Aug 1997, C. Jon Larsen wrote:

...

gw-internet#show access-lists 120 Extended IP access list 120 deny ip any 10.0.0.0 0.255.255.255 log deny ip any 172.16.0.0 0.0.255.255 log deny ip any 172.17.0.0 0.0.255.255 log deny ip any 192.168.0.0 0.0.255.255 log permit ip a.b.c.0 0.0.0.255 any (27429 matches) deny ip any any log

Aren't the first 4 deny's redundant? Using access-lists, I was under the impression, there was an implicit deny at the end, such that all you'd need is a single permit line above, and optionally the last deny so you get to log violations.

------------------------------------------------------------------ Jon Lewis <jlewis@fdt.net> | Unsolicited commercial e-mail will Network Administrator | be proof-read for $199/message. Florida Digital Turnpike | ______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key____

Linux. +-------------------+---------------------+ | C. Jon Larsen | jlarsen@ajtech.com | | Systems Engineer | Tel: 804.353.2800 | | A&J Technologies | | |-------------------+---------------------| | http://www.ajtech.com | +-----------------------------------------+