User Manual
ACL Basics
372 Enterasys X-Pedition User Reference Manual
If you were to reverse the order of the two rules:
all TCP packets would be allowed to go through, including traffic from subnet 10.2.0.0/16. This is
because TCP traffic coming from 10.2.0.0/16 would match the first rule and be allowed to go
through. The second rule would not be looked at since the first match determines the action taken
on the packet.
Implicit Deny Rule
At the end of each ACL, the system automatically appends an implicit deny rule. This implicit deny
rule denies all traffic. For a packet that doesn’t match any of the user-specified rules, the implicit
deny rule acts as a catch-all rule. All packets match this rule.
This is done for security reasons. If an ACL is misconfigured, and a packet that should be allowed
to go through is blocked because of the implicit deny rule, the worst that could happen is
inconvenience. On the other hand, if a packet that should not be allowed to go through is instead
sent through, there is now a security breach. Thus, the implicit deny rule serves as a line of defense
against accidental misconfiguration of ACLs.
To illustrate how the implicit deny rule is used, consider the following ACL:
With the implicit deny rule, this ACL actually has three rules:
If a packet comes in and doesn't match the first two rules, the packet is dropped. This is because the
third rule (the implicit deny rule) matches all packets.
Although the implicit deny rule may seem obvious in the above example, this is not always the
case. For example, consider the following ACL rule:
acl 101 permit tcp any any any any
acl 101 deny tcp 10.2.0.0/16 any any any
acl 101 permit ip 1.2.3.4/24
acl 101 permit ip 4.3.2.1/24 any nntp
acl 101 permit ip 1.2.3.4/24 any any any
acl 101 permit ip 4.3.2.1/24 any nntp any
acl 101 deny any any any any any
acl 102 deny ip 10.1.20.0/24 any any any