As a general rule, when working with Access Control Lists (ACLs), the last line of the file should...
- Contain a full stop [Explicitly deny].
- Implicitly allow all.
- Be an implicit deny.
- Only allow you.
EXPLANATION
If you explicitly deny all traffic with an EtherType ACE, IP and ARP traffic is denied; only physical-protocol traffic, such as auto-negotiation, is still allowed.
The file can contain blank lines.
A general deny is applied automatically as the last rule.
To make it obvious, an explicit deny should be entered anyway as the last rule. The rules are checked sequentially from the “top down”. The first relevant rule determines the result (“first match”).