How to use access list permit statements while creating the access lists
While creating an access list, we have to make sure that we are using the correct permit and deny statements. In case we have misconfigured the statements then the access list will not work as required.
It is very important to place the statements in right place to make the access list work properly.
In every access list, most of the times we start the configuration with deny statements and then we have to permit everything that we don’t want to restrict.
We have to use the permit statement because there is an explicit invisible deny at the end of every access list on the Cisco device which means that everything will be denied if we have not specifically permitted it in the permit statements so ‘permit any’ statements enables all traffic that we don’t want to block.
As the access list statements are read from top to bottom, the ‘access list permit any’ statement allows all traffic before it can be blocked by the access list with an invisible deny statement.
Let us discuss the following commands with permit rules.
The below permit statement is for a standard access list in which any refers to any source address so this command will allow traffic from all sources.
access list permit any
Below ‘permit statement’ is from the extended access list where traffic is permitted from any source to any destination.
access list 100 permit ip any any
There is one scenario in which we don’t use permit any statements like as below
If we don’t want to allow all traffic but only a few hosts then we can use permit statements for that specific hosts and deny statements are not required as invisible deny will block the rest of the traffic.
E.g. – In one organization of 500 hosts, only one host should be allowed to telnet into the router then we will enter the permit statement for that host, and no other configuration is required as invisible deny will block the traffic from every other host.
In another case, we want 480 hosts to access the internet except for the 20 hosts. To achieve this, we will enter deny statement in the access list to block 20 hosts from accessing the internet however as invisible deny will block the access to the rest of the hosts so to prevent that, we have to enter the access list to permit any statement.