If the provided ACEs are in the same ACL, which ACE should be listed first in the ACL according to best practice?

Last Updated on April 28, 2021 by Admin

  • permit ip any any
  • permit udp 172.16.0.0 0.0.255.255 host 172.16.1.5 eq snmptrap
  • permit tcp 172.16.0.0 0.0.3.255 any established
  • permit udp any any range 10000 20000
  • deny udp any host 172.16.1.5 eq snmptrap
  • deny tcp any any eq telnet
Answers Explanation & Hints:

A best practice for configuring an extended ACL is to ensure that the most specific ACE is placed higher in the ACL. Consider the two permit UDP statements. If both of these were in an ACL, the SNMP ACE is more specific than the UDP statement that permits a range of 10,001 UDP port numbers. The SNMP ACE would be entered before the other UDP ACE. The ACEs from most specific to least specific are as follows:

  • permit udp 172.16.0.0 0.0.255.255 host 172.16.1.5 eq snmptrap
  • deny udp any host 172.16.1.5 eq snmptrap
  • permit tcp 172.16.0.0 0.0.3.255 any established
  • deny tcp any any eq telnet
  • permit udp any any range 10000 20000
  • permit ip any any
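The reason ordering matters is that an IOS ACL is evaluated top-down and the first matching ACE wins, so a broad entry placed too early hides ("shadows") every narrower entry below it. The script below is an added example, not part of the original page: it parses the six ACEs above with a small evaluator for the subset of extended-ACL syntax they use, checks each ordering for shadowed entries, and runs constructed sample packets through both the recommended order and an order with `permit ip any any` at the top. Assumed: `snmptrap` and `telnet` map to their standard port numbers 162 and 23, the sample addresses (including the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges) are made up, and `established` is modelled simply as a flag on the packet.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed: standard IANA port numbers behind the two keywords used on the page.
PORT_NAMES = {"snmptrap": 162, "telnet": 23}

@dataclass(frozen=True)
class Ace:
    action: str                        # "permit" or "deny"
    proto: str                         # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: Optional[Tuple[int, int]]  # inclusive destination-port range; None = any port
    established: bool                  # "established" keyword (TCP with ACK or RST set)

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int = 0
    established: bool = False

def _parse_addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' (Cisco wildcard mask)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    # A wildcard mask is the bitwise inverse of a subnet mask.  Only contiguous
    # wildcards are handled here; a discontiguous one makes ip_network() raise.
    wildcard = int(ipaddress.IPv4Address(t[i + 1]))
    netmask = str(ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF))
    return ipaddress.ip_network((t[i], netmask), strict=False), i + 2

def parse_ace(line: str) -> Ace:
    """Parse one extended ACE of the shape used on the page (destination ports only)."""
    t = line.split()
    action, proto = t[0], t[1]
    src, i = _parse_addr(t, 2)
    dst, i = _parse_addr(t, i)
    dports, established = None, False
    while i < len(t):
        if t[i] == "eq":
            p = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
            dports, i = (p, p), i + 2
        elif t[i] == "range":
            dports, i = (int(t[i + 1]), int(t[i + 2])), i + 3
        elif t[i] == "established":
            established, i = True, i + 1
        else:
            raise ValueError("unsupported keyword: " + t[i])
    return Ace(action, proto, src, dst, dports, established)

def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto not in ("ip", pkt.proto):
        return False
    if ipaddress.IPv4Address(pkt.src) not in ace.src or ipaddress.IPv4Address(pkt.dst) not in ace.dst:
        return False
    if ace.dports and not ace.dports[0] <= pkt.dport <= ace.dports[1]:
        return False
    return pkt.established or not ace.established

def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First match wins; the implicit 'deny ip any any' at the end is reported as index None."""
    for idx, ace in enumerate(acl):
        if matches(ace, pkt):
            return ace.action, idx
    return "deny", None

def covers(outer: Ace, inner: Ace) -> bool:
    """True when every packet that matches `inner` would already have matched `outer`."""
    ports_ok = outer.dports is None or (
        inner.dports is not None
        and outer.dports[0] <= inner.dports[0] and inner.dports[1] <= outer.dports[1])
    return (outer.proto in ("ip", inner.proto)
            and inner.src.subnet_of(outer.src) and inner.dst.subnet_of(outer.dst)
            and ports_ok and (not outer.established or inner.established))

def shadowed(acl: List[Ace]) -> List[Tuple[int, int]]:
    """(earlier, later) index pairs where one earlier ACE makes the later one unreachable.
    Shadowing by the union of several earlier ACEs is not detected."""
    return [(i, j) for j in range(len(acl)) for i in range(j) if covers(acl[i], acl[j])]

# The six ACEs from the page, in the order the answer key gives.
RECOMMENDED = [parse_ace(s) for s in (
    "permit udp 172.16.0.0 0.0.255.255 host 172.16.1.5 eq snmptrap",
    "deny udp any host 172.16.1.5 eq snmptrap",
    "permit tcp 172.16.0.0 0.0.3.255 any established",
    "deny tcp any any eq telnet",
    "permit udp any any range 10000 20000",
    "permit ip any any",
)]
# The same ACEs with the least specific entry moved to the top.
MISORDERED = [RECOMMENDED[-1]] + RECOMMENDED[:-1]

# Constructed sample traffic (192.0.2.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLES = {
    "snmp trap from inside":  Packet("udp", "172.16.20.9", "172.16.1.5", 162),
    "snmp trap from outside": Packet("udp", "10.1.1.1", "172.16.1.5", 162),
    "new telnet session":     Packet("tcp", "172.16.1.10", "192.0.2.7", 23),
    "return tcp traffic":     Packet("tcp", "172.16.2.1", "198.51.100.5", 443, True),
    "dns query":              Packet("udp", "172.16.9.9", "198.51.100.53", 53),
}

if __name__ == "__main__":
    for name, acl in (("recommended", RECOMMENDED), ("misordered", MISORDERED)):
        print(f"{name}: shadowed (earlier, later) pairs = {shadowed(acl)}")
        for label, pkt in SAMPLES.items():
            action, idx = evaluate(acl, pkt)
            print(f"  {label:24} -> {action} (ACE {idx})")
```

In the recommended order `shadowed()` finds nothing and the trap from outside 172.16.0.0/16 is stopped by the second ACE, whereas with `permit ip any any` first every other entry is reported as unreachable and that same trap, along with a new Telnet session, is permitted by ACE 0. The shadow check is the test worth running before pushing any ACL change: a later ACE that a single earlier one fully covers is dead configuration, and if the two have opposite actions the policy silently does the opposite of what the later line says.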