
Access List Question?


grasscutter

Technical User
Jul 26, 2006
10
GB
Hello There,

I have a question about access-lists.

I have a running config of a router and I have included part of the access-list as shown below...

access-list 100 deny ip 198.33.20.0 0.0.0.255 any
access-list 100 deny ip host 198.33.20.174 197.33.20.0 0.0.0.255
access-list 100 permit ip host 198.33.20.174 any eq www
access-list 100 permit ip host 198.33.20.174 any

...This is the correct order of commands and I believe that since line 1 is set to deny access for any pc in the 198.33.20.0 network to anywhere surely this means that lines 2, 3 and 4 are not used!

My question is, since ip access from any device on the 198.22.20.0 network has been blocked on line 1, does this mean that lines 3 and 4 permitting ip host 198.22.20.174 any access will not even be reached and can therefore be deleted?

Regards,

Grasscutter.
 
As you say, access lists work sequentially. All packets from the network 198.33.20.0/24 network will be matched against the first deny statement thus making all the other statements relating to this network obsolete.

Your options are therefore to modify ACL 100 to just have the single deny statement (line 1) or jig the access list such that the more specific deny (line 2) and the permits (lines 3 and 4) are placed above line 1 (depends if you want the 198.33.20.0/24 to have any access at all on the device in question).
 