ACL - implicit deny

Answered Question
Jan 21st, 2008

Hi,

Could you confirm I CAN'T do that:

access-list 101 deny 10.1.1.0 0.255.255.255

access-list 101 deny 10.1.2.0 0.255.255.255

access-list 102 permit any

I am worried about the implicit deny at the end ...

In fact I have a lot of subnets I would like to permit to another subnet. So I was wondering if I could only deny the subnet I want and then permit all the other ones.

I hope I am clear enough.

cheers


royalblues Mon, 01/21/2008 - 02:29

Your access-list seems to be correct if you just want to deny the traffic from 10.1.1.0/24 and 10.1.2.0/24 and permit all other subnets

Remember that access-lists are always processed in sequence.

So once the access-list reaches the permit any line, all the subnets will be matched and no traffic will end up hitting the implicit deny at the end.

HTH

Narayan

Jon Marshall Mon, 01/21/2008 - 02:32

Hi

I'm not sure what you are trying to do here. There are a couple of things that need explanation

1) Your denies are using access-list 101 and then your permit is using 102. Is this a typo?

2) You are using extended access-list numbers so you need source and destination subnets. If you just want to use one subnet as in the above statements, use an access-list of 1 -> 99.

That said, you can have denies in your acl and then a permit. The implicit deny comes right at the end so you can do what I think you are trying to do.

Jon

royalblues Mon, 01/21/2008 - 02:39

Yes Jon is correct...

I never saw that you are using extended access-list numbers.

Your access-list numbers should be the same for what you are trying to do, and if they are extended they need to have source as well as destination.

Narayan

shrikar.dange Mon, 01/21/2008 - 02:38

hi,

Yes sure you can do this kind of configuration.

You have to give the permit any statement under ACL 101 instead of 102; then the above-mentioned subnets will be denied and the rest of the subnets will be permitted.

Plus, use a standard access-list if possible; it is much easier to configure.

The inverse mask you have used is not correct here....

If you typed it that way then the second entry is meaningless: all the subnets starting with 10.x.x.x will be denied!!!

Use 0.0.0.255; then the ACL will be matched on the first 3 octets, and if it is matched those subnets will be denied.

Use following config:

access-list 11 deny 10.1.1.0 0.0.0.255

access-list 11 deny 10.1.2.0 0.0.0.255

access-list 11 permit any

HTH,

regards,

shri :)

trombidz1 Mon, 01/21/2008 - 02:49

Correct, I made a typo, it's acl 101

and I also made a mistake with the wildcard mask.

I had a problem understanding the implicit deny at the end of any acl.

access-list 11 deny 10.1.1.0 0.0.0.255

access-list 11 deny 10.1.2.0 0.0.0.255

access-list 11 permit any

access-list 11 deny all (implicit)

As it works in sequence, I understand now.

Many thanks to all of you

shrikar.dange Mon, 01/21/2008 - 02:54

hi

For my above post:

Here I have assumed that you have configured two access-lists as 101 and 102 & are applying them as per your topology, and that you have missed typing the destination network. Still, the inverse mask you have configured does not make any sense!!!

One more point: a standard access-list filters traffic based only on the source address, so put that acl as close to the source as possible. The extended access-list can check source IP, destination IP as well as L4 info.

HTH,

regards,

shri :)

** EDIT: Hi Tom, sorry, I was typing when you posted your recent reply!!! Anyway, it was nice that I was able to help you. And thank you for the rating. :)

trombidz1 Mon, 01/21/2008 - 03:17

OK, I'll explain it better and start again:

Imagine I have 6 subnets (in fact I have more, and this is why I would like to start my ACL with the subnets I want to deny ...)

So :

1 for VLAN LIVE env 10.1.1.0/24

1 for VLAN UAT env 10.1.2.0/24

1 for VLAN DEV env 10.1.3.0/24

1 for VLAN DR env 10.1.4.0/24

1 for VLAN WAN env 10.1.5.0/24

1 for VLAN PRINTER env 10.1.6.0/24

I would like to isolate the LIVE traffic and only allow it to send data to WAN and PRINTER, for example.

So I was thinking of putting this access-list on the subnet LIVE:

access-list 11 deny 10.1.2.0 0.255.255.255

access-list 11 deny 10.1.3.0 0.255.255.255

access-list 11 deny 10.1.4.0 0.255.255.255

access-list 11 permit any

access-list 11 deny all (implicit)

In that case I stop traffic from UAT, DEV, DR and allow all the rest (WAN, PRINTER ...).

So that should work, shouldn't it?

Correct Answer
Jon Marshall Mon, 01/21/2008 - 03:20

Hi

access-list 101 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255

access-list 101 deny ip 10.1.1.0 0.0.0.255 10.1.3.0 0.0.0.255

access-list 101 deny ip 10.1.1.0 0.0.0.255 10.1.4.0 0.0.0.255

access-list 101 permit ip 10.1.1.0 0.0.0.255 any

Then on the L3 interface for Live

vlan10

ip access-group 101 in

** Edit - depending on how many subnets you have you may want to write the access-list differently. If you are denying Live to more subnets than you are permitting it to then you would probably rewrite the above acl as

access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.5.0 0.0.0.255

access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.6.0 0.0.0.255

access-list 101 deny ip 10.1.1.0 0.0.0.255 any

Jon

trombidz1 Mon, 01/21/2008 - 03:26

thanks

Regarding your edit, it would be easier to start with the denied subnets as I have too many to allow.

Also, would it be more intelligent if I used a standard acl?

Was my wildcard mask wrong as well?

sorry....

Jon Marshall Mon, 01/21/2008 - 03:29

Hi

For what you require you need to use extended access-lists because you are making a decision to allow or drop traffic based on both the source and destination IP addresses.

Yes, your inverse masks were incorrect.

10.1.1.0/24 = 10.1.1.0 255.255.255.0 = inverse 10.1.1.0 0.0.0.255

Jon
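The three points the thread turns on (access-list entries are evaluated top-down and the first match wins, anything that matches no entry hits the implicit deny, and a wildcard mask of 0.255.255.255 pins only the first octet so it matches every 10.x.x.x address) can be checked with a small evaluator. The block below is an added example, not configuration or code from this thread or from Cisco; it models only the numbered-ACL syntax that appears above (standard lists 1-99 matching on source only, extended lists 100-199 with the `ip` keyword, `any`, `host`, and address plus wildcard pairs), ignores ports, named ACLs and the direction the list is applied in, and the function names (`parse_acls`, `evaluate`, `wildcard_match`, `inverse_mask`) are my own. The two access-lists fed to it are copied from trombidz1's post with the wrong mask and from Jon Marshall's extended list 101.

```python
# Added example, not from the thread: a small evaluator for the numbered
# IOS-style access-lists discussed above. It models only the syntax that
# appears in the thread (standard lists 1-99 matching on source only,
# extended lists 100-199 with the 'ip' protocol keyword, 'any', 'host',
# and address + wildcard pairs) and ignores ports and named ACLs.
import ipaddress
import re

ACL_LINE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(.*)$")
DOTTED = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit means 'don't care', a 0 bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return (a & care) == (b & care)


def inverse_mask(prefix):
    """10.1.1.0/24 -> ('10.1.1.0', '0.0.0.255'), the conversion in Jon's last reply."""
    net = ipaddress.ip_network(prefix, strict=False)
    return str(net.network_address), str(net.hostmask)


def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D [W.W.W.W]'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ("0.0.0.0", "255.255.255.255")
    if tok == "host":
        return (tokens.pop(0), "0.0.0.0")
    wildcard = "0.0.0.0"            # a bare address means a single host
    if tokens and DOTTED.match(tokens[0]):
        wildcard = tokens.pop(0)
    return (tok, wildcard)


def parse_acls(config):
    """Return {number: [(action, (src, src_wc), (dst, dst_wc)), ...]} in config order."""
    acls = {}
    for line in config.splitlines():
        m = ACL_LINE.match(line.strip())
        if not m:
            continue
        number, action, rest = int(m.group(1)), m.group(2), m.group(3).split()
        if 100 <= number <= 199:
            rest.pop(0)             # protocol keyword; only 'ip' is modelled here
            src = _take_addr(rest)
            dst = _take_addr(rest)
        else:
            src = _take_addr(rest)  # standard ACL: source address only
            dst = ("0.0.0.0", "255.255.255.255")
        acls.setdefault(number, []).append((action, src, dst))
    return acls


def evaluate(entries, src_ip, dst_ip):
    """Top-down, first match wins; returns (action, 1-based entry index) or the implicit deny."""
    for index, (action, (sb, sw), (db, dw)) in enumerate(entries, start=1):
        if wildcard_match(src_ip, sb, sw) and wildcard_match(dst_ip, db, dw):
            return (action, index)
    return ("deny", None)           # the implicit deny at the end of every ACL


# Constructed inputs copied from the thread: the standard list with the wrong
# wildcard mask, and Jon Marshall's extended list 101.
WRONG_MASK_ACL = """
access-list 11 deny 10.1.2.0 0.255.255.255
access-list 11 deny 10.1.3.0 0.255.255.255
access-list 11 deny 10.1.4.0 0.255.255.255
access-list 11 permit any
"""

JON_ACL = """
access-list 101 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 101 deny ip 10.1.1.0 0.0.0.255 10.1.3.0 0.0.0.255
access-list 101 deny ip 10.1.1.0 0.0.0.255 10.1.4.0 0.0.0.255
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
"""


def demo():
    wrong = parse_acls(WRONG_MASK_ACL)[11]
    jon = parse_acls(JON_ACL)[101]
    return {
        # 0.255.255.255 only pins the first octet, so WAN (10.1.5.0/24) hits entry 1 too
        "wrong_mask_wan": evaluate(wrong, "10.1.5.10", "10.1.1.10"),
        # ... and DEV never reaches its own entry 2; entry 1 already caught it
        "wrong_mask_dev": evaluate(wrong, "10.1.3.7", "10.1.1.10"),
        "live_to_uat": evaluate(jon, "10.1.1.10", "10.1.2.20"),
        "live_to_wan": evaluate(jon, "10.1.1.10", "10.1.5.20"),
        # a source that no entry mentions falls through to the implicit deny
        "other_source": evaluate(jon, "10.1.2.20", "10.1.1.10"),
        "live_inverse_mask": inverse_mask("10.1.1.0/24"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} -> {result}")
```

Running it shows why the rewritten list matters: with the 0.255.255.255 mask every packet from 10.x.x.x stops at entry 1, so the second and third entries never match anything, whereas with Jon's 0.0.0.255 masks Live-to-UAT is denied by entry 1, Live-to-WAN is permitted by the final `permit ip 10.1.1.0 0.0.0.255 any`, and a packet from any other source matches nothing and is dropped by the implicit deny that the thread is asking about.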

Posted January 21, 2008 at 2:25 AM