ACL - implicit deny

Answered Question
Jan 21st, 2008

Hi,

Could you confirm I CAN'T do that:

access-list 101 deny 10.1.1.0 0.255.255.255

access-list 101 deny 10.1.2.0 0.255.255.255

access-list 102 permit any


I am worried about the implicit deny at the end ...

In fact I have a lot of subnets I would like to permit to another subnet. So I was wondering if I could only deny the subnets I want and then permit all the other ones.

I hope I am clear enough.


cheers




royalblues Mon, 01/21/2008 - 02:29
User Badges:
  • Green, 3000 points or more

Your access-list seems to be correct if you just want to deny the traffic from 10.1.1.0/24 and 10.1.2.0/24 and permit all other subnets.


Remember that access-lists are always processed in sequence.


So once the access-list reaches the permit any line, all the subnets will be matched and no traffic will end up hitting the implicit deny at the end of the access-list.


HTH

Narayan


Jon Marshall Mon, 01/21/2008 - 02:32
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame, Founding Member
  • Cisco Designated VIP, 2017 LAN, WAN

Hi


I'm not sure what you are trying to do here. There are a couple of things that need explanation.


1) Your denies are using access-list 101 and then your permit is using 102. Is this a typo?


2) You are using extended access-list numbers, so you need source and destination subnets. If you just want to use one subnet as in the above statements, use an access-list from 1 -> 99.


That said, you can have denies in your acl and then a permit. The implicit deny comes right at the end, so you can do what I think you are trying to do.


Jon

royalblues Mon, 01/21/2008 - 02:39
User Badges:
  • Green, 3000 points or more

Yes Jon is correct...


I never saw that you are using extended access-list numbers.


Your access-list numbers should be the same for what you are trying to do, and if they are extended they need to have a source as well as a destination.


Narayan

shrikar.dange Mon, 01/21/2008 - 02:38
User Badges:
  • Bronze, 100 points or more

hi,


Yes sure you can do this kind of configuration.

You have to give the permit any statement under ACL 101 instead of 102; then the above-mentioned subnets will be denied and the rest of the subnets will be permitted.

Plus, use a standard access-list if possible; it is much easier to configure.

The inverse mask you have used is not correct here....

If you typed it that way, then the second entry is meaningless: all the subnets starting with 10.x.x.x will be denied!!!

Use 0.0.0.255; then the ACL will be matched on the first 3 octets, and if it is matched those subnets will be denied.


Use following config:


access-list 11 deny 10.1.1.0 0.0.0.255

access-list 11 deny 10.1.2.0 0.0.0.255

access-list 11 permit any


HTH,


regards,

shri :)





trombidz1 Mon, 01/21/2008 - 02:49

Correct, I made a typo; it's acl 101.

And I also made a mistake with the wildcard mask.

I had a problem understanding the implicit deny at the end of any acl.


access-list 11 deny 10.1.1.0 0.0.0.255

access-list 11 deny 10.1.2.0 0.0.0.255

access-list 11 permit any

access-list 11 deny all ( implicit )


As it works in sequence, I understand now.


Many thanks to all of you



shrikar.dange Mon, 01/21/2008 - 02:54
User Badges:
  • Bronze, 100 points or more

hi

For my above post:

Here I have assumed that you have configured two access-lists as 101 and 102 and are applying them as per your topology, and that you have missed typing the destination network. Still, the inverse mask you have configured does not make any sense!!!


One more point: a standard access-list filters traffic based only on the source address, so put that acl as close to the source as possible. The extended access-list can check source IP and destination IP as well as L4 info.



HTH,


regards,


shri :)


** EDIT: Hi Tom, sorry, I was typing when you posted your recent reply!!! Anyway, it was nice that I was able to help you. And thank you for the rating. :)

trombidz1 Mon, 01/21/2008 - 03:17

OK, I'll explain it better and start again:


Imagine I have 6 subnets (in fact I have more, and this is why I would like to start my ACL with the subnets I want to deny ...)

So :


1 for VLAN LIVE env 10.1.1.0/24

1 for VLAN UAT env 10.1.2.0/24

1 for VLAN DEV env 10.1.3.0/24

1 for VLAN DR env 10.1.4.0/24

1 for VLAN WAN env 10.1.5.0/24

1 for VLAN PRINTER env 10.1.6.0/24


I would like to isolate the LIVE traffic and only allow it to send data to WAN and PRINTER, for example.


So I was thinking of putting this access list on the subnet LIVE:


access-list 11 deny 10.1.2.0 0.255.255.255

access-list 11 deny 10.1.3.0 0.255.255.255

access-list 11 deny 10.1.4.0 0.255.255.255

access-list 11 permit any

access-list 11 deny all ( implicit )



In that case I stop traffic from UAT, DEV, DR and allow all the rest (WAN, PRINTER ...).



So that should work, shouldn't it?


Correct Answer
Jon Marshall Mon, 01/21/2008 - 03:20
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame, Founding Member
  • Cisco Designated VIP, 2017 LAN, WAN

Hi


access-list 101 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255

access-list 101 deny ip 10.1.1.0 0.0.0.255 10.1.3.0 0.0.0.255

access-list 101 deny ip 10.1.1.0 0.0.0.255 10.1.4.0 0.0.0.255

access-list 101 permit ip 10.1.1.0 0.0.0.255 any


Then on the L3 interface for Live


interface vlan10

ip access-group 101 in


** Edit - depending on how many subnets you have, you may want to write the access-list differently. If you are denying Live to more subnets than you are permitting it to, then you would probably rewrite the above acl as


access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.5.0 0.0.0.255

access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.6.0 0.0.0.255

access-list 101 deny ip 10.1.1.0 0.0.0.255 any


Jon


trombidz1 Mon, 01/21/2008 - 03:26

thanks

Regarding your edit, it would be easier to start with the denied subnets as I have too many to allow.


Also, would it be more intelligent if I used a standard acl?

Was my wildcard mask wrong as well?

sorry....


Jon Marshall Mon, 01/21/2008 - 03:29
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame, Founding Member
  • Cisco Designated VIP, 2017 LAN, WAN

Hi


For what you require you need to use extended access-lists, because you are making a decision to allow or drop traffic based on both the source and destination IP addresses.


Yes, your inverse masks were incorrect.


10.1.1.0/24 = 10.1.1.0 255.255.255.0 = inverse 10.1.1.0 0.0.0.255


Jon
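To make two points from this thread concrete, the top-down first-match evaluation ending in the implicit deny and the effect of the 0.255.255.255 wildcard versus 0.0.0.255, here is an added Python simulator. It is not part of the original thread and is not Cisco IOS code; it parses the numbered standard (1-99) and extended (100-199) access-list lines in the format the posts use, evaluates one source/destination pair from the top, and falls through to the implicit deny when nothing matches. The ACL texts are copied from the posts above; the sample host addresses are constructed for illustration, and only the `ip` protocol keyword is modelled, which is all the thread uses.

```python
"""Simulator for Cisco-style numbered IP access-lists (standard 1-99, extended 100-199).

Added example for this thread; not IOS code. Models only 'permit'/'deny' with the
'ip' protocol and the 'any' / 'host' / 'A.B.C.D W.W.W.W' address forms.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")  # 'any' == base 0.0.0.0 with an all-ones wildcard


@dataclass
class Ace:
    """One access-control entry. Standard entries always carry dst = any."""
    number: int
    action: str      # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard (inverse mask) semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def _take_addr(tokens: List[str]) -> Tuple[str, str]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' from the front of tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return tokens.pop(0), "0.0.0.0"
    # A standard ACL may omit the wildcard, which IOS treats as a single host (0.0.0.0).
    wildcard = tokens.pop(0) if tokens else "0.0.0.0"
    return tok, wildcard


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list <n> permit|deny ...' line."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    number, action = int(tokens[1]), tokens[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in {line!r}")
    rest = tokens[3:]
    if 1 <= number <= 99:                      # standard: source address only
        src, src_wc = _take_addr(rest)
        dst, dst_wc = ANY
    elif 100 <= number <= 199:                 # extended: protocol, source, destination
        if rest.pop(0) != "ip":
            raise ValueError(f"only the 'ip' protocol is modelled: {line!r}")
        src, src_wc = _take_addr(rest)
        dst, dst_wc = _take_addr(rest)
    else:
        raise ValueError(f"ACL number {number} is outside the modelled ranges")
    return Ace(number, action, src, src_wc, dst, dst_wc)


def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(line) for line in text.splitlines() if line.strip()]


def evaluate(acl: List[Ace], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Top-down first match. Returns (action, index); ('deny', None) is the implicit deny."""
    for i, ace in enumerate(acl):
        if wildcard_match(src, ace.src, ace.src_wc) and wildcard_match(dst, ace.dst, ace.dst_wc):
            return ace.action, i
    return "deny", None


# ACL as posted by the original poster, with the 0.255.255.255 wildcard
OP_WRONG_MASK = """\
access-list 11 deny 10.1.2.0 0.255.255.255
access-list 11 deny 10.1.3.0 0.255.255.255
access-list 11 deny 10.1.4.0 0.255.255.255
access-list 11 permit any
"""

# The same list with the /24 inverse mask the replies point to
STANDARD_FIXED = OP_WRONG_MASK.replace("0.255.255.255", "0.0.0.255")

# Jon's extended ACL, applied inbound on the Live (10.1.1.0/24) SVI
JON_EXTENDED = """\
access-list 101 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 101 deny ip 10.1.1.0 0.0.0.255 10.1.3.0 0.0.0.255
access-list 101 deny ip 10.1.1.0 0.0.0.255 10.1.4.0 0.0.0.255
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
"""

if __name__ == "__main__":
    # Constructed sample flows: WAN host -> printer, Live host -> UAT, Live host -> WAN.
    flows = (("10.1.5.7", "10.1.6.1"), ("10.1.1.10", "10.1.2.5"), ("10.1.1.10", "10.1.5.5"))
    for name, text in (("wrong mask", OP_WRONG_MASK), ("fixed std", STANDARD_FIXED), ("extended", JON_EXTENDED)):
        acl = parse_acl(text)
        for s, d in flows:
            print(f"{name:10} {s:>10} -> {d:<10} : {evaluate(acl, s, d)}")
```

Running it shows why the replies objected to the mask: with 0.255.255.255 the first deny already matches any 10.x.x.x source, so WAN traffic is dropped at entry 0 and the permit any is never reached; with 0.0.0.255 the same WAN host falls through to the permit. With Jon's extended list, a Live host to UAT hits the first deny, Live to WAN reaches the final permit, and a non-Live source matches nothing and lands on the implicit deny, which is the behaviour the thread describes.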
