ACL - implicit deny

trombidz1
Level 1

Hi,

Could you confirm I can't do that:

access-list 101 deny 10.1.1.0 0.255.255.255
access-list 101 deny 10.1.2.0 0.255.255.255
access-list 102 permit any

I am worried about the implicit deny at the end ...

In fact I have a lot of subnets I would like to permit to another subnet. So I was wondering if I could only deny the subnet I want and then permit all the other ones.

I hope I am clear enough.

cheers


10 Replies

royalblues
Level 10

Your access-list seems to be correct if you just want to deny the traffic from 10.1.1.0/24 and 10.1.2.0/24 and permit all other subnets.

Remember that access-lists are always processed in sequence.

So once the access-list reaches the permit any line, all the subnets will be matched and no traffic will end up hitting the implicit deny at the end of the access-list.

HTH

Narayan

Jon Marshall
Hall of Fame

Hi

I'm not sure what you are trying to do here. There are a couple of things that need explanation:

1) Your denies are using access-list 101 and then your permit is using 102. Is this a typo?

2) You are using extended access-list numbers so you need source and destination subnets. If you just want to use one subnet as in the above statements, use an access-list number of 1 -> 99.

That said, you can have denies in your acl and then a permit. The implicit deny comes right at the end so you can do what I think you are trying to do.

Jon

Yes Jon is correct...

I never saw that you are using extended access-list numbers.

Your access-list numbers should be the same for what you are trying to do, and if they are extended they need to have a source as well as a destination.

Narayan

shrikar.dange
Level 1

hi,

Yes, sure you can do this kind of configuration.

You have to give the permit any statement under ACL 101 instead of 102; then the above mentioned subnets will be denied and the rest of the subnets will be permitted.

Plus, use a standard access-list if possible; it is much easier to configure.

The inverse mask you have used is not correct here....

If you typed it that way then the second entry is meaningless: all the subnets starting with 10.x.x.x will be denied!!!

Use 0.0.0.255; then the ACL will be matched on the first 3 octets and if it is matched those subnets will be denied.

Use following config:

access-list 11 deny 10.1.1.0 0.0.0.255
access-list 11 deny 10.1.2.0 0.0.0.255
access-list 11 permit any

HTH,

regards,

shri :)

Correct, I made a typo, it's acl 101,

and I also made a mistake with the wildcard mask.

I had a problem understanding the implicit deny at the end of any acl.

access-list 11 deny 10.1.1.0 0.0.0.255
access-list 11 deny 10.1.2.0 0.0.0.255
access-list 11 permit any
access-list 11 deny all ( implicit )

As it works in sequence, I understand now.

Many thanks to all of you

hi

For my above post:

Here I have assumed that you have configured two access-lists as 101 and 102 & applied them as per your topology, and that the destination network is what you have missed typing. Still, the inverse mask you have configured does not make any sense!!!

One more point: a standard access-list filters traffic based on only the source address, so put that acl as close to the source as possible. The extended access-list can check source ip, destination ip as well as L4 info.

HTH,

regards,

shri :)

** EDIT: Hi tom, sorry I was typing when you posted your recent reply!!! Anyway, it was nice that I was able to help you. And thank you for the rating. :)

Ok, I'll explain it better and start again:

Imagine I have 6 subnets (in fact I have more, and this is why I would like to start my ACL with the subnets I want to deny ...)

So :

1 for VLAN LIVE env 10.1.1.0/24

1 for VLAN UAT env 10.1.2.0/24

1 for VLAN DEV env 10.1.3.0/24

1 for VLAN DR env 10.1.4.0/24

1 for VLAN WAN env 10.1.5.0/24

1 for VLAN PRINTER env 10.1.6.0/24

I would like to isolate the LIVE traffic and only allow it to send data to WAN and PRINTER for example,

so I was thinking of putting this access list for the subnet LIVE:

access-list 11 deny 10.1.2.0 0.255.255.255
access-list 11 deny 10.1.3.0 0.255.255.255
access-list 11 deny 10.1.4.0 0.255.255.255
access-list 11 permit any
access-list 11 deny all ( implicit )

In that case I stop traffic from UAT, DEV, DR and allow all the rest (WAN, PRINTER ...),

so that should work, shouldn't it?

Hi

access-list 101 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 101 deny ip 10.1.1.0 0.0.0.255 10.1.3.0 0.0.0.255
access-list 101 deny ip 10.1.1.0 0.0.0.255 10.1.4.0 0.0.0.255
access-list 101 permit ip 10.1.1.0 0.0.0.255 any

Then on the L3 interface for Live

vlan10

ip access-group 101 in

** Edit - depending on how many subnets you have, you may want to write the access-list differently. If you are denying Live to more subnets than you are permitting it to, then you would probably rewrite the above acl as

access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.5.0 0.0.0.255
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.6.0 0.0.0.255
access-list 101 deny ip 10.1.1.0 0.0.0.255 any

Jon

thanks

Regarding your edit, it would be easier to start with the denied subnets as I have too many to allow.

Also, would it be more intelligent if I used a standard acl?

Was my wildcard mask wrong as well?

sorry....

Hi

For what you require you need to use extended access-lists because you are making a decision to allow or drop traffic based on both the source and destination IP addresses.

Yes, your inverse masks were incorrect.

10.1.1.0/24 = 10.1.1.0 255.255.255.0 = inverse 10.1.1.0 0.0.0.255

Jon
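As an added illustration of the two points made in this thread (entries are matched in sequence, first match wins, and anything unmatched hits the implicit deny; and why the wildcard 0.255.255.255 swallows every 10.x.x.x address while 0.0.0.255 matches one /24), here is a small simulator written for this page. It is not Cisco or forum code; parse_ace and evaluate are invented names, and it only understands the plain source/destination syntax used in the posts above.

```python
import ipaddress

# Constructed simulator of Cisco numbered-ACL evaluation (added example, not
# Cisco or forum code): entries are checked top to bottom, the first match
# decides, and anything unmatched falls through to the implicit deny.
ANY = ("0.0.0.0", "255.255.255.255")

def wildcard_match(addr, base, wildcard):
    """Wildcard bit 1 = ignore this bit, 0 = bit must match the base."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

def parse_ace(line):
    """Parse 'access-list N {permit|deny} [ip] SRC WC [DST WC]' ('any' allowed)."""
    tokens = line.split()
    assert tokens[0] == "access-list", line
    action, rest = tokens[2], tokens[3:]
    if rest[0] == "ip":          # extended-ACL protocol keyword
        rest = rest[1:]
    def take(t):
        return (ANY, t[1:]) if t[0] == "any" else ((t[0], t[1]), t[2:])
    src, rest = take(rest)
    dst = ANY                    # standard ACL: destination is never checked
    if rest:
        dst, rest = take(rest)
    return action, src, dst

def evaluate(acl, src, dst="0.0.0.0"):
    """Return 'permit' or 'deny' for one packet, honouring the implicit deny."""
    for line in acl:
        action, (sb, sw), (db, dw) = parse_ace(line)
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"                # implicit deny at the end of every ACL

# The OP's first attempt: 0.255.255.255 ignores the last three octets, so the
# first entry already denies every 10.x.x.x source, WAN and PRINTER included.
OP_ACL = ["access-list 11 deny 10.1.2.0 0.255.255.255",
          "access-list 11 deny 10.1.3.0 0.255.255.255",
          "access-list 11 permit any"]

# Jon's extended ACL for the LIVE VLAN (applied inbound on its L3 interface).
LIVE_ACL = ["access-list 101 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255",
            "access-list 101 deny ip 10.1.1.0 0.0.0.255 10.1.3.0 0.0.0.255",
            "access-list 101 deny ip 10.1.1.0 0.0.0.255 10.1.4.0 0.0.0.255",
            "access-list 101 permit ip 10.1.1.0 0.0.0.255 any"]
```

Running evaluate(OP_ACL, "10.1.5.7") returns "deny" (the WAN subnet is caught by the over-wide wildcard), while evaluate(LIVE_ACL, "10.1.2.5", "10.1.5.9") returns "deny" purely because no entry matches a UAT source and the implicit deny applies.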
