ACL question: Explicit deny any any not working?

Unanswered Question
May 18th, 2009


I'm pretty familiar with ACLs, and understand that every access list has an explicit deny any any, so if you just have an "empty" access list it will block all traffic.

I just added two extended access lists to a physical interface, but left them empty. They don't appear to be blocking any traffic??? Are there some cases where explicit deny any any isn't present??? Is there a case where an access-list on another interface can 'override' this ACL???

thanks, Simon

simonwynn Mon, 05/18/2009 - 09:00

I actually applied two access lists: one IN and one OUT. No idea what the problem is.

Here is the interface with just the IN (did also try IN and OUT):

interface FastEthernet0/0
 description DMZ$FW_INSIDE$$ETH-LAN$
 ip address
 ip access-group dmz in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled

and the empty ACL:

ip access-list extended dmz

Jon Marshall Mon, 05/18/2009 - 09:07


The explicit deny any any is true only when the access-list is not empty. If there is at least one entry in an ACL then you are correct in what you say, but an empty ACL will allow all traffic through.

I believe some of the earlier IOS versions did indeed block traffic with an empty acl but this is definitely no longer the case.

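As an added example (not code from this thread, from Cisco, or from either poster), the Python below models the rule Jon describes and also audits a running-config for the exact misconfiguration Simon hit: an access-group that names an ACL with no entries. It takes Simon's interface stanza and the empty dmz ACL from above, adds a hypothetical populated ACL named dmz_fixed with constructed addresses, and assumes the current IOS behaviour: a named ACL with zero entries permits everything, while any ACL with at least one entry ends in an implicit deny any any. The sample packets are constructed as well.

```python
"""Model of IOS access-list evaluation plus an audit for empty access-groups.

Added example, not code from the thread or from Cisco. Assumes the IOS
behaviour Jon describes: an ACL with zero entries permits everything; an ACL
with at least one entry ends in an implicit "deny any any".
"""
import re
from ipaddress import ip_address, ip_network

# Constructed running-config: Simon's interface stanza (trimmed) plus the empty
# "dmz" ACL from the page and a hypothetical populated ACL "dmz_fixed".
RUNNING_CONFIG = """\
interface FastEthernet0/0
 description DMZ$FW_INSIDE$$ETH-LAN$
 ip access-group dmz in
 ip nat inside
!
ip access-list extended dmz
!
ip access-list extended dmz_fixed
 permit tcp any host 192.0.2.10 eq 80
 permit udp 192.0.2.0 0.0.0.255 any eq 53
!
"""


def parse_addr(tokens, i):
    """Consume one IOS address spec at tokens[i]; return (network, next_index)."""
    if tokens[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ip_network(tokens[i + 1] + "/32"), i + 2
    # "addr wildcard": Python's ipaddress accepts a hostmask (IOS wildcard)
    # directly, but only a contiguous one; IOS itself allows discontiguous masks.
    return ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Parse 'permit|deny <proto> <src> [eq P] <dst> [eq P]' into a dict."""
    t = line.split()
    ace = {"action": t[0], "proto": t[1]}
    i = 2
    for side in ("src", "dst"):
        ace[side], i = parse_addr(t, i)
        ace[side + "_port"] = None
        if i < len(t) and t[i] == "eq":
            ace[side + "_port"] = int(t[i + 1])
            i += 2
    return ace


def parse_config(text):
    """Return ({acl_name: [ace, ...]}, [(interface, acl_name, direction), ...])."""
    acls, groups, current = {}, [], None
    for line in text.splitlines():
        if m := re.match(r"interface (\S+)", line):
            current = ("if", m.group(1))
        elif m := re.match(r"ip access-list extended (\S+)", line):
            current = ("acl", m.group(1))
            acls.setdefault(m.group(1), [])
        elif current and line.startswith(" ") and line.strip():
            body = line.strip()
            if current[0] == "if" and (m := re.match(r"ip access-group (\S+) (in|out)", body)):
                groups.append((current[1], m.group(1), m.group(2)))
            elif current[0] == "acl" and body.split()[0] in ("permit", "deny"):
                acls[current[1]].append(parse_ace(body))
        else:
            current = None  # "!" or any other top-level line ends the section
    return acls, groups


def ace_matches(ace, pkt):
    """Protocol, source/destination network and optional ports must all match."""
    if ace["proto"] not in ("ip", pkt["proto"]):
        return False
    if ip_address(pkt["src"]) not in ace["src"] or ip_address(pkt["dst"]) not in ace["dst"]:
        return False
    if ace["src_port"] is not None and pkt.get("sport") != ace["src_port"]:
        return False
    if ace["dst_port"] is not None and pkt.get("dport") != ace["dst_port"]:
        return False
    return True


def evaluate(acl, pkt):
    """First matching ACE wins; the implicit deny exists only in a non-empty list."""
    if not acl:
        return "permit"  # empty ACL: nothing to match, nothing to deny (Jon's point)
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"  # implicit deny any any at the end of a populated ACL


def audit_access_groups(acls, groups):
    """Flag interfaces whose access-group names an ACL that filters nothing."""
    findings = []
    for intf, name, direction in groups:
        if name not in acls:
            findings.append(f"{intf} {direction}: ACL '{name}' is not defined (permits everything)")
        elif not acls[name]:
            findings.append(f"{intf} {direction}: ACL '{name}' has no entries (permits everything)")
    return findings


if __name__ == "__main__":
    acls, groups = parse_config(RUNNING_CONFIG)
    for finding in audit_access_groups(acls, groups):
        print("WARNING:", finding)
    ssh = {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.10", "dport": 22}
    print("empty dmz     ->", evaluate(acls["dmz"], ssh))        # permit
    print("dmz_fixed     ->", evaluate(acls["dmz_fixed"], ssh))  # deny
```

Run against the constructed config, the audit reports FastEthernet0/0 with its empty dmz list, and the same SSH packet is permitted by the empty list but denied by dmz_fixed, which is the difference Simon observed. The audit also flags an access-group that refers to a list that was never defined, since IOS treats that the same way as an empty one.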

simonwynn Mon, 05/18/2009 - 09:51

Thanks Jon - I thought I was going crazy. A lot of online references for ACLs still say empty ACLs will block, so that's what tripped me up.


simonwynn Mon, 05/18/2009 - 09:55

One other question: Do ACLs take effect immediately, or is there any instance where I need to do something to make them take effect??? - Simon

