Access-list question

Jul 16th, 2009
I have a line on my access-list which permits access to a whole subnet.

My question is: is it possible to use deny lines within the access list to deny access to certain host addresses within this subnet?

I don't think it is.

Jon Marshall Thu, 07/16/2009 - 05:57
Darren


Yes it is, as long as the deny lines are before the permit line in your ACL, i.e.:


access-list 101 deny tcp any host 192.168.5.10 eq www
access-list 101 deny tcp any host 192.168.5.11 eq https
access-list 101 permit ip any 192.168.5.0 0.0.0.255


The above ACL would deny any source address access to 192.168.5.10 on port 80 and to 192.168.5.11 on port 443.


All other ports can be accessed on the above 2 servers and all ports can be accessed on all other servers in the 192.168.5.0/24 network.


Jon

Rick Morris Thu, 07/16/2009 - 11:44

ACLs work in top-down order.

If the ACL is not matched at line 1 then it moves to line 2 and so on. At the end of the ACL there is an implied deny any any by default.


So if you need to specify specific denies then, as Jon pointed out, do so at the top of the ACL, then permit everything else after. If you permit everything at the top and then deny, you will never get to the deny because the ACL matches at line one and sends the traffic.
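As an added illustration of the top-down, first-match behaviour both answers describe (this is not code from the thread or from Cisco), here is a small Python evaluator for the numbered extended ACL syntax used above. It assumes contiguous wildcard masks, only the `eq` port qualifier, and constructed sample packets; the second list re-orders Jon's entries with the permit first to show how the denies get shadowed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional
PORT_NAMES = {"www": 80, "https": 443}  # IOS port keywords used in the thread

@dataclass
class Ace:
    action: str        # "permit" or "deny"
    proto: str         # "ip", "tcp", "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # destination port from "eq"; None = any port

def _addr_spec(t, i):
    """Consume one address spec (any | host A | A WILDCARD) starting at t[i]."""
    if t[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network(t[i + 1] + "/32"), i + 2
    # Wildcard mask: ipaddress accepts hostmask notation for contiguous masks
    return ipaddress.IPv4Network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def parse_ace(line):
    """Parse one 'access-list N <action> <proto> <src> <dst> [eq <port>]' line."""
    t = line.split()
    src, i = _addr_spec(t, 4)
    dst, i = _addr_spec(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES[t[i + 1]] if t[i + 1] in PORT_NAMES else int(t[i + 1])
    return Ace(t[2], t[3], src, dst, dport)

def evaluate(acl, proto, src, dst, dport=None):
    """Walk the ACL top down; the first matching entry decides the verdict."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if (ace.proto in ("ip", proto) and s in ace.src and d in ace.dst
                and (ace.dport is None or ace.dport == dport)):
            return ace.action  # first match wins, later lines are never consulted
    return "deny"  # fell off the end: the implicit "deny any any"

# Jon's ACL: specific denies first, then the subnet-wide permit
CORRECT_ORDER = [parse_ace(line) for line in (
    "access-list 101 deny tcp any host 192.168.5.10 eq www",
    "access-list 101 deny tcp any host 192.168.5.11 eq https",
    "access-list 101 permit ip any 192.168.5.0 0.0.0.255")]
# Same entries with the permit moved to the top: the denies are shadowed
WRONG_ORDER = CORRECT_ORDER[2:] + CORRECT_ORDER[:2]
```

With a constructed packet from 10.0.0.1 to 192.168.5.10 port 80, `evaluate(CORRECT_ORDER, "tcp", ...)` returns `"deny"` while the same packet against `WRONG_ORDER` returns `"permit"`.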
