Access-list question

Jul 16th, 2009
I have a line on my access-list which permits access to a whole subnet.

My question is, is it possible to use deny lines within the access list to deny access to certain host addresses within this subnet?

I don't think it is.

Jon Marshall Thu, 07/16/2009 - 05:57

Yes it is, as long as the deny lines are before the permit line in your ACL, i.e.

access-list 101 deny tcp any host eq www

access-list 101 deny tcp any host eq https

access-list 101 permit ip any

The above ACL would deny any source address to access on port 80 and on port 443.

All other ports can be accessed on the above 2 servers and all ports can be accessed on all other servers in the network.


Rick Morris Thu, 07/16/2009 - 11:44

ACLs work in top-down order.

If the ACL is not matched at line 1 then it moves to line 2 and so on. At the end of the ACL there is an implied deny any any by default.

So if you need to specify specific denies then, as Jon pointed out, do so at the top of the ACL, then permit everything else after. If you permit everything at the top and then deny, you will never get to the deny because the ACL matches at line one and sends the traffic.
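An added example, not code from the thread: a small Python model of Cisco-style extended ACL evaluation (first match wins, implicit deny any any at the end) plus a shadow check that flags entries an earlier line makes unreachable. The addresses are assumed, since the host and subnet addresses in the original post did not survive; 10.1.1.0/24 stands in for the permitted subnet and 10.1.1.10 / 10.1.1.20 for the two hosts being restricted. Wildcard masks are handled the Cisco way (a 1 bit means "don't care"), so non-contiguous masks work too.

```python
"""Model Cisco extended-ACL matching: first match wins, implicit deny at the end."""
import ipaddress

# Common port keywords accepted after "eq"; numeric ports are also accepted.
PORT_NAMES = {"www": 80, "https": 443, "ssh": 22, "telnet": 23, "domain": 53}
ALL_ONES = 0xFFFFFFFF


def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' and return ((base, wildcard), rest)."""
    if tokens[0] == "any":
        return (0, ALL_ONES), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    base, wildcard = int(ipaddress.IPv4Address(tokens[0])), int(ipaddress.IPv4Address(tokens[1]))
    return (base, wildcard), tokens[2:]


def _addr_matches(spec, addr):
    """Cisco wildcard semantics: only the bits where the wildcard is 0 must agree."""
    base, wildcard = spec
    care = ~wildcard & ALL_ONES
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)


def parse_acl(lines):
    """Parse 'access-list N <permit|deny> <proto> <src> <dst> [eq <port>]' lines in order."""
    entries = []
    for line in lines:
        tokens = line.split()
        if not tokens or tokens[0].startswith("!"):
            continue
        if tokens[0] == "access-list":
            tokens = tokens[2:]  # drop "access-list <number>"
        action, proto = tokens[0], tokens[1]
        src, rest = _parse_addr(tokens[2:])
        dst, rest = _parse_addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        entries.append({"action": action, "proto": proto, "src": src,
                        "dst": dst, "dport": dport, "text": line})
    return entries


def evaluate(entries, proto, src, dst, dport=None):
    """Return (action, 1-based line number) of the first matching entry, or ('deny', None)."""
    for i, e in enumerate(entries, 1):
        if e["proto"] != "ip" and e["proto"] != proto:
            continue
        if not _addr_matches(e["src"], src) or not _addr_matches(e["dst"], dst):
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"], i
    return "deny", None  # the implicit deny any any at the end of every ACL


def _covers(spec_a, spec_b):
    """True if every address matched by spec_b is also matched by spec_a."""
    base_a, wc_a = spec_a
    base_b, wc_b = spec_b
    care_a = ~wc_a & ALL_ONES
    # every bit spec_a fixes must be fixed by spec_b too, with the same value
    return (care_a & wc_b) == 0 and (base_a & care_a) == (base_b & care_a)


def shadowed_entries(entries):
    """1-based indexes of entries that can never match because an earlier entry covers them."""
    out = []
    for i, e in enumerate(entries):
        for earlier in entries[:i]:
            if (earlier["proto"] in ("ip", e["proto"])
                    and _covers(earlier["src"], e["src"])
                    and _covers(earlier["dst"], e["dst"])
                    and (earlier["dport"] is None or earlier["dport"] == e["dport"])):
                out.append(i + 1)
                break
    return out


# Constructed sample (assumed addresses, not from the original post): denies first, as advised.
GOOD_ACL = [
    "access-list 101 deny tcp any host 10.1.1.10 eq www",
    "access-list 101 deny tcp any host 10.1.1.20 eq https",
    "access-list 101 permit ip any 10.1.1.0 0.0.0.255",
]
# Same three lines with the permit on top: the two denies are now unreachable.
BAD_ACL = [GOOD_ACL[2], GOOD_ACL[0], GOOD_ACL[1]]

if __name__ == "__main__":
    for name, acl in (("good", GOOD_ACL), ("bad", BAD_ACL)):
        entries = parse_acl(acl)
        print(name, evaluate(entries, "tcp", "192.0.2.5", "10.1.1.10", 80),
              "shadowed:", shadowed_entries(entries))
```

Running it shows the good ACL denying port 80 to 10.1.1.10 on line 1 and permitting port 22 on line 3, while the bad ACL permits port 80 on line 1 and reports lines 2 and 3 as shadowed; traffic to a host outside 10.1.1.0/24 falls through to the implicit deny in both.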

