Access List for router

Unanswered Question
Oct 5th, 2009
User Badges:
  • Silver, 250 points or more

If write a Extended or Standard ACL on a router , mentioning 5 lines including deny or permit ip traffic, at the end of ACL if i forget to write permit ip any any . whether it will assign deny ip any any as default command at the end of ACL or permit ip any any as a default command .

In firewall the ACL at last as a default is deny ip any any . wht is default in case of router.Thank you

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
Hitesh Vinzoda Mon, 10/05/2009 - 21:56
User Badges:
  • Silver, 250 points or more

It doesnt matter whether it is a router, switch or firewall, whenever you create an ACL there is always implicit "deny ip any any" at the end.

Even if you add permit ip any any at the end of the ACL. There will be implicit deny ip any any following it.


H Vinzoda

Peter Paluch Mon, 10/05/2009 - 21:59
User Badges:
  • Cisco Employee,

Hello Santhoshkumar,

At the end of every ACL, be it on router, firewall or a switch manufactured by Cisco, there is an implicit (invisible) deny any clause. This is simply how the ACLs are implemented throughout the Cisco product portfolio. Any ACL is by default of the form "everything that is not permitted explicitely will be dropped implicitely".

Best regards,


Wouter Prins Thu, 10/08/2009 - 08:30
User Badges:

hi sanvaishu,

the default is implicit deny for acl's no matter what types they are. One of the reasons why you would want to add a deny any any would be for a 'log' statement, so you can actually see whats being dropped.


This Discussion