Cisco Support Community

New Member

Access-list question,

I have a line on my access-list which permits access to a whole subnet.

My question is, is it possible to use deny lines within the access list to deny access to certain host addresses within this subnet.

I don't think it is.

2 REPLIES
Hall of Fame Super Blue

Re: Access-list question,

Darren

Yes it is, as long as the deny lines are before the permit line in your acl, i.e.

access-list 101 deny tcp any host 192.168.5.10 eq www
access-list 101 deny tcp any host 192.168.5.11 eq https
access-list 101 permit ip any 192.168.5.0 0.0.0.255

the above acl would deny any source address to access 192.168.5.10 on port 80 and 192.168.5.11 on port 443.

All other ports can be accessed on the above 2 servers and all ports can be accessed on all other servers in the 192.168.5.0/24 network.

Jon

Silver

Re: Access-list question,

ACLs work in a top-down order.

If the ACL is not matched at line 1 then it moves to line 2 and so on. At the end of the acl there is an implied deny any any by default.

So if you need to specify specific denies then, as Jon pointed out, do so at the top of the acl, then permit everything else after. If you permit everything at the top and then deny, you will never get to the deny, because the ACL matches at line one and sends the traffic.
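A worked simulation of the behaviour both replies describe, added here as an example (it is not Cisco code and was not posted in this thread): it parses the three access-list 101 lines from Jon's reply, evaluates constructed sample packets top-down with the first match winning and the implicit deny at the end, and flags entries that can never be reached when the permit is placed first. The sample packets, the small port-name table and the parser's limits (contiguous wildcard masks, only the "eq" port operator) are assumptions of the example, not anything the thread states.

```python
"""Simulate Cisco IOS numbered extended ACL evaluation (added example, not vendor code).

Models the two rules in the replies: entries are tested top-down and the first
match wins, and anything unmatched hits the implicit "deny any any" at the end.
shadowed() reports entries that can never match because an earlier, broader
entry already covers them (a deny placed after a wider permit).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The ACL from Jon's reply (constructed config text, not pulled from a device).
ACL_101 = """
access-list 101 deny tcp any host 192.168.5.10 eq www
access-list 101 deny tcp any host 192.168.5.11 eq https
access-list 101 permit ip any 192.168.5.0 0.0.0.255
"""

# Same entries with the permit moved to the top: the ordering mistake the second reply warns about.
ACL_101_PERMIT_FIRST = """
access-list 101 permit ip any 192.168.5.0 0.0.0.255
access-list 101 deny tcp any host 192.168.5.10 eq www
access-list 101 deny tcp any host 192.168.5.11 eq https
"""

PORT_NAMES = {"www": 80, "https": 443, "ssh": 22, "telnet": 23, "domain": 53}  # assumed subset


@dataclass
class Ace:
    """One access control entry (one access-list line)."""
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every IP protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: Optional[int]          # None = any source port
    dport: Optional[int]          # None = any destination port
    text: str                     # original line, for reporting


def _parse_addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D <wildcard>' starting at t[i]."""
    if t[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network(t[i + 1] + "/32"), i + 2
    wild = int(ipaddress.IPv4Address(t[i + 1]))
    if (wild + 1) & wild:                      # wildcard must be of the form 2^n - 1
        raise ValueError(f"non-contiguous wildcard mask not supported: {t[i + 1]}")
    prefix = 32 - wild.bit_length()            # 0.0.0.255 -> /24, 0.0.0.0 -> /32
    return ipaddress.IPv4Network(f"{t[i]}/{prefix}", strict=False), i + 2


def _parse_port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    """Parse an optional 'eq <port|name>' at t[i]; other operators are not modelled."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i


def parse_acl(config: str) -> List[Ace]:
    """Parse 'access-list <n> <permit|deny> <proto> <src> [eq p] <dst> [eq p]' lines."""
    aces = []
    for line in config.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        src, i = _parse_addr(t, 4)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        aces.append(Ace(t[2], t[3], src, dst, sport, dport, line.strip()))
    return aces


def evaluate(acl: List[Ace], src_ip: str, dst_ip: str, proto: str,
             dport: Optional[int] = None, sport: Optional[int] = None) -> Tuple[str, str]:
    """Return (action, matching line) for one packet: top-down, first match wins."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.sport is not None and ace.sport != sport:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.text
    return "deny", "implicit deny any any"     # nothing matched: dropped by default


def _covers(wide: Ace, narrow: Ace) -> bool:
    """True if every packet matching `narrow` would already have matched `wide`."""
    return ((wide.proto == "ip" or wide.proto == narrow.proto)
            and narrow.src.subnet_of(wide.src) and narrow.dst.subnet_of(wide.dst)
            and (wide.sport is None or wide.sport == narrow.sport)
            and (wide.dport is None or wide.dport == narrow.dport))


def shadowed(acl: List[Ace]) -> List[str]:
    """Lines that can never match because an earlier line already covers them."""
    return [later.text for n, later in enumerate(acl)
            if any(_covers(earlier, later) for earlier in acl[:n])]


if __name__ == "__main__":
    good, bad = parse_acl(ACL_101), parse_acl(ACL_101_PERMIT_FIRST)
    for dst, port in [("192.168.5.10", 80), ("192.168.5.10", 22), ("192.168.5.11", 443),
                      ("192.168.5.50", 443), ("192.168.6.1", 80)]:
        print(dst, port, evaluate(good, "10.1.1.1", dst, "tcp", port))
    print("unreachable entries when the permit comes first:", shadowed(bad))
```

Running it shows the three outcomes Jon lists (port 80 on .10 and 443 on .11 denied, everything else in 192.168.5.0/24 permitted, anything outside the subnet dropped by the implicit deny), and shadowed() on the permit-first version lists both deny lines as dead, which is a useful audit check to run on a real ACL before pushing it.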
