Cisco Support Community

New Member

Access-list question,

I have a line on my access-list which permits access to a whole subnet.

My question is, is it possible to use deny lines within the access list to deny access to certain host addresses within this subnet.

I don't think it is.

Hall of Fame Super Blue

Re: Access-list question,


Yes it is, as long as the deny lines are before the permit line in your ACL, i.e.

access-list 101 deny tcp any host eq www

access-list 101 deny tcp any host eq https

access-list 101 permit ip any

the above acl would deny any source address to access on port 80 and on port 443.

All other ports can be accessed on the above 2 servers and all ports can be accessed on all other servers in the network.



Re: Access-list question,

ACLs work in a top-down order.

If the ACL is not matched at line 1, then it moves to line 2 and so on. At the end of the ACL there is an implied deny any any by default.

So if you need to specify specific denies, then, as Jon pointed out, do so at the top of the ACL, then permit everything else after. If you permit everything at the top and then deny, you will never get to the deny, because the ACL matches at line one and sends the traffic.
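The first-match, top-down behaviour described in the two answers above can be checked with a small simulator. This is an added example, not code from the thread or from Cisco; the subnet 10.1.1.0/24, the web server 10.1.1.10 and the outside source 192.0.2.5 are constructed placeholder addresses standing in for the ones the original ACL lines referred to. It evaluates the same two orderings (deny lines first versus permit first) and applies the implicit deny at the end when nothing matches.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class AclEntry:
    """One line of a numbered extended ACL (simplified: proto, src, dst, dst port)."""
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" (any protocol) or "tcp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None     # None means any destination port


def entry(action: str, proto: str, src: str, dst: str, dport: Optional[int] = None) -> AclEntry:
    """Build an entry from CIDR strings; 'any' is written as 0.0.0.0/0, a host as /32."""
    return AclEntry(action, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), dport)


def matches(e: AclEntry, proto: str, src_ip: str, dst_ip: str, dport: Optional[int]) -> bool:
    """True if the packet described by the arguments is covered by entry e."""
    if e.proto != "ip" and e.proto != proto:
        return False
    if ipaddress.ip_address(src_ip) not in e.src:
        return False
    if ipaddress.ip_address(dst_ip) not in e.dst:
        return False
    if e.dport is not None and e.dport != dport:
        return False
    return True


def evaluate(acl, proto: str, src_ip: str, dst_ip: str, dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Walk the ACL top-down; return (action, 1-based line that matched).

    If no line matches, the implicit 'deny any any' applies and the line is None.
    """
    for line_no, e in enumerate(acl, start=1):
        if matches(e, proto, src_ip, dst_ip, dport):
            return e.action, line_no
    return "deny", None


# Constructed addresses (placeholders, not from the original thread).
ANY = "0.0.0.0/0"
SUBNET = "10.1.1.0/24"      # the subnet the permit line covers
WEB_SERVER = "10.1.1.10/32" # the host whose web ports should be denied

# Ordering recommended in the thread: specific denies first, then the broad permit.
DENY_FIRST = [
    entry("deny", "tcp", ANY, WEB_SERVER, 80),    # deny tcp any host <web> eq www
    entry("deny", "tcp", ANY, WEB_SERVER, 443),   # deny tcp any host <web> eq https
    entry("permit", "ip", ANY, SUBNET),           # permit ip any <subnet>
]

# The ordering the second answer warns about: the permit shadows the denies.
PERMIT_FIRST = [
    entry("permit", "ip", ANY, SUBNET),
    entry("deny", "tcp", ANY, WEB_SERVER, 80),
    entry("deny", "tcp", ANY, WEB_SERVER, 443),
]


def demo() -> dict:
    """Return the verdict for a few representative packets under both orderings."""
    outside = "192.0.2.5"
    return {
        "deny_first_web80": evaluate(DENY_FIRST, "tcp", outside, "10.1.1.10", 80),
        "deny_first_ssh": evaluate(DENY_FIRST, "tcp", outside, "10.1.1.10", 22),
        "deny_first_other_host": evaluate(DENY_FIRST, "tcp", outside, "10.1.1.20", 80),
        "deny_first_outside_subnet": evaluate(DENY_FIRST, "tcp", outside, "10.2.2.2", 80),
        "permit_first_web80": evaluate(PERMIT_FIRST, "tcp", outside, "10.1.1.10", 80),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28s} -> {verdict}")
```

Running it shows port 80 to the web server denied at line 1 under DENY_FIRST, SSH to the same host and port 80 to another host in the subnet permitted at line 3, traffic to an address outside the subnet hitting the implicit deny, and, under PERMIT_FIRST, the same port-80 packet permitted at line 1 because the deny lines below it are never reached.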
