
New Member

ACL - implicit deny

Hi,

Could you confirm I CAN'T do that:

access-list 101 deny 10.1.1.0 0.255.255.255

access-list 101 deny 10.1.2.0 0.255.255.255

access-list 102 permit any

I am worried about the implicit deny at the end ...

In fact I have a lot of subnets I would like to permit to another subnet. So I was wondering if I could only deny the subnet I want and then permit all the other ones.

I hope I am clear enough.

cheers

Accepted Solution
Hall of Fame Super Blue

Re: ACL - implicit deny

Hi

access-list 101 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255

access-list 101 deny ip 10.1.1.0 0.0.0.255 10.1.3.0 0.0.0.255

access-list 101 deny ip 10.1.1.0 0.0.0.255 10.1.4.0 0.0.0.255

access-list 101 permit ip 10.1.1.0 0.0.0.255 any

Then on the L3 interface for Live

vlan10

ip access-group 101 in

** Edit - depending on how many subnets you have, you may want to write the access-list differently. If you are denying Live to more subnets than you are permitting it to, then you would probably rewrite the above ACL as

access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.5.0 0.0.0.255

access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.6.0 0.0.0.255

access-list 101 deny ip 10.1.1.0 0.0.0.255 any

Jon

10 REPLIES

Re: ACL - implicit deny

Your access-list seems to be correct if you just want to deny the traffic from 10.1.1.0/24 and 10.1.2.0/24 and permit all other subnets.

Remember that access-lists are always processed in sequence.

So once the access-list reaches the permit any line, all the subnets will be matched and no traffic will end up hitting the implicit deny at the end of the access-list.

HTH

Narayan

Hall of Fame Super Blue

Re: ACL - implicit deny

Hi

I'm not sure what you are trying to do here. There are a couple of things that need explanation.

1) Your denies are using access-list 101 and then your permit is using 102. Is this a typo?

2) You are using extended access-list numbers, so you need source and destination subnets. If you just want to use one subnet as in the above statements, use an access-list of 1 -> 99.

That said, you can have denies in your ACL and then a permit. The implicit deny comes right at the end, so you can do what I think you are trying to do.

Jon

Re: ACL - implicit deny

Yes, Jon is correct...

I never saw that you are using extended access-list numbers.

Your access-list numbers should be the same for what you are trying to do, and if they are extended they need to have a source as well as a destination.

Narayan

Re: ACL - implicit deny

Hi,

Yes, sure you can do this kind of configuration.

You have to give the permit any statement under ACL 101 instead of 102; then the above mentioned subnets will be denied and the rest of the subnets will be permitted.

Plus, use a standard access-list if possible; it is much easier to configure.

The inverse mask you have used is not correct here....

If you typed it that way, then the second entry is meaningless: all the subnets starting with 10.x.x.x will be denied!!!

Use 0.0.0.255; then the ACL will be matched on the first 3 octets, and if it is matched those subnets will be denied.

Use the following config:

access-list 11 deny 10.1.1.0 0.0.0.255

access-list 11 deny 10.1.2.0 0.0.0.255

access-list 11 permit any

HTH,

regards,

shri :)

New Member

Re: ACL - implicit deny

Correct, I made a typo, it's ACL 101.

And I also made a mistake with the wildcard mask.

I had a problem understanding the implicit deny at the end of any ACL.

access-list 11 deny 10.1.1.0 0.0.0.255

access-list 11 deny 10.1.2.0 0.0.0.255

access-list 11 permit any

access-list 11 deny all ( implicit )

As it works in sequence, I understand now.

Many thanks to all of you

Re: ACL - implicit deny

Hi,

For my above post:

Here I have assumed that you have configured two access-lists as 101 and 102 and are applying them as per your topology, and that you have missed typing the destination network. Still, the inverse mask you have configured does not make any sense!!!

One more point: a standard access-list filters traffic based only on the source address, so put that ACL as close to the source as possible. The extended access-list can check source IP and destination IP as well as L4 info.

HTH,

regards,

shri :)

** EDIT: Hi Tom, sorry, I was typing when you posted your recent reply!!! Anyway, it was nice that I was able to help you. And thank you for the rating. :)

New Member

Re: ACL - implicit deny

OK, I'll explain it better and start:

Imagine I have 6 subnets (in fact I have more, and this is why I would like to start my ACL with the subnets I want to deny...)

So :

1 for VLAN LIVE env 10.1.1.0/24

1 for VLAN UAT env 10.1.2.0/24

1 for VLAN DEV env 10.1.3.0/24

1 for VLAN DR env 10.1.4.0/24

1 for VLAN WAN env 10.1.5.0/24

1 FOR VLAN PRINTER env 10.1.6.0/24

I would like to isolate the LIVE traffic and only allow it to send data to WAN and PRINTER, for example.

So I was thinking of putting this access-list on the subnet LIVE:

access-list 11 deny 10.1.2.0 0.255.255.255

access-list 11 deny 10.1.3.0 0.255.255.255

access-list 11 deny 10.1.4.0 0.255.255.255

access-list 11 permit any

access-list 11 deny all ( implicit )

In that case I stop traffic from UAT, DEV, DR and allow all the rest (WAN, PRINTER...).

So that should work, shouldn't it?


New Member

Re: ACL - implicit deny

Thanks.

Regarding your edit, it would be easier to start with the denied subnets as I have too many to allow.

Also, would it be more intelligent if I use a standard ACL?

Was my wildcard mask wrong as well?

Sorry....

Hall of Fame Super Blue

Re: ACL - implicit deny

Hi

For what you require you need to use extended access-lists, because you are making a decision to allow or drop traffic based on both the source and destination IP addresses.

Yes, your inverse masks were incorrect:

10.1.1.0/24 = 10.1.1.0 255.255.255.0 = inverse 10.1.1.0 0.0.0.255

Jon
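The three points the thread turns on (first-match evaluation, the implicit deny, and why 0.255.255.255 is the wrong wildcard for a /24) can be checked with a small Python model. This is an added example, not code from any poster or from Cisco: the ACL lines are the ones quoted in the thread, while the host addresses 10.1.1.10, 10.1.2.10 and 10.1.5.10 are constructed.

```python
# Added example (not from the thread): a minimal model of how IOS walks a numbered
# ACL. Entries are tested in order, the first match decides, and a packet that
# matches no entry hits the implicit deny at the end.
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # the 'any' keyword as base/wildcard

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard (inverse) mask: a 0 bit must match the base, a 1 bit is 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care

def parse_ace(line):
    """Parse 'access-list N permit|deny [ip] SRC WC [DST WC | any]'.
    A standard ACL (1-99) carries only a source; its destination is treated as 'any'."""
    toks = line.split()
    action, rest = toks[2], toks[3:]
    if rest[0] == "ip":               # protocol keyword of an extended ACL
        rest = rest[1:]
    def take(r):
        return (ANY, r[1:]) if r[0] == "any" else ((r[0], r[1]), r[2:])
    (src, src_wc), rest = take(rest)
    (dst, dst_wc), _ = take(rest) if rest else (ANY, [])
    return action, src, src_wc, dst, dst_wc

def evaluate(acl, src, dst):
    """Return (action, entry_number) of the first matching line, or ('deny', 'implicit')."""
    for n, line in enumerate(acl, 1):
        action, s, s_wc, d, d_wc = parse_ace(line)
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return action, n
    return "deny", "implicit"

# The poster's attempt: a standard ACL with 0.255.255.255 wildcards.
OP_ACL = ["access-list 11 deny 10.1.2.0 0.255.255.255",
          "access-list 11 deny 10.1.3.0 0.255.255.255",
          "access-list 11 deny 10.1.4.0 0.255.255.255",
          "access-list 11 permit any"]
# The same list with the wildcards corrected to 0.0.0.255.
STD_ACL = [l.replace("0.255.255.255", "0.0.0.255") for l in OP_ACL]
# Jon's extended ACL, applied inbound on the LIVE (10.1.1.0/24) interface.
EXT_ACL = ["access-list 101 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255",
           "access-list 101 deny ip 10.1.1.0 0.0.0.255 10.1.3.0 0.0.0.255",
           "access-list 101 deny ip 10.1.1.0 0.0.0.255 10.1.4.0 0.0.0.255",
           "access-list 101 permit ip 10.1.1.0 0.0.0.255 any"]

if __name__ == "__main__":
    for acl in (OP_ACL, STD_ACL, EXT_ACL):
        for dst in ("10.1.2.10", "10.1.5.10"):    # constructed UAT and WAN hosts
            print(acl[0].split()[1], "LIVE 10.1.1.10 ->", dst, evaluate(acl, "10.1.1.10", dst))
```

Running it shows the wrong wildcard denying every 10.x.x.x source at entry 1, the corrected standard ACL permitting everything because it never sees the destination, and only the extended ACL separating UAT from WAN, with non-LIVE sources falling through to the implicit deny.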
