ACL question: Explicit deny any any not working?

simonwynn
Level 1

Hi,

I'm pretty familiar with ACLs, and understand that every access list has an explicit deny any any, so if you just have an "empty" access list it will block all traffic.

I just added two extended access lists to a physical interface, but left them empty. They don't appear to be blocking any traffic??? Are there some cases where explicit deny any any isn't present??? Is there a case where an access list on another interface can 'override' this ACL???

thanks, Simon

6 Replies

bretjaquish
Level 3

You might want to check which way the ACL is pointing. (IN or OUT of an interface)

I actually applied two access lists: one IN and one OUT. No idea what the problem is.

Here is the interface with just the IN (did also try IN and OUT):

interface FastEthernet0/0
 description DMZ$FW_INSIDE$$ETH-LAN$
 ip address 192.168.2.1 255.255.255.0
 ip access-group dmz in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled

and the empty ACL:

ip access-list extended dmz

Jon Marshall
Hall of Fame

Simon

The explicit deny any any is true only when the access-list is not empty. If there is at least one entry in an ACL then you are correct in what you say, but an empty ACL will allow all traffic through.

I believe some of the earlier IOS versions did indeed block traffic with an empty ACL, but this is definitely no longer the case.

Jon
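The behaviour Jon describes, as an added worked example that is not part of this thread and not Cisco's code: a small Python model of first-match ACL evaluation in which an empty ACL permits everything and a non-empty ACL ends with the implicit deny, plus a check that walks a config and reports access-group bindings whose ACL is empty or undefined (the situation Simon ran into). The config text is constructed for the example, modelled on Simon's FastEthernet0/0; the parser assumes contiguous wildcard masks and ignores port and log keywords.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action, protocol, source and destination."""
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _take_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' from the front of tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    # An IOS wildcard is the bitwise inverse of a subnet mask; only contiguous
    # wildcards (0.0.0.255, 0.0.255.255, ...) are representable as a network here.
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ wildcard)
    return ipaddress.IPv4Network(f"{tok}/{netmask}", strict=False)


def parse_ace(tokens):
    """Parse 'permit tcp 10.1.1.0 0.0.0.255 any ...'; trailing port/log keywords are ignored."""
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src = _take_addr(rest)
    dst = _take_addr(rest)
    return Ace(action, proto, src, dst)


def parse_config(config):
    """Pull named extended ACLs and interface access-group bindings out of a config."""
    acls = {}        # ACL name -> list of Ace (empty list if the ACL has no entries)
    bindings = []    # (interface, ACL name, direction)
    block_kind = block_name = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue
        tokens = line.split()
        if not line.startswith(" "):          # top-level line starts a new block
            if tokens[:2] == ["ip", "access-list"] and len(tokens) >= 4:
                block_kind, block_name = "acl", tokens[3]
                acls.setdefault(block_name, [])
            elif tokens[0] == "interface":
                block_kind, block_name = "iface", tokens[1]
            else:
                block_kind = block_name = None
            continue
        if block_kind == "acl":
            acls[block_name].append(parse_ace(tokens))
        elif block_kind == "iface" and tokens[:2] == ["ip", "access-group"]:
            bindings.append((block_name, tokens[2], tokens[3]))
    return acls, bindings


def evaluate(aces, proto, src_ip, dst_ip):
    """First-match evaluation of one packet against an ACL; returns 'permit' or 'deny'."""
    if not aces:
        return "permit"       # empty ACL: no implicit deny, everything passes
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in aces:
        if ace.proto in ("ip", proto) and s in ace.src and d in ace.dst:
            return ace.action
    return "deny"             # implicit deny at the end of a non-empty ACL


def find_unfiltered_bindings(config):
    """Report access-group bindings that filter nothing: the ACL is empty or undefined."""
    acls, bindings = parse_config(config)
    return [b for b in bindings if not acls.get(b[1])]


# Constructed sample config: 'dmz' is defined but empty (Simon's case),
# 'lan' has two permits and relies on the implicit deny, 'missing' is never defined.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 description DMZ
 ip address 192.168.2.1 255.255.255.0
 ip access-group dmz in
!
interface FastEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 ip access-group lan in
!
interface FastEthernet0/2
 ip access-group missing out
!
ip access-list extended dmz
ip access-list extended lan
 permit tcp 10.1.1.0 0.0.0.255 any
 permit icmp host 10.1.1.5 any
"""

if __name__ == "__main__":
    acls, _ = parse_config(SAMPLE_CONFIG)
    print("dmz, tcp 192.168.2.10 -> 8.8.8.8:", evaluate(acls["dmz"], "tcp", "192.168.2.10", "8.8.8.8"))
    print("lan, udp 10.1.1.5 -> 8.8.8.8:", evaluate(acls["lan"], "udp", "10.1.1.5", "8.8.8.8"))
    print("bindings that filter nothing:", find_unfiltered_bindings(SAMPLE_CONFIG))
```

Run against a saved running-config, `find_unfiltered_bindings` is the check worth keeping in a config audit: an interface with an access-group whose ACL has no entries (or that was never defined) looks filtered in `show run` but is not.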

Thanks Jon - I thought I was going crazy. A lot of online references for ACLs still say empty ACLs will block, so that's what tripped me up.

Simon

One other question: Do ACLs take effect immediately, or is there any instance where I need to do something to make them take effect??? - Simon

They take effect as soon as you apply them to the interface.

Jon
