Cisco Support Community
Community Member

General question ACL - implicit deny all

There have been a number of access lists built to protect the network, like anti-spoofing, blocking well-known ICMP exploits, blocking well-known DDoS ports and so on.

We do not have to worry about it too much, as the nature of the ACL is implicit deny all. What we need to do is build an ACL to permit the preferred traffic and ports (like permit www) and let the implicit deny all do the rest of the job. The security part of it should be well taken care of.

Can someone affirm my concept?

Community Member

Re: General question ACL - implicit deny all

As in your case, you have already answered your question. You build the list the way that you want to and then the implicit "deny all" takes care of the rest.

If you send me an example of what you want to do along with a network diagram, I would be happy to take a look at this.


Cisco Employee

Re: General question ACL - implicit deny all

The problem is "how are you going to identify the good traffic?"

It is already not easy to identify attacks, so I'm curious to know how you're going to say what is good traffic.

The reason we usually do it the other way is because it is supposed to be easier.

BTW, I would suggest using a firewall for security filtering. Don't rely on router ACLs.

I mean, a firewall will provide you more flexibility and is really designed for traffic inspection/filtering, while an ACL is very basic.

Community Member

Re: General question ACL - implicit deny all

The answer to your question is yes and no. You will more than likely allow any into your web server. I would still put a deny above the permit, denying all inside address ranges, on the outside interface for any destination. This will help prevent spoofing.

Community Member

Re: General question ACL - implicit deny all

Of course, an ACL itself is not a complete solution for security and it never is a good firewall. I will take it as a front-line defense against non-preferred traffic. With the ACL configured to allow only HTTP traffic, it should deny the rest of the non-permitted traffic, whether it is telnet, ICMP traffic, FTP, etc. In short, the implicit deny blocks all other port numbers except port 80. Of course, if the attacker is using a port 80 vulnerability, then that is beyond the scope of this topic.
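The two points made in the thread, the implicit deny at the end of every ACL and the advice to place an anti-spoofing deny above the permit for the web server, can be checked with a small first-match ACL evaluator. This is an added example and not code from the original posts or from Cisco; it models IOS extended ACL semantics in a simplified form (only `permit`/`deny`, `ip`/`tcp`/`udp`/`icmp`, `any`/`host`/wildcard address specs and a destination `eq` port). The inside range `192.0.2.0/24`, the web server `198.51.100.10` and the outside client `203.0.113.5` are constructed RFC 5737 documentation addresses, not taken from the thread.

```python
"""Simplified first-match ACL evaluator with Cisco-style implicit deny.

Added example, not from the forum thread or from Cisco. It shows two things:
  1. A packet that matches no entry falls through to the implicit
     "deny ip any any", so only the explicitly permitted port gets in.
  2. Order matters: an anti-spoofing deny placed BELOW the web permit is
     shadowed for port 80, exactly the case the thread warns about.
All addresses and ACL lines below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None  # None for protocols without ports (icmp)


@dataclass(frozen=True)
class Entry:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]       # destination port from "eq N", if present
    text: str                  # original line, reported on match


def _parse_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # Cisco wildcard masks are hostmasks; ipaddress accepts a contiguous
    # hostmask after the slash (non-contiguous wildcards are not modelled).
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse_acl(lines: List[str]) -> List[Entry]:
    """Parse IOS-style extended ACL lines, skipping blanks and '!' comments."""
    entries = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tokens = line.split()
        if tokens[0].isdigit():          # optional sequence number
            tokens.pop(0)
        action, proto = tokens.pop(0), tokens.pop(0)
        src = _parse_addr(tokens)
        dst = _parse_addr(tokens)
        dport = int(tokens[1]) if tokens and tokens[0] == "eq" else None
        entries.append(Entry(action, proto, src, dst, dport, line))
    return entries


def _matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if ipaddress.ip_address(p.src) not in e.src:
        return False
    if ipaddress.ip_address(p.dst) not in e.dst:
        return False
    if e.dport is not None and e.dport != p.dport:
        return False
    return True


def evaluate(entries: List[Entry], pkt: Packet) -> Tuple[str, str]:
    """First matching entry wins; no match means the implicit deny applies."""
    for e in entries:
        if _matches(e, pkt):
            return e.action, e.text
    return "deny", "<implicit deny ip any any>"


WEB = "198.51.100.10"      # constructed web server address
OUTSIDE = "203.0.113.5"    # constructed Internet client
SPOOFED = "192.0.2.7"      # constructed packet claiming an inside source

# Inbound ACL on the outside interface, ordered as the thread recommends:
# anti-spoofing deny of the inside range first, then the web permit.
GOOD_ACL = parse_acl([
    "10 deny ip 192.0.2.0 0.0.0.255 any",
    "20 permit tcp any host 198.51.100.10 eq 80",
])

# Same two lines in the wrong order: the permit shadows the deny for port 80.
BAD_ACL = parse_acl([
    "10 permit tcp any host 198.51.100.10 eq 80",
    "20 deny ip 192.0.2.0 0.0.0.255 any",
])

if __name__ == "__main__":
    cases = [
        ("legit http", Packet("tcp", OUTSIDE, WEB, 80)),
        ("telnet", Packet("tcp", OUTSIDE, WEB, 23)),
        ("icmp", Packet("icmp", OUTSIDE, WEB)),
        ("spoofed http", Packet("tcp", SPOOFED, WEB, 80)),
    ]
    for name, acl in (("GOOD_ACL", GOOD_ACL), ("BAD_ACL", BAD_ACL)):
        print(name)
        for label, pkt in cases:
            action, hit = evaluate(acl, pkt)
            print(f"  {label:13s} -> {action:6s} via {hit}")
```

Running the script shows telnet and ICMP from the outside client falling through to the implicit deny in both ACLs, while the spoofed packet with an inside source address is dropped by line 10 in `GOOD_ACL` but permitted in `BAD_ACL`, because first match wins and the permit is evaluated before the deny.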
