https://community.cisco.com/t5/network-security/acl-s-top-to-bottom/m-p/5272211#M1120101 <P>Hello <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/199267">@sir_yrwins</a>&nbsp;</P> <P>you need to consolidate all the rules into a single ACL instead of applying multiple separate ACLs.</P> <P>routerA(config)#access-list 100 deny ip 0.0.0.0 0.255.255.255 any <BR />routerA(config)#access-list 100 deny ip 10.16.1.0 0.0.0.255 any <BR />routerA(config)#access-list 100 permit ip any any&nbsp;<BR />routerA(config)#interface Gi/0/0 <BR />routerA(config-if)#ip access-group 100 in</P> <P data-start="1139" data-end="1356">Now, the router will evaluate packets against <STRONG data-start="1185" data-end="1201">ACL 100 only</STRONG>, processing rules in order. It will first block any traffic from 0.0.0.0/8, then block traffic from 10.16.1.0/24, and finally allow everything else.</P> <P data-start="1358" data-end="1596" data-is-last-node="" data-is-only-node="">The key takeaway here is that you can only have one ACL per interface per direction.</P> <P data-start="1358" data-end="1596" data-is-last-node="" data-is-only-node="">&nbsp;</P> <P data-start="1358" data-end="1596" data-is-last-node="" data-is-only-node="">&nbsp;</P> Mon, 17 Mar 2025 21:38:50 GMT M02@rt37 2025-03-17T21:38:50Z https://community.cisco.com/t5/network-security/acl-s-top-to-bottom/m-p/5272208#M1120100 <P>internet-----&gt; Gi/0/0&nbsp;</P><P>routerA(config)#access-list 100 deny ip 0.0.0.0 0.255.255.255 any</P><P>routerA(config)#access-list 101 deny ip 10.16.1.0 0.0.0.255 any</P><P>routerA(config)#access-list 102 permit ip 10.16.1.0 0.0.0.255 any</P><P>routerA(config)#interface Gi/0/0</P><P>routerA(config-if)#ip access-gorup 100 in</P><P>routerA(config-if)#ip access-gorup 101 in</P><P>routerA(config-if)#ip access-gorup 102 in</P><P>this were I am lost ( why all traffic destined for the&nbsp;10.16.1.0 /24 network will be allowed)</P><P>why rule 101 (deny) is been ignored. the packet (rules) is read from top to bottom! and it read rule 101 is for deny so it drops, before I can read 102?</P><P>&nbsp;</P> Mon, 17 Mar 2025 21:31:19 GMT https://community.cisco.com/t5/network-security/acl-s-top-to-bottom/m-p/5272208#M1120100 sir_yrwins 2025-03-17T21:31:19Z https://community.cisco.com/t5/network-security/acl-s-top-to-bottom/m-p/5272211#M1120101 <P>Hello <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/199267">@sir_yrwins</a>&nbsp;</P> <P>you need to consolidate all the rules into a single ACL instead of applying multiple separate ACLs.</P> <P>routerA(config)#access-list 100 deny ip 0.0.0.0 0.255.255.255 any <BR />routerA(config)#access-list 100 deny ip 10.16.1.0 0.0.0.255 any <BR />routerA(config)#access-list 100 permit ip any any&nbsp;<BR />routerA(config)#interface Gi/0/0 <BR />routerA(config-if)#ip access-group 100 in</P> <P data-start="1139" data-end="1356">Now, the router will evaluate packets against <STRONG data-start="1185" data-end="1201">ACL 100 only</STRONG>, processing rules in order. It will first block any traffic from 0.0.0.0/8, then block traffic from 10.16.1.0/24, and finally allow everything else.</P> <P data-start="1358" data-end="1596" data-is-last-node="" data-is-only-node="">The key takeaway here is that you can only have one ACL per interface per direction.</P> <P data-start="1358" data-end="1596" data-is-last-node="" data-is-only-node="">&nbsp;</P> <P data-start="1358" data-end="1596" data-is-last-node="" data-is-only-node="">&nbsp;</P> Mon, 17 Mar 2025 21:38:50 GMT https://community.cisco.com/t5/network-security/acl-s-top-to-bottom/m-p/5272211#M1120101 M02@rt37 2025-03-17T21:38:50Z