Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
239
Views
0
Helpful
1
Replies

When adding IP addresses to block in an ACL, can they be added to the end?

NaderHussain
Level 1
Level 1

‎08-31-2015 06:40 PM - edited ‎03-11-2019 11:31 PM

I know that ACLs have to be ordered from most specific to lesser specific rules.

IP addresses to subnets.

 

When permitting a subnet through and denying a given IP address through, it is best to start with the IP address rule and then put in the network rule.

IP address is permitted, then the network is denied except for the permitted IP address. Rule 1 allows the packet to pass through for both rules.

 

If the subnet is denied first and the IP address is permitted, the packets will be blocked by the first rule. This is because the second rule is ignored. The subnet is blocked and then an IP address is permitted. All packets are blocked by rule 1.

 

Suppose if rule 1 and rule 2 are swapped and the IP address is blocked after the network is permitted through, both rules are still present. Packets pass through rule for network. However, the rule for the IP address is still present.

 

-------- allow Net A through -------- block a given IP address in the network -------

 

Will this work?

 

 

Labels:
0 Helpful
1 Reply 1

Vibhor Amrodia
Cisco Employee
Cisco Employee

‎08-31-2015 07:11 PM

Hi,

No , This will not work as the traffic matches the 1st rule and won't be checked against another rule.

Thanks and Regards,

Vibhor Amrodia

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card