ACL's top to bottom?

sir_yrwins
Level 1

internet-----> Gi/0/0 

routerA(config)#access-list 100 deny ip 0.0.0.0 0.255.255.255 any
routerA(config)#access-list 101 deny ip 10.16.1.0 0.0.0.255 any
routerA(config)#access-list 102 permit ip 10.16.1.0 0.0.0.255 any
routerA(config)#interface Gi/0/0
routerA(config-if)#ip access-group 100 in
routerA(config-if)#ip access-group 101 in
routerA(config-if)#ip access-group 102 in

This is where I am lost (why all traffic destined for the 10.16.1.0/24 network will be allowed).

Why is rule 101 (deny) being ignored? The rules are read from top to bottom! It reads rule 101, which is a deny, so it should drop the packet before it ever reads 102?


M02@rt37
VIP

Hello @sir_yrwins 

You need to consolidate all the rules into a single ACL instead of applying multiple separate ACLs.

routerA(config)#access-list 100 deny ip 0.0.0.0 0.255.255.255 any
routerA(config)#access-list 100 deny ip 10.16.1.0 0.0.0.255 any
routerA(config)#access-list 100 permit ip any any 
routerA(config)#interface Gi/0/0
routerA(config-if)#ip access-group 100 in

Now, the router will evaluate packets against ACL 100 only, processing rules in order. It will first block any traffic from 0.0.0.0/8, then block traffic from 10.16.1.0/24, and finally allow everything else.

The key takeaway here is that you can only have one ACL per interface per direction.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
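To make the two behaviours in this thread concrete, here is a small Python model of numbered extended ACL evaluation. It is an added example written for this page, not code from either poster or from Cisco. It assumes the IOS semantics the reply describes: ACEs are checked top to bottom, the first match wins, an unmatched packet hits the implicit deny, and a second `ip access-group N in` on the same interface replaces the earlier binding rather than stacking on it. The parser only handles `access-list N permit|deny ip SRC DST` lines with `any` or address/wildcard pairs, and the interface, packet addresses and helper names (`build_acls`, `apply_access_groups`, `evaluate`, `compare`) are constructed for the example.

```python
import ipaddress

# Constructed sample input: the original post's three separate ACLs (prompt kept
# to show the parser strips it) and the reply's single consolidated ACL.
SEPARATE_ACLS = [
    "routerA(config)#access-list 100 deny ip 0.0.0.0 0.255.255.255 any",
    "routerA(config)#access-list 101 deny ip 10.16.1.0 0.0.0.255 any",
    "routerA(config)#access-list 102 permit ip 10.16.1.0 0.0.0.255 any",
]
CONSOLIDATED_ACL = [
    "access-list 100 deny ip 0.0.0.0 0.255.255.255 any",
    "access-list 100 deny ip 10.16.1.0 0.0.0.255 any",
    "access-list 100 permit ip any any",
]
SEPARATE_BINDINGS = ["ip access-group 100 in",
                     "ip access-group 101 in",
                     "ip access-group 102 in"]
CONSOLIDATED_BINDINGS = ["ip access-group 100 in"]


def _strip_prompt(line):
    """Drop a copied 'routerA(config)#' style prompt, if present."""
    return line.split("#", 1)[1] if "#" in line else line


def _parse_match(tokens):
    """Consume one address spec: 'any' or '<addr> <wildcard>'.
    Returns (network_int, wildcard_int, remaining_tokens); a wildcard bit of 1
    means 'don't care', so 'any' is 0.0.0.0 with an all-ones wildcard."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    net = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    return net, wild, tokens[2:]


def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC DST' into (N, entry)."""
    tokens = _strip_prompt(line).split()
    if tokens[0] != "access-list" or tokens[3] != "ip":
        raise ValueError(f"unsupported line: {line}")
    number, action = int(tokens[1]), tokens[2]
    src, rest = _parse_match(tokens[4:])[:2], _parse_match(tokens[4:])[2]
    dst = _parse_match(rest)[:2]
    return number, {"action": action, "src": src, "dst": dst}


def build_acls(lines):
    """Group ACEs by ACL number, preserving configuration order."""
    acls = {}
    for line in lines:
        number, entry = parse_ace(line)
        acls.setdefault(number, []).append(entry)
    return acls


def _matches(addr, spec):
    """Compare only the bits whose wildcard bit is 0."""
    net, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)


def evaluate(acl, src, dst):
    """Top-down, first-match evaluation ending in the implicit deny."""
    for entry in acl:
        if _matches(src, entry["src"]) and _matches(dst, entry["dst"]):
            return entry["action"]
    return "deny"  # implicit 'deny ip any any' at the end of every ACL


def apply_access_groups(acls, commands):
    """Model 'ip access-group N in|out' on one interface: a later command in
    the same direction replaces the earlier binding (one ACL per direction)."""
    bound = {}
    for cmd in commands:
        tokens = _strip_prompt(cmd).split()   # ['ip', 'access-group', N, dir]
        bound[tokens[3]] = acls[int(tokens[2])]
    return bound


def compare(src, dst):
    """Return (verdict under the three separate ACLs, verdict under the
    consolidated ACL) for an inbound packet from src to dst."""
    separate = apply_access_groups(build_acls(SEPARATE_ACLS), SEPARATE_BINDINGS)
    merged = apply_access_groups(build_acls(CONSOLIDATED_ACL), CONSOLIDATED_BINDINGS)
    return evaluate(separate["in"], src, dst), evaluate(merged["in"], src, dst)


if __name__ == "__main__":
    for src in ("10.16.1.5", "0.1.2.3", "203.0.113.7"):
        sep, con = compare(src, "192.0.2.10")
        print(f"src {src:>12}: separate ACLs -> {sep:6}  consolidated ACL -> {con}")
```

Running it shows why the original question looked wrong: with three separate `ip access-group ... in` commands only ACL 102 survives on the interface, so a 10.16.1.0/24 source is permitted and every other source falls through to the implicit deny. With the consolidated ACL 100 the same 10.16.1.0/24 source is stopped by the second entry, and unrelated sources reach the final `permit ip any any`.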