Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
10211
Views
0
Helpful
3
Replies

Is 'Deny any' default at the end for all access-lists created

Go to solution
getaway51
Level 2
Level 2

‎05-26-2020 08:15 PM

Hi.

 

By default, Is there a "deny any" at the last line for all ACL? for ACL 2, will it allow all? 

 

access-list 1 permit 202.160.198.192 0.0.0.31
access-list 1 deny any

access-list 2 permit 202.160.198.192 0.0.0.31

Thanks!

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Martin L
VIP
VIP

‎05-26-2020 08:22 PM - edited ‎05-26-2020 08:24 PM

 

yes,  deny all at the end of all ACLs. even if you do not see it ! it is called implicit deny;

so, your acl #2 has deny all , you must add permit any any

your #1 and 2 are very different or unique ACLs

 

same thing for ip prefix lists

 

Regards, ML
**Please Rate All Helpful Responses **

View solution in original post

0 Helpful

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame

‎05-26-2020 11:06 PM - edited ‎05-26-2020 11:08 PM

Hello @getaway51 ,

the implicit deny any applies to your ACL 2 that allows only packets with source matching the first explicit statement of ACL 2.

 

The implicit deny any or deny ip any any for extended ACLs applies for all existing configured ACLs (with at least one statement).

Because IOS does not check or warn us if we invoke a non existing ACL in that case a non existing ACL is seen like a permit any or permit ip any any to avoid impacts.

 

The implicit deny any exists to help in writing an ACL with the following logic:

write only the statements of traffic that should be permitted.

If in the future you need to add a permit statement you can do it without the need to rewrite the whole ACL.

 

As an alternative you can write an ACL using a reverse logic:

first you have some deny statements to stop traffic flows then you permit all other traffic with a permit any or permit ip any any.

In this case you need to use an explicit statement to override the implicit deny any.

 

Hope to help

Giuseppe

 

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Martin L
VIP
VIP

‎05-26-2020 08:22 PM - edited ‎05-26-2020 08:24 PM

 

yes,  deny all at the end of all ACLs. even if you do not see it ! it is called implicit deny;

so, your acl #2 has deny all , you must add permit any any

your #1 and 2 are very different or unique ACLs

 

same thing for ip prefix lists

 

Regards, ML
**Please Rate All Helpful Responses **

0 Helpful

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame

‎05-26-2020 11:06 PM - edited ‎05-26-2020 11:08 PM

Hello @getaway51 ,

the implicit deny any applies to your ACL 2 that allows only packets with source matching the first explicit statement of ACL 2.

 

The implicit deny any or deny ip any any for extended ACLs applies for all existing configured ACLs (with at least one statement).

Because IOS does not check or warn us if we invoke a non existing ACL in that case a non existing ACL is seen like a permit any or permit ip any any to avoid impacts.

 

The implicit deny any exists to help in writing an ACL with the following logic:

write only the statements of traffic that should be permitted.

If in the future you need to add a permit statement you can do it without the need to rewrite the whole ACL.

 

As an alternative you can write an ACL using a reverse logic:

first you have some deny statements to stop traffic flows then you permit all other traffic with a permit any or permit ip any any.

In this case you need to use an explicit statement to override the implicit deny any.

 

Hope to help

Giuseppe

 

0 Helpful

Go to solution
Joseph W. Doherty
Hall of Fame
Hall of Fame

‎05-27-2020 11:24 AM

As already mentioned by the other posters, all ACLs have an implicit deny so as they also already noted, your two ACLs are functionally the same.

However, I did want to add some use an explicit ending deny statement, as in your ACL 1, to make it clear to those possibly less familiar with Cisco default rules. Or, you'll sometimes see an explicit ending deny all to obtain "counts" of ACE hits and/or if using the logging option.
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card