cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
10211
Views
0
Helpful
3
Replies

Is 'Deny any' default at the end for all access-lists created

getaway51
Level 2
Level 2

Hi.

 

By default, Is there a "deny any" at the last line for all ACL? for ACL 2, will it allow all? 

 

access-list 1 permit 202.160.198.192 0.0.0.31
access-list 1 deny any

access-list 2 permit 202.160.198.192 0.0.0.31

Thanks!

2 Accepted Solutions

Accepted Solutions

Martin L
VIP
VIP

 

yes,  deny all at the end of all ACLs. even if you do not see it ! it is called implicit deny;

so, your acl #2 has deny all , you must add permit any any

your #1 and 2 are very different or unique ACLs

 

same thing for ip prefix lists

 

Regards, ML
**Please Rate All Helpful Responses **

View solution in original post

Giuseppe Larosa
Hall of Fame
Hall of Fame

Hello @getaway51 ,

the implicit deny any applies to your ACL 2 that allows only packets with source matching the first explicit statement of ACL 2.

 

The implicit deny any or deny ip any any for extended ACLs applies for all existing configured ACLs (with at least one statement).

Because IOS does not check or warn us if we invoke a non existing ACL in that case a non existing ACL is seen like a permit any or permit ip any any to avoid impacts.

 

The implicit deny any exists to help in writing an ACL with the following logic:

write only the statements of traffic that should be permitted.

If in the future you need to add a permit statement you can do it without the need to rewrite the whole ACL.

 

As an alternative you can write an ACL using a reverse logic:

first you have some deny statements to stop traffic flows then you permit all other traffic with a permit any or permit ip any any.

In this case you need to use an explicit statement to override the implicit deny any.

 

Hope to help

Giuseppe

 

View solution in original post

3 Replies 3

Martin L
VIP
VIP

 

yes,  deny all at the end of all ACLs. even if you do not see it ! it is called implicit deny;

so, your acl #2 has deny all , you must add permit any any

your #1 and 2 are very different or unique ACLs

 

same thing for ip prefix lists

 

Regards, ML
**Please Rate All Helpful Responses **

Giuseppe Larosa
Hall of Fame
Hall of Fame

Hello @getaway51 ,

the implicit deny any applies to your ACL 2 that allows only packets with source matching the first explicit statement of ACL 2.

 

The implicit deny any or deny ip any any for extended ACLs applies for all existing configured ACLs (with at least one statement).

Because IOS does not check or warn us if we invoke a non existing ACL in that case a non existing ACL is seen like a permit any or permit ip any any to avoid impacts.

 

The implicit deny any exists to help in writing an ACL with the following logic:

write only the statements of traffic that should be permitted.

If in the future you need to add a permit statement you can do it without the need to rewrite the whole ACL.

 

As an alternative you can write an ACL using a reverse logic:

first you have some deny statements to stop traffic flows then you permit all other traffic with a permit any or permit ip any any.

In this case you need to use an explicit statement to override the implicit deny any.

 

Hope to help

Giuseppe

 

Joseph W. Doherty
Hall of Fame
Hall of Fame
As already mentioned by the other posters, all ACLs have an implicit deny so as they also already noted, your two ACLs are functionally the same.

However, I did want to add some use an explicit ending deny statement, as in your ACL 1, to make it clear to those possibly less familiar with Cisco default rules. Or, you'll sometimes see an explicit ending deny all to obtain "counts" of ACE hits and/or if using the logging option.
Review Cisco Networking for a $25 gift card