
Explicit Deny

May 10, 2012 4:04 AM

thiyagarajankalaiselvan 253 posts since
Apr 26, 2009

Hi,

I'm working on a task to apply an ACL on a WAN interface. I'm going to apply an ACL which will permit the IP 239.1.0.10.

I just want to ensure the below will not deny any other traffic. Can anybody help me to know whether, by default, an explicit deny will be added to the end of the ACL?

ip access-list extended MCAST
 permit ip any host 239.1.0.10

Regards,

T.K

  • sparky 69 posts since
    Jan 23, 2009
    Re: Explicit Deny

    The implicit deny all will block anything else; however, I always like to specify it so at least you can see matches against it when viewing the ACL.

    ..... also remember an ACL will not filter traffic originating from the router itself.

  • skcis 77 posts since
    Nov 25, 2008
    2. May 10, 2012 10:32 AM (in response to sparky)
    Re: Explicit Deny

    Sparky,

    Just wanted to confirm what you said about an ACL not filtering traffic originating from the router itself. So, let's say we have the following ACL:

    ip access-list extended temp
     permit tcp any host 10.10.10.1 eq 80
     deny ip any any

    Where the host is a web server and the ACL is applied to the router interface facing the internet. This should only allow traffic from the internet to port 80 of host 10.10.10.1.

    Now if a client from the local LAN went to www.example.com:80, then that simply means that the router won't even look at ACL temp in that case; do we concur on this?

    Also, does this have anything to do with CBAC? In other words, do we have to have CBAC, or is the behavior normal for any ACL running on generic routers or any layer 3 switch?

    Thanks in advance!

  • C1SC0M - CCNP,CWNA,Net+ 101 posts since
    Sep 21, 2009
    3. May 10, 2012 10:59 AM (in response to thiyagarajankalaiselvan)
    Re: Explicit Deny

    So you are saying that you want to permit traffic from that host and anything else?  Then don't do anything.  No ACL is needed.  Or do an ACL with permit ip any any.  Make sense?

    This:

    permit ip host 239.1.0.10 any
    permit ip any any

    will have the same effect as this:

    permit ip any any

    As for your IMPLICIT DENY question, it is IMPLICIT because you don't have to type it in directly, and since this is by default you won't see it in the show running-config.

  • rak 55 posts since
    Feb 19, 2012
    4. May 10, 2012 11:04 AM (in response to skcis)
    Re: Explicit Deny

    Hi,

    @skcis, ACLs don't process packets generated in the router, e.g. the traffic generated by the SLA configuration or when you ping from that router.

    The LAN you are referring to will be filtered by the ACL; it's not in the router, rather behind it.

  • Gabriel 134 posts since
    Apr 24, 2010
    5. May 10, 2012 12:24 PM (in response to thiyagarajankalaiselvan)
    Re: Explicit Deny

    Hi,

    Your question isn't very clear. You can apply an ACL in two directions, "in" or "out", depending on how you want the ACL to inspect traffic. If we are talking about a Cisco router, then if you applied the ACL you wrote out in the "in" or "out" direction it would cause you problems due to the explicit deny at the end.

    If it was in the "out" direction of your WAN interface, you would be telling your router to only allow hosts (behind your router) going to 239.1.0.10 and deny everything else (explicit deny).

    If it was in the "in" direction of your WAN interface, you would be telling your router to only allow traffic coming from the WAN going to 239.1.0.10, and deny everything else (explicit deny).

    Is there something blocking 239.1.0.10 to account for the need of this ACL?

  • sambotech12 727 posts since
    Apr 3, 2012
    6. May 10, 2012 12:43 PM (in response to thiyagarajankalaiselvan)
    Re: Explicit Deny

    thiyagarajankalaiselvan wrote:

        Hi,

        I'm working on a task to apply an ACL on a WAN interface. I'm going to apply an ACL which will permit the IP 239.1.0.10.

        I just want to ensure the below will not deny any other traffic. Can anybody help me to know whether, by default, an explicit deny will be added to the end of the ACL?

        ip access-list extended MCAST
         permit ip any host 239.1.0.10

        Regards,

        T.K

    Hey,

    If the ACL is applied 'in' on the serial WAN link to your router, I wonder if the implicit deny all, which is at the end of every ACL, will block any routing updates the router is receiving from its neighbor on that link, assuming you are running a routing protocol?

    -sambotech12

  • sambotech12 727 posts since
    Apr 3, 2012
    7. May 10, 2012 1:19 PM (in response to skcis)
    Re: Explicit Deny

    skcis wrote:

        Sparky,

        Just wanted to confirm what you said about an ACL not filtering traffic originating from the router itself. So, let's say we have the following ACL:

        ip access-list extended temp
         permit tcp any host 10.10.10.1 eq 80
         deny ip any any

        Where the host is a web server and the ACL is applied to the router interface facing the internet. This should only allow traffic from the internet to port 80 of host 10.10.10.1.

        Now if a client from the local LAN went to www.example.com:80, then that simply means that the router won't even look at ACL temp in that case; do we concur on this?

        Also, does this have anything to do with CBAC? In other words, do we have to have CBAC, or is the behavior normal for any ACL running on generic routers or any layer 3 switch?

        Thanks in advance!

    Hey,

    If this ACL is applied 'in' on the internet-facing interface of the router so it's like a firewall, the local LAN will be affected by the ACL.  In fact, all hosts on the local LAN will not have any connectivity to any web servers in the Internet, or any kind of connectivity for that matter.  To give local LAN clients access to web servers in the Internet use:

    ip access-list extended temp
     permit tcp any host 10.10.10.1 eq 80
     permit tcp any eq 80 any established
     deny ip any any

    But the local LAN clients won't be able to do anything else in the Internet.....

    As far as CBAC......I don't know what that is since I'm just a CCNA.

    -sambotech12

  • skcis 77 posts since
    Nov 25, 2008
    8. May 10, 2012 1:55 PM (in response to sambotech12)
    Re: Explicit Deny

    Hi sambotech12,

     

    Let's put it this way:

    Router R1 has 2 interfaces: gi0/0 and gi0/1.
    gi0/0 connects to the internet
    gi0/1 connects to the local LAN

    We have 2 ACLs:

    ip access-list extended test1
     permit tcp any host 10.10.10.1 eq 80
     deny ip any any

    and

    ip access-list extended test2
     permit ip any any

    test1 is applied to gi0/0 (facing the internet):

    ip access-group test1 in

    test2 is applied to gi0/1 (local LAN):

    ip access-group test2 in

    Now if a client on the LAN tries to connect to a web server on the internet, what will happen?

    Cheers!

  • sambotech12 727 posts since
    Apr 3, 2012
    9. May 10, 2012 3:48 PM (in response to skcis)
    Re: Explicit Deny

    skcis wrote:

        Hi sambotech12,

        Let's put it this way:

        Router R1 has 2 interfaces: gi0/0 and gi0/1.
        gi0/0 connects to the internet
        gi0/1 connects to the local LAN

        We have 2 ACLs:

        ip access-list extended test1
         permit tcp any host 10.10.10.1 eq 80
         deny ip any any

        and

        ip access-list extended test2
         permit ip any any

        test1 is applied to gi0/0 (facing the internet):

        ip access-group test1 in

        test2 is applied to gi0/1 (local LAN):

        ip access-group test2 in

        Now if a client on the LAN tries to connect to a web server on the internet, what will happen?

        Cheers!

    Well.....you must have some pretty awesome routers to connect Gigabit Ethernet interfaces to the Internet.  Your Internet connection must be really fast.  I, myself, don't have any real equipment to play with.....I only have Cisco Packet Tracer, but it's pretty cool.

    Anyway......if you have ACL test1 on an Internet-facing interface, I don't know how a public router would have a route to a private IP address such as 10.10.10.1.  Since IOS processes ACLs before NAT for packets entering an interface, the destination address in the permit statement should be a public address.

    Since test1 is acting like a firewall, it will try to match packets coming from the web servers in the Internet on their way to the clients of the local LAN.  The way test1 is set up now.....it looks like it's trying (but failing because of the private address) to permit traffic to an internal web server.  So, it's going to deny all clients of the local LAN any access to web servers in the Internet.

    Therefore, when a client on the LAN tries to connect to a web server on the Internet, the client should not have any problem getting through ACL test2 on router R1.  But when the packets from the web server going to the client try to enter R1, they will be filtered or discarded.

    I have several Packet Tracer files with Internet simulations.  The only thing is that all of the connections to the Internet are done with serial links, not Ethernet links.  But that shouldn't be a problem.  They do, of course, run NAT since they involve the Internet and public addresses.  I will try to run your ACLs on one of them and let you know......

    -sambotech12

  • skcis 77 posts since
    Nov 25, 2008
    10. May 10, 2012 3:59 PM (in response to sambotech12)
    Re: Explicit Deny

    sambotech12,

    I really appreciate you taking the time to answer these queries. I should have let you know that 10.10.10.1 was used because I didn't want to use a public IP and violate any rules/laws. So, let's just say the interface connecting to the internet had a public IP address. And my question about the client connecting to a web server on the internet is the same.

    Thanks.

  • sambotech12 727 posts since
    Apr 3, 2012
    11. May 10, 2012 5:25 PM (in response to skcis)
    Re: Explicit Deny

    skcis wrote:

        sambotech12,

        I really appreciate you taking the time to answer these queries. I should have let you know that 10.10.10.1 was used because I didn't want to use a public IP and violate any rules/laws. So, let's just say the interface connecting to the internet had a public IP address. And my question about the client connecting to a web server on the internet is the same.

        Thanks.

    Yeah.....the client on the local LAN has no access to the web server in the Internet.  The packets from the web server in the Internet to the client in the local LAN were matched with the deny ip any any statement of the ACL test1.  Look at the picture below.

    [image: test1.jpg]

    But, if you modify ACL test1, the client on the local LAN can connect to the web server in the Internet.  Refer to the picture below.

    [image: test1_2.jpg]

    -sambotech12
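The thread turns on two behaviours that are easy to reason about with a small model: first-match evaluation ending in an implicit deny that has no line (and no hit counter) of its own, which is why the MCAST ACL in the opening post is not "permit this host and leave the rest alone" and why sparky adds an explicit deny to see matches; and skcis's test1/test2 scenario, where the web server's reply entering the WAN interface is the packet that dies, and where sambotech12's `permit tcp any eq 80 any established` line rescues it. The following simulator is an added example for this discussion; it is not Cisco code and not any poster's code. It parses only the syntax the thread uses (permit/deny, `ip`/`tcp`, `any` or `host A.B.C.D`, an optional `eq PORT` after either address, and `established`), ignores NAT, and uses constructed documentation addresses: 203.0.113.80 for the internet web server and 198.51.100.5 for the LAN client as seen on the WAN side.

```python
"""Toy first-match simulator for Cisco IOS style extended ACLs.
Added example for this thread, not Cisco's code and not a poster's code.
Covers only permit/deny, 'ip'/'tcp', 'any' or 'host X', optional 'eq PORT',
and 'established'. All packets and addresses are constructed; NAT is ignored."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                 # 'tcp', 'udp', 'icmp', ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack_or_rst: bool = False   # IOS 'established' matches TCP with ACK or RST set


@dataclass(frozen=True)
class Entry:
    action: str                # 'permit' or 'deny'
    proto: str                 # 'ip' matches every protocol
    src: str                   # 'any' or an IPv4 address
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    established: bool

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src != "any" and self.src != p.src:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        if self.sport is not None and self.sport != p.sport:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.established and not (p.proto == "tcp" and p.ack_or_rst):
            return False
        return True


def _addr(tok: List[str], i: int) -> Tuple[str, int]:
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    raise ValueError("unsupported address spec: " + " ".join(tok))


def _port(tok: List[str], i: int) -> Tuple[Optional[int], int]:
    if i < len(tok) and tok[i] == "eq":
        return int(tok[i + 1]), i + 2
    return None, i


def parse_acl(text: str) -> List[Entry]:
    """Parse the entries of a named extended ACL; the 'ip access-list' header is skipped."""
    entries = []
    for raw in text.strip().splitlines():
        tok = raw.split()
        if not tok or tok[0] == "ip":
            continue
        action, proto = tok[0], tok[1]
        src, i = _addr(tok, 2)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        established = i < len(tok) and tok[i] == "established"
        entries.append(Entry(action, proto, src, sport, dst, dport, established))
    return entries


def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry wins. No match means the implicit deny, reported with
    index None because IOS shows no line and no hit counter for it."""
    for idx, e in enumerate(acl):
        if e.matches(p):
            return e.action, idx
    return "deny", None


MCAST = "ip access-list extended MCAST\n permit ip any host 239.1.0.10\n"
TEST1 = ("ip access-list extended test1\n"
         " permit tcp any host 10.10.10.1 eq 80\n"
         " deny ip any any\n")
TEST1_ESTABLISHED = ("ip access-list extended test1\n"
                     " permit tcp any host 10.10.10.1 eq 80\n"
                     " permit tcp any eq 80 any established\n"
                     " deny ip any any\n")


def demo():
    # 1. MCAST permits traffic to 239.1.0.10; anything else has no matching
    #    line and falls through to the implicit deny (index None).
    mcast = parse_acl(MCAST)
    to_group = evaluate(mcast, Packet("udp", "198.51.100.7", "239.1.0.10", 5000, 5000))
    to_other = evaluate(mcast, Packet("tcp", "198.51.100.7", "198.51.100.5", 40000, 443))
    # 2. skcis's scenario: the web server's reply to the LAN client enters the
    #    WAN interface where test1 is applied inbound.
    reply = Packet("tcp", "203.0.113.80", "198.51.100.5", 80, 51515, ack_or_rst=True)
    reply_test1 = evaluate(parse_acl(TEST1), reply)
    reply_fixed = evaluate(parse_acl(TEST1_ESTABLISHED), reply)
    # 3. 'established' does not open the LAN to new connections: a SYN from the
    #    same server, even from source port 80, still hits 'deny ip any any'.
    syn = Packet("tcp", "203.0.113.80", "198.51.100.5", 80, 51515, ack_or_rst=False)
    syn_fixed = evaluate(parse_acl(TEST1_ESTABLISHED), syn)
    return to_group, to_other, reply_test1, reply_fixed, syn_fixed
```

Calling `demo()` returns the five verdicts in order: the multicast packet is permitted by line 0, the unicast packet is denied by the implicit deny (index None), the server's reply is denied by line 1 of test1, the same reply is permitted by line 1 of the `established` version, and a fresh SYN from the server is still denied by line 2. The `established` keyword only checks TCP flag bits; it keeps no connection state, which is what separates it from the CBAC inspection skcis asked about.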
