nav[aria-label="Primary Navigation"] { padding: 0; & ul { list-style: none; width: 100%; display: flex; flex-direction: row; justify-content: start; align-items: start; gap: 30px; padding: 0; & li { margin: 0; } & ul li { list-style: none; } } }

quick ACL query

alliasneo

Hey guys,

Just wanted to double check something.

Am I correct in thinking that if you add an ACL e.g:

#access-list 20 deny 172.20.20.0 0.0.0.255

and then after put in:

#access-list 20 permit any

This second line will negate the implicit deny rule? If this line was not in place then it would automatically drop all packets? Just curious about this line?

Thanks

Find more posts tagged with

SAVE $250 on Your CISCO Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View CISCO Boot Camps

Comments

Roguetadhg

Yes. It will negate the deny rule.
Yes. The un-listed "Deny any any" statement will kick in right after the first Deny statement. It will block any packets that are not filtered out from the first-most statement(s)

For example, this is the address:
172.20.20.0 /27

access-list 20 deny 172.20.20.0 0.0.0.3
** Block 172.20.20.0 - .3**
access-list 20 permit 172.20.20.0 0.0.0.7
** Permit 172.20.20.0 - .7 **
(( Applied outbound in fa0/0 ))
(( Packet is sent SA: 172.20.20.129 ))
(( Blocked outbound at fa0/0, after being routed to the interface ))

If you want to watch the [show access-list] increment the unwritten "deny any ", just type it in. "access-list 20 deny any" to watch the counter increment higher. Pretty sweet.

alliasneo

Roguetadhg wrote: »

Yes. It will negate the deny rule.
Yes. The un-listed "Deny any any" statement will kick in right after the first Deny statement

Cool, that's great thanks.