I want to block Host 192.168.1.1 from reaching 192.168.2.0/24 network and in order to implement that I've applied Extended ACL "ACL_FOR_R2" on R2's serial2/0 interface. Now as we all know that at the end of every access list is an implied "deny all traffic" criteria statement. Therefore, if a packet does not match any of your criteria statements, the packet will be blocked. So I didn't mention any statement in the ACL "ACL_FOR_R2" assuming we only have one statement in that ACL as "deny all" but the problem is when I ping from R1 to 192.168.2.2, R2 doesn't block the traffic and ping reaches to R3. WHY?
Here are the configurations:
- R1's configurations:
R1#show running-config
Building configuration...
Current configuration : 1557 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
ip tcp synwait-time 5
ip ssh version 1
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet1/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial2/0
ip address 192.168.1.1 255.255.255.0
ip access-group ACL_FOR_R1 out
serial restart-delay 0
!
interface Serial2/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/3
no ip address
shutdown
serial restart-delay 0
!
router eigrp 1
network 192.168.1.0
auto-summary
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner motd ^C
**********************************
This is a Cisco .
**********************************^C
!
line con 0
exec-timeout 0 0
privilege level 15
password cisco
logging synchronous
login
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
password cisco
login
line vty 5 15
password cisco
login
!
!
end
R1#un all
All possible debugging has been turned off
R1#
R1#show run
R1#show running-config
Building configuration...
Current configuration : 1557 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
ip tcp synwait-time 5
ip ssh version 1
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet1/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial2/0
ip address 192.168.1.1 255.255.255.0
ip access-group ACL_FOR_R1 out
serial restart-delay 0
!
interface Serial2/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/3
no ip address
shutdown
serial restart-delay 0
!
router eigrp 1
network 192.168.1.0
auto-summary
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner motd ^C
**********************************
This is a Cisco .
**********************************^C
!
line con 0
exec-timeout 0 0
privilege level 15
password cisco
logging synchronous
login
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
password cisco
login
line vty 5 15
password cisco
login
!
!
end
- R2's configurations:
R2#show running-config
Building configuration...
Current configuration : 1627 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
ip tcp synwait-time 5
ip ssh version 1
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet1/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial2/0
ip address 192.168.1.2 255.255.255.0
ip access-group ACL_FOR_R2 in
serial restart-delay 0
!
interface Serial2/1
ip address 192.168.2.1 255.255.255.0
serial restart-delay 0
!
interface Serial2/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/3
no ip address
shutdown
serial restart-delay 0
!
router eigrp 1
network 192.168.1.0
network 192.168.2.0
auto-summary
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
ip access-list extended ACL_FOR_R2
!
no cdp log mismatch duplex
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner motd ^C
**********************************
This is a Cisco .
**********************************^C
!
line con 0
exec-timeout 0 0
privilege level 15
password cisco
logging synchronous
login
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
password cisco
login
line vty 5 15
password cisco
login
!
!
end
- R3's configurations:
R3#show running-config
Building configuration...
Current configuration : 1525 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
ip tcp synwait-time 5
ip ssh version 1
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet1/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial2/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/1
ip address 192.168.2.2 255.255.255.0
serial restart-delay 0
!
interface Serial2/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/3
no ip address
shutdown
serial restart-delay 0
!
router eigrp 1
network 192.168.2.0
auto-summary
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner motd ^C
**********************************
This is a Cisco .
**********************************^C
!
line con 0
exec-timeout 0 0
privilege level 15
password cisco
logging synchronous
login
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
password cisco
login
line vty 5 15
password cisco
login
!
!
end
R1#ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/46/88 ms
R1#ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/46/104 ms
Best Answer
Normally you would be right, there is an implied "deny" at the end of every access list. You have found the exception however, because you use an empty access list:
According to the documentation:
"An interface or command with an empty access list applied to it permits all traffic into the network."
So as soon as you add any term to the ACL, it will start blocking all other traffic.