deny ip [source] [dest] log
Creates an ACL entry that denies IP traffic from source to destination and logs matches.
Overview
The 'deny ip' command is used within an IP access control list (ACL) on Cisco NX-OS devices to block all IP traffic, whatever the Layer 4 protocol, that matches the specified source and destination addresses. ACLs are fundamental to network security, providing packet filtering based on Layer 3 and Layer 4 information. This command is typically used in security policies to restrict unauthorized access, segment network traffic, or mitigate attacks. On NX-OS, an IP ACL is applied to a Layer 3 interface with the 'ip access-group' command in the inbound or outbound direction (Layer 2 switch ports use 'ip port access-group' instead). The 'log' keyword sends matches to syslog through the ACL logging (ACLLOG) facility; NX-OS aggregates matches per flow and reports them at an interval rather than emitting one message per packet, which bounds the CPU cost of logging and is why 'log' is appropriate for auditing and troubleshooting but not a substitute for packet capture. When troubleshooting, per-entry hit counts in 'show ip access-lists' confirm that the deny rule is being triggered, but NX-OS keeps those counters only when 'statistics per-entry' is configured in the ACL. NX-OS supports both IPv4 and IPv6 ACLs with similar syntax ('ipv6 access-list' with 'deny ipv6').
deny ip {source source-wildcard | any | host source} {destination dest-wildcard | any | host destination} log
When to Use This Command
- Block all traffic from a known malicious subnet to a critical server farm and log attempts.
- Deny all IP traffic between two internal VLANs for segmentation and log violations.
- Temporarily block a specific host from accessing a sensitive network segment for incident response.
- Deny all inbound traffic from the internet to a DMZ except permitted services, logging all denied packets.
Parameters
| Parameter | Syntax | Description |
|---|---|---|
| source | source source-wildcard \| any \| host source | Specifies the source IP address and wildcard mask; a 1 bit in the wildcard means "don't care", so 0.0.0.255 matches a /24. Use 'any' to match any source, or 'host <ip>' for a single host. NX-OS also accepts prefix-length notation, for example 10.1.1.0/24. |
| dest | destination dest-wildcard \| any \| host destination | Specifies the destination IP address and wildcard mask, with the same forms as source ('any', 'host <ip>', or address/prefix-length). |
| log | log | Enables logging of traffic matching this entry. Matches are reported to syslog by the ACLLOG facility, aggregated per flow, and can be viewed with 'show logging logfile'. |
Command Examples
Deny traffic from a specific subnet to any destination with logging
deny ip 10.1.1.0 0.0.0.255 any log
This command denies all IP packets originating from the 10.1.1.0/24 subnet to any destination. The 'log' keyword enables logging of the denied traffic (NX-OS reports the matching flows and their hit counts at each logging interval rather than one message per packet).
Deny traffic from any source to a specific host with logging
deny ip any host 192.168.1.100 log
This command denies all IP packets from any source to the host 192.168.1.100. The 'log' keyword enables logging of the denied traffic.
Understanding the Output
The 'deny ip' command itself does not produce output when entered; it simply adds an entry to the ACL. To view the ACL, use 'show ip access-lists <acl-name>'. The output lists each ACE with its sequence number, permit/deny action, protocol, source/destination, and the log flag, plus a match count per entry when 'statistics per-entry' is configured in the ACL (without it, no counters are shown). A healthy ACL has entries in the intended order, with the deny entries preceding any broader permit entries. Problematic values include a missing 'log' keyword, an inverted wildcard mask such as 255.255.255.0 in place of 0.0.0.255, or a deny entry sequenced after a permit that already matches the same traffic.
Configuration Scenarios
Block a Subnet from Accessing a Server
A server farm (192.168.10.0/24) should not be accessible from a suspicious subnet (10.0.0.0/8).
Topology
Internet -- Router -- [ACL] -- Server Farm
Suspicious Subnet (10.0.0.0/8) -> Router -> Server Farm (192.168.10.0/24)
Steps
1. Create an ACL named BLOCK_SUSPICIOUS.
2. Add a deny entry for IP traffic from 10.0.0.0/8 to 192.168.10.0/24 with logging.
3. Apply the ACL inbound on the interface facing the suspicious subnet.
ip access-list BLOCK_SUSPICIOUS
  deny ip 10.0.0.0 0.255.255.255 192.168.10.0 0.0.0.255 log
  permit ip any any
interface ethernet 1/1
  ip access-group BLOCK_SUSPICIOUS in
Verify: Use 'show ip access-lists BLOCK_SUSPICIOUS' to confirm the entry order and check hit counts; NX-OS only maintains the counters if 'statistics per-entry' has been added to the ACL. 'show running-config interface ethernet 1/1' confirms the ACL is applied, and in the inbound direction.
Watch out: Ensure the deny entry is placed before any permit entries that might match the same traffic. Note also that the trailing 'permit ip any any' replaces the implicit deny at the end of the ACL, so every other source, including 10.0.0.0/8 hosts talking to anything outside 192.168.10.0/24, is allowed through; leave it out if the interface should be default-deny.
Troubleshooting with This Command
When using 'deny ip' with logging, troubleshooting involves verifying that the ACL is correctly applied and that log messages are generated. Use 'show ip access-lists <acl-name>' to see the number of matches (hits) for each entry; NX-OS reports these counters only when 'statistics per-entry' is configured in the ACL, so a zero count with statistics disabled proves nothing. If statistics are enabled and hits are still zero, the traffic might not be reaching the ACL, or a preceding permit entry is matching first. Check interface ACL application, and the direction (inbound vs outbound), with 'show running-config interface <interface>'. Denied traffic logged by an ACL appears in the syslog as messages from the ACLLOG facility (for example %ACLLOG-6-ACLLOG_FLOW_INTERVAL, which reports source and destination address, ports, ingress interface, protocol and a hit count); the switch aggregates matches per flow and emits them at the interval set by 'logging ip access-list cache interval' (default 300 seconds), so a single test ping will not produce an immediate message. If no messages appear, read 'show logging logfile' rather than waiting on a terminal, and make sure 'logging level acllog' and 'acllog match-log-level' are not set below 6, since these are severity-6 (informational) messages; 'logging console' and 'logging monitor' only control where messages are displayed, not whether they are recorded.
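To make the log side of this concrete, here is an added Python example, not code from the original page or from Cisco, that parses syslog lines in the ACLLOG_FLOW_INTERVAL format, sums the reported hit counts per source address, and flags sources that probed several destinations through a logged deny entry (the profile a scan leaves behind). The log lines are constructed sample data: the field layout follows the documented message format, but the regular expression is an assumption to check against the release in use, and the hostname 'nx1', the addresses and the counts are placeholders.

```python
"""Aggregate NX-OS ACL deny logs by source address.

Added example for this page, not NX-OS code: parses syslog lines in the
ACLLOG_FLOW_INTERVAL format (field layout per the documented message; the
regex is an assumption to verify against the release in use) and flags
sources that hit many destinations through a logged deny entry.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

ACLLOG_RE = re.compile(
    r"%ACLLOG-\d-ACLLOG_FLOW_INTERVAL: "
    r"Src IP: (?P<src>[\d.]+), Dst IP: (?P<dst>[\d.]+), "
    r"Src Port: (?P<sport>\d+), Dst Port: (?P<dport>\d+), "
    r"Src Intf: (?P<intf>\S+), "
    r"Protocol: \"(?P<proto>[^\"]+)\"\((?P<pnum>\d+)\), "
    r"Hit-count = (?P<hits>\d+)"
)

# Constructed sample data: hostname, addresses and counts are placeholders.
SAMPLE_LOG = """\
2024 Mar 01 10:05:00 nx1 %ACLLOG-6-ACLLOG_FLOW_INTERVAL: Src IP: 10.1.1.5, Dst IP: 192.168.10.10, Src Port: 0, Dst Port: 0, Src Intf: Ethernet1/1, Protocol: "ICMP"(1), Hit-count = 4
2024 Mar 01 10:05:00 nx1 %ACLLOG-6-ACLLOG_FLOW_INTERVAL: Src IP: 10.1.1.5, Dst IP: 192.168.10.11, Src Port: 51234, Dst Port: 22, Src Intf: Ethernet1/1, Protocol: "TCP"(6), Hit-count = 7
2024 Mar 01 10:05:00 nx1 %ACLLOG-6-ACLLOG_FLOW_INTERVAL: Src IP: 10.1.1.5, Dst IP: 192.168.10.12, Src Port: 51235, Dst Port: 22, Src Intf: Ethernet1/1, Protocol: "TCP"(6), Hit-count = 7
2024 Mar 01 10:05:00 nx1 %ACLLOG-6-ACLLOG_FLOW_INTERVAL: Src IP: 10.2.2.9, Dst IP: 192.168.10.10, Src Port: 0, Dst Port: 0, Src Intf: Ethernet1/1, Protocol: "ICMP"(1), Hit-count = 1
2024 Mar 01 10:05:03 nx1 %VSHD-5-VSHD_SYSLOG_CONFIG_I: Configured from vty by admin on console0
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    intf: str
    proto: str
    hits: int      # matches aggregated by the switch over one log interval


def parse_line(line: str) -> Optional[Flow]:
    """Return a Flow for an ACLLOG flow-interval message, None for anything else."""
    m = ACLLOG_RE.search(line)
    if m is None:
        return None
    return Flow(m["src"], m["dst"], int(m["sport"]), int(m["dport"]),
                m["intf"], m["proto"], int(m["hits"]))


def summarize(lines: Iterable[str]) -> Dict[str, Tuple[int, int]]:
    """Per source address: (total hit count, number of distinct destinations)."""
    hits: Dict[str, int] = defaultdict(int)
    dsts: Dict[str, set] = defaultdict(set)
    for line in lines:
        flow = parse_line(line)
        if flow is None:
            continue
        hits[flow.src] += flow.hits
        dsts[flow.src].add(flow.dst)
    return {src: (hits[src], len(dsts[src])) for src in hits}


def suspicious_sources(lines: Iterable[str], min_hits: int = 20, min_dsts: int = 3) -> List[str]:
    """Sources worth a look: a high volume of denied packets, or denied
    traffic to several distinct destinations (a scan profile). The
    thresholds are arbitrary starting points, not NX-OS defaults."""
    return sorted(src for src, (h, d) in summarize(lines).items()
                  if h >= min_hits or d >= min_dsts)


if __name__ == "__main__":
    for src, (h, d) in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {h} denied hits across {d} destination(s)")
    print("suspicious:", suspicious_sources(SAMPLE_LOG.splitlines()))
```

Because the switch has already aggregated per flow, the hit counts are the right thing to sum; counting lines would undercount a noisy source. Note that these messages identify the flow and ingress interface but not the ACL or entry that matched, so correlate them with the per-entry counters from 'show ip access-lists' when more than one logged ACL is applied.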
CCNA Exam Tips
Remember that 'log' is optional but often required for security monitoring.
Understand that the order of ACEs matters; the first match is applied.
Know that 'any' is equivalent to 0.0.0.0 255.255.255.255.
Common Mistakes
Forgetting to include the 'log' keyword when logging is required.
Using incorrect wildcard mask (e.g., 255.255.255.0 instead of 0.0.0.255).
Placing the deny entry after a permit entry that matches the same traffic, causing the deny to never be hit.
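The ordering and wildcard-mask mistakes above are easy to see in a small simulation. The following Python script is an added example, not code from the original page or from Cisco: it models first-match evaluation of an IP ACL with wildcard masks (plus NX-OS's prefix-length form and the implicit trailing deny) and runs constructed ACLs against constructed packets. It shows that a deny sequenced after 'permit ip any any' is never hit, and that 'deny ip 10.1.1.0 255.255.255.0 any log' blocks 192.168.99.0 while letting 10.1.1.5 through. Only 'permit'/'deny ip' entries are modelled; ports and other protocols are out of scope.

```python
"""Model of first-match IP ACL evaluation with wildcard masks.

Added example for this page, not NX-OS code: shows why ACE order matters
and why a subnet mask used as a wildcard matches the wrong hosts. Only
'permit|deny ip <src> <dst> [log]' entries are modelled; the ACLs and
packets in demo() are constructed test data.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


@dataclass(frozen=True)
class Matcher:
    addr: int       # bits that must match wherever the wildcard bit is 0
    wildcard: int   # 1 bits are "don't care" (the inverse of a subnet mask)

    def matches(self, ip: str) -> bool:
        return ((_ip(ip) ^ self.addr) & ~self.wildcard & ALL_ONES) == 0


def parse_matcher(tokens: List[str]) -> Tuple[Matcher, List[str]]:
    """Consume one of: 'any' | 'host A' | 'A W' | 'A/len'; return the rest."""
    tok = tokens[0]
    if tok == "any":                     # any == 0.0.0.0 255.255.255.255
        return Matcher(0, ALL_ONES), tokens[1:]
    if tok == "host":                    # host A == A 0.0.0.0
        return Matcher(_ip(tokens[1]), 0), tokens[2:]
    if "/" in tok:                       # NX-OS prefix-length form
        net = ipaddress.IPv4Network(tok, strict=False)
        return Matcher(int(net.network_address), int(net.hostmask)), tokens[1:]
    return Matcher(_ip(tok), _ip(tokens[1])), tokens[2:]


@dataclass(frozen=True)
class ACE:
    seq: int
    action: str      # "permit" or "deny"
    src: Matcher
    dst: Matcher
    log: bool


def parse_ace(seq: int, line: str) -> ACE:
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    src, rest = parse_matcher(tokens[2:])
    dst, rest = parse_matcher(rest)
    if rest not in ([], ["log"]):
        raise ValueError(f"unexpected trailing tokens in ACE: {line!r}")
    return ACE(seq, action, src, dst, log=(rest == ["log"]))


def parse_acl(text: str) -> List[ACE]:
    """Assign sequence numbers 10, 20, ... in order, as NX-OS does by default."""
    lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
    return [parse_ace(10 * (i + 1), line) for i, line in enumerate(lines)]


def evaluate(acl: List[ACE], src_ip: str, dst_ip: str) -> Tuple[str, Optional[int], bool]:
    """Return (action, sequence of the matching ACE or None, logged).

    The first matching entry wins; if nothing matches, the implicit,
    unlogged deny at the end of every IP ACL applies.
    """
    for ace in acl:
        if ace.src.matches(src_ip) and ace.dst.matches(dst_ip):
            return ace.action, ace.seq, ace.log
    return "deny", None, False


def demo() -> dict:
    """Constructed ACLs and packets illustrating the common mistakes."""
    good = parse_acl("deny ip 10.0.0.0 0.255.255.255 192.168.10.0 0.0.0.255 log\n"
                     "permit ip any any")
    misordered = parse_acl("permit ip any any\n"
                           "deny ip 10.0.0.0 0.255.255.255 192.168.10.0 0.0.0.255 log")
    wrong_mask = parse_acl("deny ip 10.1.1.0 255.255.255.0 any log\npermit ip any any")
    right_mask = parse_acl("deny ip 10.1.1.0/24 any log\npermit ip any any")
    return {
        "good: 10.5.5.5 -> server": evaluate(good, "10.5.5.5", "192.168.10.7"),
        "misordered: same packet": evaluate(misordered, "10.5.5.5", "192.168.10.7"),
        "wrong mask: 10.1.1.5": evaluate(wrong_mask, "10.1.1.5", "8.8.8.8"),
        "wrong mask: 192.168.99.0": evaluate(wrong_mask, "192.168.99.0", "8.8.8.8"),
        "right mask: 10.1.1.5": evaluate(right_mask, "10.1.1.5", "8.8.8.8"),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The inverted mask case is the instructive one: with wildcard 255.255.255.0 only the last octet is compared, so the entry matches every address ending in .0 across the whole IPv4 space and misses the intended /24 entirely, which is a silent policy failure rather than a syntax error.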
Platform Notes
On Cisco NX-OS, ACL syntax is similar to IOS but with some differences. NX-OS uses 'ip access-list' (not 'access-list') for named ACLs, and also accepts prefix-length notation (10.0.0.0/8) in place of a wildcard mask. The 'deny ip' command supports the 'log' keyword, but logging behavior differs: NX-OS aggregates matches per flow through the ACLLOG facility and reports them at a configurable interval ('logging ip access-list cache interval', default 300 seconds) instead of logging every packet, and per-entry hit counters require 'statistics per-entry' in the ACL. Unlike IOS, NX-OS does not support 'log-input' for ACLs; the ACLLOG message already records the ingress interface. For equivalent functionality on other platforms, use 'deny ip' on IOS (wildcard masks, as here), 'access-list <name> extended deny ip ... log' on ASA (which takes subnet masks rather than wildcard masks and supports object groups), or on Junos a firewall filter term with 'then discard' and a 'log' or 'syslog' action. NX-OS also supports object-group-based ACLs for scalability.
Related Commands
ip access-group [acl] [in|out]
Applies an access control list (ACL) to an interface to filter inbound or outbound traffic based on the ACL rules.
show ip access-lists
Displays the contents of all current IP access lists or a specific access list, including the number of matches for each entry, used to verify and troubleshoot ACL configuration and traffic filtering.