ACL Config

deny ip [source] [dest] log

Creates an ACL entry that denies IP traffic from source to destination and logs matches.

Overview

The 'deny ip' command is used within an IP access control list (ACL) on Cisco NX-OS devices to block all IP traffic matching the specified source and destination addresses. ACLs are fundamental to network security, providing packet filtering based on Layer 3 and Layer 4 information. This command is typically used in security policies to restrict unauthorized access, segment network traffic, or mitigate attacks. On NX-OS, ACLs are applied to interfaces with the 'ip access-group' command in either the inbound or the outbound direction. The 'log' keyword enables syslog logging for each packet that matches the deny entry, which is crucial for auditing and troubleshooting. When troubleshooting, checking ACL hit counts with 'show ip access-lists' helps verify whether the deny rule is being triggered. NX-OS supports both IPv4 and IPv6 ACLs with similar syntax.

Syntax

deny ip {source source-wildcard | any | host source} {destination dest-wildcard | any | host destination} log

When to Use This Command

  • Block all traffic from a known malicious subnet to a critical server farm and log attempts.
  • Deny all IP traffic between two internal VLANs for segmentation and log violations.
  • Temporarily block a specific host from accessing a sensitive network segment for incident response.
  • Deny all inbound traffic from the internet to a DMZ except permitted services, logging all denied packets.

Parameters

  • source (source source-wildcard | any | host source): Specifies the source IP address and wildcard mask. Use 'any' to match any source, or 'host <ip>' for a single host.
  • dest (destination dest-wildcard | any | host destination): Specifies the destination IP address and wildcard mask. Use 'any' to match any destination, or 'host <ip>' for a single host.
  • log (log): Enables logging of packets matching this entry. Logs are sent to syslog and can be viewed with 'show log'.

Command Examples

Deny traffic from a specific subnet to any destination with logging

deny ip 10.1.1.0 0.0.0.255 any log

This command denies all IP packets originating from the 10.1.1.0/24 subnet to any destination. The 'log' keyword enables logging of each denied packet.

Deny traffic from any source to a specific host with logging

deny ip any host 192.168.1.100 log

This command denies all IP packets from any source to the host 192.168.1.100. The 'log' keyword enables logging.

Understanding the Output

The 'deny ip' command itself does not produce output when entered; it simply adds an entry to the ACL. To view the ACL, use 'show ip access-lists <acl-name>'. The output lists each ACE with its sequence number, permit/deny action, protocol, source/destination, and log flag. A healthy ACL has its entries in the intended order. Problematic entries include a missing 'log' keyword or an incorrect wildcard mask.

Configuration Scenarios

Block a Subnet from Accessing a Server

A server farm (192.168.10.0/24) should not be accessible from a suspicious subnet (10.0.0.0/8).

Topology

Suspicious Subnet (10.0.0.0/8) -> Router -> Server Farm (192.168.10.0/24)
Internet -- Router -- [ACL] -- Server Farm

Steps

  1. Create an ACL named BLOCK_SUSPICIOUS.
  2. Add a deny entry for IP traffic from 10.0.0.0/8 to 192.168.10.0/24 with logging.
  3. Apply the ACL inbound on the interface facing the suspicious subnet.

Configuration

ip access-list BLOCK_SUSPICIOUS
  deny ip 10.0.0.0 0.255.255.255 192.168.10.0 0.0.0.255 log
  permit ip any any
interface ethernet 1/1
  ip access-group BLOCK_SUSPICIOUS in

Verify: Use 'show ip access-lists BLOCK_SUSPICIOUS' to verify the entry and check hit counts.

Watch out: Ensure the deny entry is placed before any permit entries that might match the same traffic.

Troubleshooting with This Command

When using 'deny ip' with logging, troubleshooting involves verifying that the ACL is correctly applied and that log messages are generated. Use 'show ip access-lists <acl-name>' to see the number of matches (hits) for each entry. If hits are zero, the traffic might not be reaching the ACL, or a preceding permit entry is matching first. Check that the ACL is applied to the interface with 'show running-config interface <interface>'. For logging, ensure syslog is configured and the log level is appropriate. On NX-OS, denied packets logged via ACL appear in the syslog as %ACL-6-DENY messages. If logs are not appearing, check whether 'logging console' or 'logging monitor' is enabled. Also verify that the ACL is applied in the correct direction (inbound vs. outbound).

CCNA Exam Tips

  1. Remember that 'log' is optional but often required for security monitoring.
  2. Understand that the order of ACEs matters; the first match is applied.
  3. Know that 'any' is equivalent to 0.0.0.0 255.255.255.255.

Common Mistakes

  • Forgetting to include the 'log' keyword when logging is required.
  • Using an incorrect wildcard mask (e.g., 255.255.255.0 instead of 0.0.0.255).
  • Placing the deny entry after a permit entry that matches the same traffic, causing the deny to never be hit.
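To make the first-match and wildcard-mask behaviour concrete, here is an added Python example (not NX-OS code and not from this page) that parses 'permit ip' / 'deny ip' ACEs in the syntax shown above, evaluates constructed flows top-down, keeps per-ACE hit counters in the spirit of 'show ip access-lists', and replays the BLOCK_SUSPICIOUS ACL from the Configuration Scenarios section alongside two of the mistakes listed here: a deny placed after 'permit ip any any', and a subnet mask typed in place of the wildcard. The flow addresses, the ACL names MISORDERED and BAD_WILDCARD, and the counter display format are constructed for this example; the real 'show ip access-lists' output differs.

```python
"""Toy first-match ACL evaluator (added example; not NX-OS code)."""
import ipaddress
from dataclasses import dataclass

ALL_ONES = 0xFFFFFFFF


def ip2int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def parse_addr(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.X.Y.Z'; return (addr, wildcard, rest).
    'any' is literally 0.0.0.0 255.255.255.255; 'host' is a 0.0.0.0 wildcard."""
    if tokens[0] == "any":
        return 0, ALL_ONES, tokens[1:]
    if tokens[0] == "host":
        return ip2int(tokens[1]), 0, tokens[2:]
    return ip2int(tokens[0]), ip2int(tokens[1]), tokens[2:]


def wildcard_match(addr, ace_addr, wildcard):
    """A wildcard bit of 1 means 'don't care'; only the 0 bits must be equal."""
    return ((addr ^ ace_addr) & (~wildcard & ALL_ONES)) == 0


@dataclass
class Ace:
    seq: int
    action: str
    src: int
    src_wc: int
    dst: int
    dst_wc: int
    log: bool
    text: str
    hits: int = 0

    def matches(self, src_ip, dst_ip):
        return (wildcard_match(src_ip, self.src, self.src_wc)
                and wildcard_match(dst_ip, self.dst, self.dst_wc))


def parse_ace(seq, line):
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"only 'permit ip' / 'deny ip' are modelled: {line}")
    src, src_wc, rest = parse_addr(tokens[2:])
    dst, dst_wc, rest = parse_addr(rest)
    if rest not in ([], ["log"]):
        raise ValueError(f"unexpected trailing tokens in: {line}")
    return Ace(seq, action, src, src_wc, dst, dst_wc, rest == ["log"], line)


class Acl:
    """A named IP ACL: ACEs are numbered 10, 20, ... and evaluated top-down."""

    def __init__(self, name, lines):
        self.name = name
        self.aces = [parse_ace(10 * (i + 1), l) for i, l in enumerate(lines)]
        self.implicit_denies = 0

    def evaluate(self, src, dst):
        """Return (action, seq, logged) for the FIRST matching ACE."""
        s, d = ip2int(src), ip2int(dst)
        for ace in self.aces:
            if ace.matches(s, d):
                ace.hits += 1
                return ace.action, ace.seq, ace.log
        self.implicit_denies += 1          # every ACL ends with an implicit deny
        return "deny", None, False

    def show(self):
        """Hit counters; display format is an approximation, not the real CLI output."""
        lines = [f"IP access list {self.name}"]
        for ace in self.aces:
            lines.append(f"  {ace.seq} {ace.text} [match={ace.hits}]")
        return "\n".join(lines)


# Constructed test flows: (source, destination).
FLOWS = [
    ("10.5.5.5", "192.168.10.20"),     # suspicious subnet -> server farm
    ("172.16.0.9", "192.168.10.20"),   # other internal host -> server farm
    ("10.5.5.5", "192.168.20.20"),     # suspicious subnet -> some other network
]


def run(name, ace_lines, flows=FLOWS):
    acl = Acl(name, ace_lines)
    return acl, [(f, acl.evaluate(*f)) for f in flows]


def correct_order():
    return run("BLOCK_SUSPICIOUS", [
        "deny ip 10.0.0.0 0.255.255.255 192.168.10.0 0.0.0.255 log",
        "permit ip any any",
    ])


def deny_after_permit():
    # Common mistake: the permit shadows the deny, so the deny is never hit.
    return run("MISORDERED", [
        "permit ip any any",
        "deny ip 10.0.0.0 0.255.255.255 192.168.10.0 0.0.0.255 log",
    ])


def subnet_mask_as_wildcard():
    # Common mistake: 255.255.255.0 typed where the wildcard 0.0.0.255 was meant.
    # Only the LAST octet is now compared (it must be 0), so the intended subnet
    # is NOT blocked, while unrelated destinations ending in .0 are.
    return run("BAD_WILDCARD", [
        "deny ip 10.0.0.0 0.255.255.255 192.168.10.0 255.255.255.0 log",
        "permit ip any any",
    ], FLOWS + [("10.5.5.5", "1.2.3.0")])


if __name__ == "__main__":
    for scenario in (correct_order, deny_after_permit, subnet_mask_as_wildcard):
        acl, results = scenario()
        print(acl.show())
        for (s, d), verdict in results:
            print(f"  {s} -> {d}: {verdict}")
        print()
```

Running it shows the deny ACE in BLOCK_SUSPICIOUS taking one hit and logging it, the same ACE in MISORDERED staying at zero hits because 'permit ip any any' matches first, and the BAD_WILDCARD ACE letting the intended 10/8 -> 192.168.10.0/24 flow through while denying an unrelated destination whose last octet is 0.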

Platform Notes

On Cisco NX-OS, ACL syntax is similar to IOS but with some differences. NX-OS uses 'ip access-list' (not 'access-list') for named ACLs. The 'deny ip' command supports the 'log' keyword, but logging behavior may differ; NX-OS logs at a default rate limit. Unlike IOS, NX-OS does not support 'log-input' for ACLs. For equivalent functionality on other platforms, use 'deny ip' on IOS, 'deny ip' on ASA (with object groups), or 'deny ip' on Juniper (with firewall filters). NX-OS also supports object-group-based ACLs for scalability.
