ACL Blocking All Traffic — Implicit Deny Hit

Presenting Symptom

Users in VLAN 10 cannot reach any external network resources, including the internet and remote sites, while internal VLAN 10 resources are reachable.

Network Context

A small branch office with a Cisco 4321 ISR router running IOS XE 16.9. The router connects to an ISP via GigabitEthernet0/0/0 and to an internal switch via GigabitEthernet0/0/1. The internal network uses VLAN 10 (192.168.10.0/24) for users and VLAN 20 (192.168.20.0/24) for servers. An extended ACL is applied inbound on GigabitEthernet0/0/0 to filter traffic from the internet, but users cannot reach external destinations.

Diagnostic Steps

1. Check the ACL configuration and its application

show running-config | include access-list|ip access-group
access-list 100 deny ip any any
access-list 100 permit tcp any any established
interface GigabitEthernet0/0/0
 ip access-group 100 in

ACL 100 has a deny ip any any statement before any permit statement. The implicit deny has effectively been written out as the first entry, so every packet matches it and the permit line below is never evaluated. The access-group is applied inbound on the WAN interface.

2. Verify ACL hit counts to confirm traffic is being denied

show access-lists 100
Extended IP access list 100
    10 deny ip any any (1000 matches)
    20 permit tcp any any established (0 matches)

The deny statement has many matches, indicating that all traffic is hitting the deny rule. The permit established rule has zero matches because traffic never reaches it.

3. Check whether there is a route to external destinations

show ip route 8.8.8.8
Routing entry for 8.8.8.0/24
  Known via "static", distance 1, metric 0
  * 10.0.0.1, via GigabitEthernet0/0/0

A route exists to the external destination, so routing is not the issue. The problem is purely ACL-based.

4. Confirm that internal traffic is not affected by the ACL

ping 192.168.20.1
Success rate is 100 percent (5/5)

Internal traffic is not blocked because the ACL is applied inbound on the WAN interface, not on internal interfaces. This confirms the ACL is only affecting outbound traffic.

Root Cause

The extended ACL 100 applied inbound on GigabitEthernet0/0/0 has a 'deny ip any any' statement as the first entry, which blocks all IP traffic before any permit statements are evaluated. This explicit deny overrides the implicit deny at the end and prevents any traffic from exiting the router to the internet.

Resolution

Remove the explicit deny statement and reorder the ACL to place permit statements first. Use the following commands:

conf t
 ip access-list extended 100
  no 10 deny ip any any
  20 permit tcp any any established
  30 permit ip any any
 end

This removes the explicit deny, keeps the established permit, and adds a permit ip any any at the end to allow all other traffic. Alternatively, if the goal is to only allow established connections, omit the last permit statement and rely on the implicit deny.

Verification

Run 'show access-lists 100' and verify that the deny line is gone and hit counts on permit lines increase. Then test connectivity from a VLAN 10 host to an external IP (e.g., ping 8.8.8.8). Expected output: successful replies.

Prevention

1. Always place permit statements before deny statements in ACLs.
2. Avoid using 'deny ip any any' unless explicitly required; rely on the implicit deny at the end.
3. Use ACL sequence numbers to insert or remove entries without reordering.

CCNA Exam Relevance

On the CCNA 200-301 exam, this scenario tests understanding of ACL processing order and the implicit deny. Questions may present a misconfigured ACL and ask why traffic is blocked. Candidates must know that ACLs are processed top-down and that an explicit deny any any blocks all traffic before subsequent permits.

Exam Tips

1. Remember that ACLs have an implicit deny at the end, so adding an explicit 'deny ip any any' is redundant and can cause issues if placed incorrectly.

2. In troubleshooting questions, always check the order of ACL entries and the interface/direction they are applied.

3. Know that 'established' in a TCP ACL permits return traffic for outbound connections; it does not work for UDP or ICMP.
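As an added example (not part of the original scenario), the following Python models the top-down, first-match ACL evaluation described under Exam Relevance and the 'established' behaviour from tip 3, replaying constructed inbound traffic against the broken ACL 100 and the corrected one. The packet mix and the 10/20 sequence numbering are assumptions made for the example.

```python
"""Model of IOS extended ACL evaluation: top-down, first match, implicit deny."""
from dataclasses import dataclass


@dataclass
class Ace:
    seq: int
    action: str        # "permit" or "deny"
    proto: str         # "ip" matches any protocol; otherwise tcp/udp/icmp
    established: bool  # only meaningful for tcp: needs ACK or RST set
    matches: int = 0   # hit counter, as in 'show access-lists'


def parse_acl(lines):
    """Parse 'access-list 100 <action> <proto> any any [established]' lines.
    Entries are numbered 10, 20, ... as IOS does when no sequence is given."""
    acl = []
    for i, line in enumerate(lines, start=1):
        tok = line.split()
        if tok[0] == "access-list":
            tok = tok[2:]                        # drop 'access-list 100'
        acl.append(Ace(i * 10, tok[0], tok[1], tok[-1] == "established"))
    return acl


def evaluate(acl, proto, ack_or_rst=False):
    """Return (action, seq) of the first matching ACE; (deny, None) is the implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if ace.established and not (proto == "tcp" and ack_or_rst):
            continue                              # UDP/ICMP can never match 'established'
        ace.matches += 1
        return ace.action, ace.seq
    return "deny", None


def run(acl, packets):
    """Evaluate each (proto, ack_or_rst) packet; return verdicts and hit counts."""
    verdicts = [evaluate(acl, *p) for p in packets]
    return verdicts, {ace.seq: ace.matches for ace in acl}


# Constructed inbound traffic on Gi0/0/0: a TCP reply (ACK set) to a VLAN 10 user,
# an unsolicited TCP SYN from the internet, and a UDP DNS reply.
INBOUND = [("tcp", True), ("tcp", False), ("udp", False)]
BROKEN = ["access-list 100 deny ip any any",
          "access-list 100 permit tcp any any established"]
FIXED = ["access-list 100 permit tcp any any established"]  # rely on implicit deny

if __name__ == "__main__":
    print(run(parse_acl(BROKEN), INBOUND))  # every packet hits seq 10, seq 20 stays at 0
    print(run(parse_acl(FIXED), INBOUND))   # only the TCP reply is permitted
```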

Commands Used in This Scenario

show running-config | include access-list|ip access-group
show access-lists 100
show ip route 8.8.8.8
ping 192.168.20.1
ip access-list extended 100
