
ACL Entries in Wrong Order — Permit Before More Specific Deny

Presenting Symptom

Host 192.168.2.10 in the 192.168.2.0/24 subnet is supposed to be blocked from the internet by an ACL applied to the WAN interface, but it can still reach external destinations. Users in the 192.168.1.0/24 subnet and the rest of 192.168.2.0/24 have internet access as intended.

Network Context

A small branch office with a Cisco ISR 4321 router running IOS XE 16.9 connects two internal VLANs (VLAN10: 192.168.1.0/24, VLAN20: 192.168.2.0/24) to the internet via a single WAN link. An extended ACL is applied outbound on the WAN interface (GigabitEthernet0/0/0) to permit internal traffic while denying one specific host, 192.168.2.10. The ACL contains multiple entries, and because IOS evaluates them top-down and stops at the first match, the order of entries is critical.

Diagnostic Steps

1

Check the ACL configuration on the router

show access-list 100
Extended IP access list 100
    10 permit ip 192.168.1.0 0.0.0.255 any
    20 permit ip 192.168.2.0 0.0.0.255 any
    30 deny ip host 192.168.2.10 any
    40 deny ip any any

Entry 30 denies host 192.168.2.10, but entry 20, which permits the whole 192.168.2.0/24 subnet, comes before it. Because the router evaluates entries top-down and stops at the first match, every packet from 192.168.2.10 matches entry 20, and entry 30 can never be reached. IOS appends a '(N matches)' counter to any entry that has matched traffic; a deny entry that never shows a counter while the broader permit above it keeps counting is the signature of this mistake. Remember also the implicit deny: even without entry 40, a packet that matches no entry is dropped.

2

Verify the ACL application on the WAN interface

show running-config interface GigabitEthernet0/0/0
interface GigabitEthernet0/0/0
 ip address 203.0.113.1 255.255.255.252
 ip access-group 100 out

Confirms the ACL is applied outbound on the WAN interface, so traffic from both VLANs toward the internet is evaluated against it. The application is correct; the problem lies in the order of the entries within the ACL.

3

Check the actual order of ACL entries in the running config

show running-config | include access-list 100
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 deny ip host 192.168.2.10 any
access-list 100 deny ip any any

The running configuration shows the order in which the entries were typed; numbered ACLs carry no sequence numbers in the running config, and the router numbers them 10, 20, 30, 40 in this order. The permit for 192.168.2.0/24 precedes the deny for host 192.168.2.10, so traffic from that host matches the permit (sequence 20) and is allowed, defeating the purpose of the deny. The order is wrong: the more specific deny must come before the broader permit.

4

Confirm the impact by pinging from the denied host

Run the test from host 192.168.2.10 itself (a PC in VLAN20), not from the router CLI: an extended ping on the router can only be sourced from one of the router's own interface addresses, and packets the router generates itself are never filtered by an outbound ACL on its interfaces, so a router-sourced ping would succeed whatever the ACL says.

ping -c 5 8.8.8.8
5 packets transmitted, 5 received, 0% packet loss

The ping succeeds, confirming that the deny entry is not being matched because the permit entry above it matches first. The ACL order is the root cause.

Root Cause

The ACL entries are in the wrong order: the permit statement for the entire 192.168.2.0/24 subnet is placed before the deny statement for the specific host 192.168.2.10. Since ACLs are processed top-down and the first match ends the evaluation, the permit matches first and the deny is unreachable (shadowed), so traffic from the denied host is allowed. The more specific deny must precede the broader permit.

Resolution

There are two ways to fix the order. Prefer the sequence-number edit: it keeps the ACL attached and filtering while you change it.

Option 1: insert the deny ahead of the permit with a sequence number, then delete the now-unreachable entry 30. Numbered ACLs can be edited this way in named-ACL configuration mode:

ip access-list extended 100
 15 deny ip host 192.168.2.10 any
 no 30
 exit
ip access-list resequence 100 10 10

The resequence command is optional; it renumbers the remaining entries 10, 20, 30, 40 so the list reads cleanly. Gaps between sequence numbers are harmless and are normal after an insert.

Option 2: remove the ACL and re-enter it in the correct order:

no access-list 100
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 deny ip host 192.168.2.10 any
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 deny ip any any

Caveat for option 2: 'ip access-group 100 out' stays on the interface while the list does not exist, and IOS passes all traffic through an access-group that references an undefined ACL. Between 'no access-list 100' and the re-entry of the deny line, 192.168.2.10 is unfiltered. Paste the lines as one block, or use option 1.

Verification

Run 'show access-list 100' to verify that the deny now precedes the permit (numbering shown after a resequence; without it the entries read 10, 15, 20, 40):

Extended IP access list 100
    10 permit ip 192.168.1.0 0.0.0.255 any
    20 deny ip host 192.168.2.10 any
    30 permit ip 192.168.2.0 0.0.0.255 any
    40 deny ip any any

Then ping 8.8.8.8 from host 192.168.2.10 itself; it should fail with 100% packet loss, and the deny entry should start showing a match counter in 'show access-list 100'. Also ping from another VLAN20 host (for example 192.168.2.11) to confirm that the rest of the subnet still has internet access through entry 30.

Prevention

1. Always place more specific entries (deny host) before broader permits (permit subnet) in ACLs.
2. Use sequence numbers when configuring extended ACLs to allow easy insertion and reordering without removing the list from the interface.
3. Review ACLs with 'show access-list' after configuration to verify the order of entries and to check that every deny entry accumulates matches.
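The first-match rule and the review step above, as an added Python example (this is not Cisco code and not part of the original scenario): it parses the numbered extended entries as they appear in the running configuration, assigns IOS-style sequence numbers, evaluates a packet top-down, and reports entries that an earlier, broader entry makes unreachable. The two ACL texts are constructed to match the misordered and corrected lists in this scenario; the parser handles only 'permit|deny ip SRC DST' entries, which is all this ACL uses.

```python
"""Added example, not Cisco code: simulate IOS first-match evaluation of a
numbered extended ACL and flag entries shadowed by an earlier, broader entry.
Only 'access-list N permit|deny ip SRC DST' lines are handled (all this scenario needs)."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed ACL text, copied from the running-config in this scenario: the
# misordered list (permit subnet before deny host) and the corrected list.
MISORDERED = """
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 deny ip host 192.168.2.10 any
access-list 100 deny ip any any
"""
CORRECTED = """
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 deny ip host 192.168.2.10 any
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 deny ip any any
"""


@dataclass(frozen=True)
class Ace:
    seq: int                      # IOS-style sequence number (10, 20, 30, ...)
    action: str                   # "permit" or "deny"
    src: ipaddress.IPv4Network    # source match, as a prefix
    dst: ipaddress.IPv4Network    # destination match, as a prefix


def _parse_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'.
    A wildcard mask is the bitwise inverse of a subnet mask (0.0.0.255 -> /24)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False), tokens[2:]


def parse_acl(text):
    """Parse access-list lines in configuration order; IOS numbers them 10, 20, 30, ..."""
    aces = []
    for line in text.strip().splitlines():
        m = re.match(r"access-list\s+\d+\s+(permit|deny)\s+ip\s+(.+)$", line.strip())
        if not m:
            continue
        src, rest = _parse_addr(m.group(2).split())
        dst, _ = _parse_addr(rest)
        aces.append(Ace(seq=10 * (len(aces) + 1), action=m.group(1), src=src, dst=dst))
    return aces


def evaluate(aces, src_ip, dst_ip):
    """Top-down, first match wins. Returns (action, sequence); a packet that matches
    nothing hits the implicit deny at the end of every IOS ACL (sequence None)."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in aces:
        if s in ace.src and d in ace.dst:
            return ace.action, ace.seq
    return "deny", None


def shadowed(aces):
    """Pairs (unreachable_seq, covering_seq) for entries that can never match because
    a single earlier entry already covers every source and destination they cover.
    Conservative: an entry covered only by the union of several earlier entries is
    not reported."""
    dead = []
    for i, later in enumerate(aces):
        for earlier in aces[:i]:
            if later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst):
                dead.append((later.seq, earlier.seq))
                break
    return dead


if __name__ == "__main__":
    for name, text in (("misordered", MISORDERED), ("corrected", CORRECTED)):
        acl = parse_acl(text)
        action, seq = evaluate(acl, "192.168.2.10", "8.8.8.8")
        print(f"{name}: 192.168.2.10 -> 8.8.8.8 is {action} by sequence {seq}; "
              f"shadowed entries: {shadowed(acl) or 'none'}")
```

Running it shows 192.168.2.10 being permitted by sequence 20 in the misordered list, with entry 30 reported as shadowed by 20; in the corrected list nothing is shadowed and the same host hits the deny at sequence 20 while 192.168.2.11 still reaches the permit at 30. The shadow test only reports an entry fully covered by one earlier entry, which is exactly the permit-before-specific-deny pattern this scenario describes.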

CCNA Exam Relevance

On the CCNA 200-301 exam, ACL order is tested in troubleshooting scenarios, often as drag-and-drop or multiple-choice questions. Candidates must know that ACLs are processed top-down and the first match applies. A common question presents an ACL with entries in wrong order and asks which traffic is permitted or denied. The key fact: specific entries must come before general entries.

Exam Tips

1.

Remember: ACLs are processed sequentially; the first match wins. Place more specific entries (e.g., deny host) before less specific ones (e.g., permit any).

2.

In exam questions, look for ACLs where a deny host is after a permit subnet; that host will be permitted despite the deny.

3.

Know that 'show access-list' displays the entries in order, with a match counter after any entry that has matched traffic; a deny entry that never accumulates matches while a broader permit above it keeps counting is almost always shadowed by that permit.

Commands Used in This Scenario

show access-list 100
show running-config interface GigabitEthernet0/0/0
show running-config | include access-list 100
ip access-list extended 100 (then <sequence> permit|deny ... to insert an entry)
no access-list 100 followed by access-list 100 ... to recreate the list
ping (from the affected host, not from the router)
