deny
To set conditions in a named IP access list or object group access control list (OGACL) that will deny packets, use the deny configuration command in the appropriate configuration mode. To remove a deny condition from an IP access list or OGACL, use the no form of this command.
TCP or UDP
sequence-number deny { tcp | udp } { src-addr src-wildcard | any | host addr | object-group src-network-group } [ eq port | range min-port max-port ] { dest-addr dest-wildcard | any | host addr | object-group dest-network-group } [ eq port | range min-port max-port ] [log]
no sequence-number [deny] [ { tcp | udp } { src-addr src-wildcard | any | host addr | object-group src-network-group } [ eq port | range min-port max-port ] { dest-addr dest-wildcard | any | host addr | object-group dest-network-group } [ eq port | range min-port max-port ] ] [log]
All other protocols
sequence-number deny { protocol | object-group service-group } { src-addr src-wildcard | any | host addr | object-group src-network-group } { dest-addr dest-wildcard | any | host addr | object-group dest-network-group } [log]
no sequence-number [deny] [ { protocol | object-group service-group } { src-addr src-wildcard | any | host addr | object-group src-network-group } { dest-addr dest-wildcard | any | host addr | object-group dest-network-group | range port } [log] ]
Syntax Description
Keyword or argument | Description
---|---
sequence-number | Specifies a sequence number for the permit or deny statement, which orders the statement in the list. You can also use sequence numbers to reorder, add, or remove statements in a list.
protocol | Name or number of a protocol; valid values are eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range 0 to 255 representing an IP protocol number. To match any Internet protocol (including Internet Control Message Protocol (ICMP), TCP, and User Datagram Protocol (UDP)), use the keyword ip. See the "Usage Guidelines" section for additional qualifiers.
object-group service-group | Specifies an object group of type service.
src-addr | Number of the source network or host from which the packet is being sent, as a 32-bit quantity in four-part, dotted-decimal format.
src-wildcard | Wildcard bits to be applied to the source network, in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.
any | Specifies any source or any destination host as an abbreviation for the source-addr or destination-addr value and the source-wildcard or destination-wildcard value of 0.0.0.0 255.255.255.255.
host addr | Specifies the source or destination address of a single host.
tcp | Specifies the TCP protocol.
udp | Specifies the UDP protocol.
object-group source-addr-group-name | Specifies the name of the object group that contains the group of source addresses. The source and destination object groups must be network object groups. You cannot use empty object groups in access control lists.
destination-addr | Number of the network or host to which the packet is being sent, as a 32-bit quantity in four-part, dotted-decimal format.
destination-wildcard | Wildcard bits to be applied to the destination, as a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.
object-group dest-addr-group-name | Specifies the name of the object group that contains the group of destination addresses. The source and destination object groups must be network object groups. You cannot use empty object groups in access control lists.
log | (Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.) The message for a standard list includes the access list number, whether the packet was permitted or denied, the source address, and the number of packets. The message for an extended list includes the access list number; whether the packet was permitted or denied; the protocol; whether the protocol was TCP, UDP, ICMP, or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. For both standard and extended lists, the message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval. The logging facility might drop some logging message packets if there are too many to be handled or if there is more than one logging message to be handled in 1 second. This behavior prevents the router from reloading because of too many logging packets. Therefore, the logging facility should not be used as a billing tool or as an accurate source of the number of matches to an access list.
Command Default
There is no specific condition under which a packet is denied passing the access list.
Command Modes
Standard access-list configuration (config-std-nacl)
Extended access-list configuration (config-ext-nacl)
Command History
Release | Modification
---|---
Cisco IOS XE Catalyst SD-WAN Release 17.2.1v | Command qualified for use in Cisco vManage CLI templates.
Cisco IOS XE Catalyst SD-WAN Release 17.3.1a | Additional parameters qualified:
Usage Guidelines
For usage guidelines, see the Cisco IOS XE deny command.
Examples

ip access-list standard 10
10 deny 10.1.1.1

ip access-list standard 15
10 deny any

ip access-list extended 105
10 deny ip any any

ip access-list extended 105
10 deny ip host 10.1.1.1 any
20 deny object-group OBJ_PROTO object-group OBJ_SRC object-group OBJ_DEST

ip access-list extended EXTACL
10 deny ip any any log
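The following added example (not from the Cisco documentation) models how the extended-list entries above are evaluated: wildcard bits set to 1 are ignored, host and any are fixed wildcard abbreviations, only the tcp/udp form carries eq/range port qualifiers, entries are tried in sequence-number order, and a packet that matches nothing falls through to the implicit deny. The sample list and packets are constructed for illustration; the entry-matching logic here is the generally documented first-match semantics, not a model of the platform's actual implementation.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "proto src dst sport dport", defaults=(0, 0))  # sport/dport unused for non-TCP/UDP

def wildcard_match(addr, base, wildcard):
    """Wildcard bits set to 1 are ignored: 'host X' is X 0.0.0.0 and 'any' is 0.0.0.0 255.255.255.255."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def parse_addr(t):
    # Consume one address spec: any | host addr | addr wildcard. Returns (base, wildcard, rest).
    if t[0] == "any":
        return "0.0.0.0", "255.255.255.255", t[1:]
    return (t[1], "0.0.0.0", t[2:]) if t[0] == "host" else (t[0], t[1], t[2:])

def parse_port(t):
    # Optional 'eq port' or 'range min-port max-port'. Returns ((lo, hi) or None, rest).
    if t and t[0] == "eq":
        return (int(t[1]), int(t[1])), t[2:]
    return ((int(t[1]), int(t[2])), t[3:]) if t and t[0] == "range" else (None, t)

def parse_entry(line):
    t = line.split()
    seq, action, proto = int(t[0]), t[1], t[2]
    has_ports = proto in ("tcp", "udp")  # only the TCP/UDP form carries port qualifiers
    src, swc, rest = parse_addr(t[3:])
    sport, rest = parse_port(rest) if has_ports else (None, rest)
    dst, dwc, rest = parse_addr(rest)
    dport, rest = parse_port(rest) if has_ports else (None, rest)
    return dict(seq=seq, action=action, proto=proto, src=(src, swc), dst=(dst, dwc),
                sport=sport, dport=dport, log="log" in rest)

def matches(e, p):
    # 'ip' matches every IP protocol; addresses use wildcard bits; ports apply only if the entry sets them.
    return (e["proto"] in ("ip", p.proto)
            and wildcard_match(p.src, *e["src"]) and wildcard_match(p.dst, *e["dst"])
            and all(r is None or r[0] <= v <= r[1]
                    for r, v in ((e["sport"], p.sport), (e["dport"], p.dport))))

def evaluate(acl, p):
    """Entries are tried in sequence-number order; first match wins; no match is an implicit deny."""
    for e in sorted(map(parse_entry, acl), key=lambda e: e["seq"]):
        if matches(e, p):
            return e["action"], e["seq"]
    return "deny", None

# Constructed sample list (not from the page); seq 10 is evaluated first even though listed second.
ACL = ["20 permit tcp any 10.0.0.0 0.0.0.255 eq 443", "10 deny ip host 10.1.1.1 any log",
       "30 permit udp 192.168.0.0 0.0.255.255 range 1024 65535 any eq 53"]
```

Running evaluate(ACL, Packet("tcp", "10.1.1.1", "10.0.0.5", 40000, 443)) returns ("deny", 10): the host entry at sequence 10 wins before the permit at 20, which is the ordering property the sequence-number argument is for.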