Access Lists - Implicit Deny?

Status
Not open for further replies.

dkraut

IS-IT--Management
Feb 5, 2003
75
US
I'm trying to better understand the implicit deny at the end of access-lists on routers and how to best modify existing access lists. Using the example below, let's say that I now want to allow Telnet from a specific IP (i.e., 149.54.11.5) to a specific IP (i.e., 172.16.1.10):

access-list 101 deny tcp any any eq 161
access-list 101 deny tcp any any eq telnet
access-list 101 permit ip any any

Does that mean that if I simply entered the command >

access-list 101 permit tcp host 149.54.11.5 host 172.16.1.10 eq telnet

it would get appended after the >
access-list 101 deny tcp any any eq telnet
and subsequently not work?

Would that mean that to correctly "insert" this new line I would need to run the following command?

no access-list 101 permit ip any any
access-list 101 permit tcp host 149.54.11.5 host 172.16.1.10 eq telnet
access-list 101 permit ip any any

If this is correct, does that mean that immediately after I run >

no access-list 101 permit ip any any

all incoming traffic will be blocked until I re-enter >

access-list 101 permit ip any any

And to complete this I assume I would need to run an access-group command to bind the list to an interface?

Thanks!
 
When you insert a new line, it will appear after the last line. So, your access-list 101 permit tcp 149.54.11.5 172.16.1.10 eq Telnet would appear after the permit ip any any statement. What I do is enter the new lines, then do a no permit ip any any followed by a permit ip any any. This removes it and reapplies it to the end of the ACL.
Yes, when you remove the permit ip any any command, all traffic is blocked if the ACL is applied to an interface. If the ACL is not applied anywhere, then you can do whatever you want and it won't affect traffic.

Degg
Network Administrator
 
Besides that you need to apply the ACL to an interface, you also need to specify whether it's an inbound or outbound ACL.
 
A practice I ALWAYS follow is to remove the access list entirely and re-add it in the order I want it. By doing this every time, I avoid frustrating troubleshooting experiences later.

commsguy
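To make the first-match behaviour discussed in the question and in Degg's and commsguy's replies concrete, here is a small simulation of a Cisco-style extended ACL. This is an added example, not code from any post in this thread or from Cisco IOS; it models only what the thread talks about (numbered extended ACL lines evaluated top to bottom, the first matching line decides, and an implicit `deny ip any any` when nothing matches) and the `PORT_NAMES` table, the `evaluate` function and the sample packets are assumptions made for the illustration. It goes one step beyond the thread: it shows that putting the specific Telnet permit ahead of `permit ip any any` is not enough on its own, because the earlier `deny tcp any any eq telnet` line still matches first, so the permit has to be placed before that deny line as well, which is exactly the case for commsguy's rebuild-in-order approach.

```python
"""First-match evaluation of a Cisco-style extended ACL (added example).

Not IOS code: a minimal model of the syntax used in the thread, supporting
'any', 'host A' and 'A WILDCARD' address forms plus an optional 'eq PORT'.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed name-to-port table, just enough for the lines in the thread.
PORT_NAMES = {"telnet": 23, "snmp": 161, "ssh": 22}


@dataclass
class Entry:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # None means any destination port


def _parse_addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD) and return a network."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    addr, wildcard = t, tokens.pop(0)
    # IOS wildcard masks are inverted netmasks; invert back to a netmask.
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def parse_entry(line):
    """Turn one 'access-list N action proto SRC DST [eq PORT]' line into an Entry."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    action, proto, rest = tokens[2], tokens[3], tokens[4:]
    src = _parse_addr(rest)
    dst = _parse_addr(rest)
    dport = None
    if rest and rest[0] == "eq":
        name = rest[1].lower()
        dport = PORT_NAMES.get(name) or int(name)
    return Entry(action, proto, src, dst, dport)


def evaluate(acl_lines, src_ip, dst_ip, proto="tcp", dport=None):
    """Return (action, matching_line); the implicit deny applies if nothing matches."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl_lines:
        e = parse_entry(line)
        if e.proto != "ip" and e.proto != proto:
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, line          # first match wins
    return "deny", "<implicit deny ip any any>"


# The ACL from the question, and the specific permit the asker wants to add.
ORIGINAL = [
    "access-list 101 deny tcp any any eq 161",
    "access-list 101 deny tcp any any eq telnet",
    "access-list 101 permit ip any any",
]
SPECIFIC_PERMIT = "access-list 101 permit tcp host 149.54.11.5 host 172.16.1.10 eq telnet"

APPENDED = ORIGINAL + [SPECIFIC_PERMIT]                        # what a plain add produces
ASKER_ORDER = ORIGINAL[:2] + [SPECIFIC_PERMIT, ORIGINAL[2]]    # after removing/re-adding permit ip any any
CORRECT_ORDER = [ORIGINAL[0], SPECIFIC_PERMIT, ORIGINAL[1], ORIGINAL[2]]  # permit ahead of the telnet deny
PERMIT_REMOVED = ORIGINAL[:2]                                   # the window after 'no ... permit ip any any'


def telnet_decision(acl):
    """Decision for the Telnet session the asker wants to allow (constructed packet)."""
    return evaluate(acl, "149.54.11.5", "172.16.1.10", "tcp", 23)[0]


if __name__ == "__main__":
    for name, acl in [("original", ORIGINAL), ("appended", APPENDED),
                      ("asker order", ASKER_ORDER), ("correct order", CORRECT_ORDER)]:
        print(f"{name:14s} telnet 149.54.11.5 -> 172.16.1.10: {telnet_decision(acl)}")
    # With permit ip any any gone, unrelated traffic hits the implicit deny.
    print("permit removed, tcp/80:", evaluate(PERMIT_REMOVED, "10.1.1.1", "172.16.1.10", "tcp", 80))
```

Running it shows `deny` for the original, the appended and the asker's proposed order, and `permit` only when the specific line sits above `deny tcp any any eq telnet`; the last line shows ordinary web traffic hitting the implicit deny while `permit ip any any` is absent, which is the blocking window Degg describes. A side effect of the model worth noticing: `deny tcp any any eq 161` is TCP-only, so the same packet over UDP is permitted by the model, exactly as it would be on the router.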

 
