access-list on router

Answered Question
Aug 25th, 2008

An access-list has been configured on a router to block an IP address. Can additional IP addresses be added to the original access-list at a later time?

ex.

(config)#access-list 5 deny 10.10.117.0 0.0.0.255

(config)#access-list 5 permit any


Can we use access-list 5 to block additional IPs or do we have to create a new access-list?


Correct Answer
Marwan ALshawi Mon, 08/25/2008 - 17:03

Of course you can.

Let's take this example:

R2#sh ip access-lists

Standard IP access list 5

10 deny 10.10.117.0 0.0.0.255

20 permit any

You can do something like:

R2(config)#ip access-list standard 5

R2(config-std-nacl)#no 20 permit any

R2(config-std-nacl)#end

Then start putting in the deny statements as you want, like:

(config)#access-list 5 deny 10.10.118.0 0.0.0.255

(config)#access-list 5 deny 10.10.119.0 0.0.0.255

Then put your permit:

(config)#access-list 5 permit any

Keep in mind that without the permit any at the end, anything not permitted by the ACL will be denied, because there is a default deny all (implicit deny) at the end of each ACL.

So the permit any will solve it.

Good luck.

Please rate if helpful.



saidfrh Tue, 08/26/2008 - 07:08

Before receiving your answers, I went ahead and added a deny statement and another permit any statement. I see that the last permit any statement does not show up. Based on your suggestions, I should remove "20 permit any (8245262 matches)" and add another permit any statement.


Kindly confirm. This is a production router.


Standard IP access list 5

10 deny 78.8.117.0, wildcard bits 0.0.0.255

20 permit any (8245262 matches)

30 deny 207.102.0.0, wildcard bits 0.0.255.255

40 deny 207.103.0.0, wildcard bits 0.0.255.255

50 deny 58.0.0.0, wildcard bits 0.255.255.255

Marwan ALshawi Tue, 08/26/2008 - 07:16

Yes:

ip access-list standard 5

no 20 permit any


Correct Answer
Jon Marshall Tue, 08/26/2008 - 04:58

Said


I agree with Marwan, but it does depend on your IOS version. You may find that when you do a "sh ip access-list" the lines are not numbered, in which case you would need to type out a new access-list and apply that, because any lines you add to access-list 5 will appear at the end, and this would not work for you as there would be a "permit any" before the new deny line you have added.


Jon

Marwan ALshawi Tue, 08/26/2008 - 05:05

But based on this simple ACL, if you do:

no access-list 5 permit any

then start to put in your deny lines, then put the "access-list 5 permit any" line again at the end!!

Jon Marshall Tue, 08/26/2008 - 07:32

Marwan


Agreed, you can do this, but it also depends on your IOS version. A while back a numbered ACL could not be edited in place, i.e. you had to remove the ACL, edit it, and apply it again.

IOS behaviour now is to allow numbered access-lists to be edited.

See this thread, which goes into more detail:


http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=WAN%2C%20Routing%20and%20Switching&topicID=.ee71a06&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.2cc04c4a/4#selected_message


Jon

saidfrh Tue, 08/26/2008 - 07:51

Jon,

So based on the below, a "no 20 permit any" should be added and immediately followed by a "60 permit any"?


10 deny 78.8.117.0, wildcard bits 0.0.0.255

20 permit any (8245262 matches)

30 deny 207.102.0.0, wildcard bits 0.0.255.255

40 deny 207.103.0.0, wildcard bits 0.0.255.255

50 deny 58.0.0.0, wildcard bits 0.255.255.255


Jon Marshall Tue, 08/26/2008 - 10:10

Said


Yes, that will do it. Put the two lines into a text editor, make sure you are happy with them, and then cut and paste them onto the router.


Make sure that if you have telnetted to the router, you telnetted to an interface that this access-list is not applied to. If you are on the console, no problem.


Jon
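As an added illustration that is not part of the thread, here is the listing saidfrh pasted and the two-line fix Jon confirmed, run through a small first-match model of an IOS standard numbered ACL. The helper names (ace, evaluate, shadowed, append_line, remove_seq, fixed_acl) are hypothetical and written for this example; the wildcard-mask comparison, the placement of a line typed as "access-list 5 ..." at the end with sequence "highest + 10", and the implicit deny at the end of the list are standard IOS semantics. The addresses are the ones from saidfrh's listing.

```python
"""Added example, not from the thread: a first-match evaluator for Cisco-style
standard numbered ACLs. The addresses are the ones saidfrh pasted; the helper
names (ace, evaluate, shadowed, append_line, remove_seq, fixed_acl) are
hypothetical and exist only for this illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


@dataclass(frozen=True)
class Ace:
    """One access-list entry; 'any' is stored as 0.0.0.0 with an all-ones wildcard."""
    seq: int
    action: str      # "permit" or "deny"
    network: int
    wildcard: int    # IOS wildcard mask: 1 bits are "don't care"


def ace(seq: int, action: str, network: str = "any", wildcard: str = "0.0.0.0") -> Ace:
    if network == "any":
        return Ace(seq, action, 0, 0xFFFFFFFF)
    return Ace(seq, action, to_int(network), to_int(wildcard))


def matches(a: Ace, addr: str) -> bool:
    care = ~a.wildcard & 0xFFFFFFFF          # bits the entry actually compares
    return (to_int(addr) & care) == (a.network & care)


def evaluate(acl: List[Ace], addr: str) -> str:
    """First match in sequence order wins; no match falls through to the implicit deny."""
    for a in sorted(acl, key=lambda x: x.seq):
        if matches(a, addr):
            return f"{a.action} (seq {a.seq})"
    return "deny (implicit)"


def covers(a: Ace, b: Ace) -> bool:
    """True if every address b matches is already matched by a: a's don't-care
    bits are a superset of b's, and the bits a compares agree with b's network."""
    care_a = ~a.wildcard & 0xFFFFFFFF
    return (a.wildcard | b.wildcard) == a.wildcard and (a.network & care_a) == (b.network & care_a)


def shadowed(acl: List[Ace]) -> List[int]:
    """Sequence numbers that can never be hit because an earlier entry covers them."""
    ordered = sorted(acl, key=lambda x: x.seq)
    return [b.seq for i, b in enumerate(ordered) if any(covers(a, b) for a in ordered[:i])]


def append_line(acl: List[Ace], action: str, network: str = "any", wildcard: str = "0.0.0.0") -> List[Ace]:
    """Model 'access-list 5 ...' typed in global config: the line lands at the end, seq = highest + 10."""
    seq = max((a.seq for a in acl), default=0) + 10
    return acl + [ace(seq, action, network, wildcard)]


def remove_seq(acl: List[Ace], seq: int) -> List[Ace]:
    """Model 'no <seq> ...' inside 'ip access-list standard 5', which removes only that one line."""
    return [a for a in acl if a.seq != seq]


# Constructed from the listing saidfrh pasted: lines 30-50 were appended after 'permit any'.
ACL_AS_POSTED = [
    ace(10, "deny", "78.8.117.0", "0.0.0.255"),
    ace(20, "permit"),
    ace(30, "deny", "207.102.0.0", "0.0.255.255"),
    ace(40, "deny", "207.103.0.0", "0.0.255.255"),
    ace(50, "deny", "58.0.0.0", "0.255.255.255"),
]


def fixed_acl(acl: List[Ace] = ACL_AS_POSTED) -> List[Ace]:
    """Jon's two pasted lines: 'no 20 permit any' followed by '60 permit any'."""
    return append_line(remove_seq(acl, 20), "permit")


if __name__ == "__main__":
    print("dead lines as posted:", shadowed(ACL_AS_POSTED))
    print("207.102.5.9 as posted:", evaluate(ACL_AS_POSTED, "207.102.5.9"))
    print("207.102.5.9 after fix:", evaluate(fixed_acl(), "207.102.5.9"))
    # Between the two commands there is no 'permit any' at all: everything hits the implicit deny,
    # which is why Jon says not to do this over a telnet session that the ACL filters.
    print("8.8.8.8 with 20 removed only:", evaluate(remove_seq(ACL_AS_POSTED, 20), "8.8.8.8"))
```

Run as posted, shadowed() reports lines 30, 40 and 50 as unreachable and 207.102.5.9 is permitted by line 20; after fixed_acl() the same address is denied by line 30 and everything else is permitted by the new line 60. One caveat that is general IOS behaviour rather than something the thread states: the model removes a single line only through the "ip access-list standard 5" / "no 20 permit any" form, because the global-config form "no access-list 5 ..." deletes the entire numbered list, not one entry.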
