access-list on router

Answered Question
Aug 25th, 2008

An access-list has been configured on a router to block an IP address. Can additional IP addresses be added to the original access-list at a later time?

ex.

(config)#access-list 5 deny 10.10.117.0 0.0.0.255

(config)#access-list 5 permit any

Can we use access-list 5 to block additional IPs or do we have to create a new access-list?

Correct Answer by Jon Marshall about 8 years 4 months ago

Said

I agree with Marwan but it does depend on your IOS version. You may find that when you do a "sh ip access-list" that the lines are not numbered in which case you would need to type out a new access-list and apply that because any lines you add to access-list 5 will appear at the end and this would not work for you as there would be a "permit any" before the new deny line you have added.

Jon

Correct Answer by Marwan ALshawi about 8 years 4 months ago

Of course you can.

Let's take this example:

R2#sh ip access-lists
standard IP access list 5
10 deny 10.10.117.0 0.0.0.255
20 permit any

You can do it like this:

R2(config)#ip access-list standard 5
R2(config-ext-nacl)#no 20 permit any
R2(config-ext-nacl)#end

Then start putting in the deny statements as you want, like:

(config)#access-list 5 deny 10.10.118.0 0.0.0.255

(config)#access-list 5 deny 10.10.119.0 0.0.0.255

Then put your permit:

(config)#access-list 5 permit any

Keep in mind that without the permit any at the end, anything not permitted by the ACL will be denied, because there is a default deny all (implicit deny) at the end of each ACL.

So the permit any will solve it.

good luck

Please rate if helpful.


saidfrh Tue, 08/26/2008 - 07:08

Before receiving your answers, I went ahead and added a deny statement and another permit any statement. I see that the last permit any statement does not show up. Based on your suggestions, I should remove 20 permit any (8245262 matches) and add another permit any statement.

Kindly confirm. This is a production router.

Standard IP access list 5
10 deny 78.8.117.0, wildcard bits 0.0.0.255
20 permit any (8245262 matches)
30 deny 207.102.0.0, wildcard bits 0.0.255.255
40 deny 207.103.0.0, wildcard bits 0.0.255.255
50 deny 58.0.0.0, wildcard bits 0.255.255.255


Marwan ALshawi Tue, 08/26/2008 - 05:05

But based on this simple ACL, if you do

no access-list 5 permit any

then start to put in your deny lines, then put the access-list 5 permit any line again at the end!!

Jon Marshall Tue, 08/26/2008 - 07:32

Marwan

Agreed you can do this, but it also depends on your IOS version. A while back a numbered ACL could not be edited in place, i.e. you had to remove the ACL, edit it, and apply it again.

IOS behaviour now is to allow numbered access-lists to be edited.

See this thread which goes into more detail.

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=WAN%2C%20Routing%20and%20Switching&topicID=.ee71a06&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.2cc04c4a/4#selected_message

Jon

saidfrh Tue, 08/26/2008 - 07:51

Jon,

So based on the below, a 'no 20 permit any' should be added and immediately followed by a '60 permit any'?

10 deny 78.8.117.0, wildcard bits 0.0.0.255
20 permit any (8245262 matches)
30 deny 207.102.0.0, wildcard bits 0.0.255.255
40 deny 207.103.0.0, wildcard bits 0.0.255.255
50 deny 58.0.0.0, wildcard bits 0.255.255.255

Jon Marshall Tue, 08/26/2008 - 10:10

Said

Yes that will do it. Put the 2 lines into a text-editor, make sure you are happy with them and then cut and paste onto the router.

Make sure that if you have telnetted to the router that you telnetted to an interface that this access-list is not applied to. If you are on the console no problem.

Jon
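A small Python model of what the thread is working through (first-match evaluation with the implicit deny, and the "remove 20 permit any, add 60 permit any" edit Jon confirmed); this is an added example, not code from the thread or from Cisco, and the ACL entries are constructed from the lines saidfrh posted.

```python
import ipaddress


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (n | w)


def evaluate(acl, addr):
    """First matching entry (in sequence order) wins; no match hits the implicit deny."""
    for seq, action, network, wildcard in sorted(acl):
        if wildcard_match(addr, network, wildcard):
            return action
    return "deny"


def add_ace(acl, action, network="0.0.0.0", wildcard="255.255.255.255", seq=None):
    """Global 'access-list 5 ...' appends after the last sequence number (modelled as last + 10);
    an explicit seq models inserting a numbered line in named-ACL mode."""
    if seq is None:
        seq = max((s for s, *_ in acl), default=0) + 10
    return sorted(acl + [(seq, action, network, wildcard)])


def remove_seq(acl, seq):
    """Models 'no <seq> ...' inside 'ip access-list standard 5'."""
    return [ace for ace in acl if ace[0] != seq]


# Constructed from saidfrh's 'sh ip access-list' output: the deny lines 30-50 were
# appended after '20 permit any', so line 20 shadows them.
BROKEN_ACL = [
    (10, "deny", "78.8.117.0", "0.0.0.255"),
    (20, "permit", "0.0.0.0", "255.255.255.255"),
    (30, "deny", "207.102.0.0", "0.0.255.255"),
    (40, "deny", "207.103.0.0", "0.0.255.255"),
    (50, "deny", "58.0.0.0", "0.255.255.255"),
]


def fix_acl(acl):
    """The edit confirmed in the thread: 'no 20 permit any' then '60 permit any' at the end."""
    return add_ace(remove_seq(acl, 20), "permit", seq=60)


if __name__ == "__main__":
    for ip in ("207.102.5.9", "58.1.2.3", "78.8.117.4", "192.0.2.1"):
        print(ip, "before:", evaluate(BROKEN_ACL, ip), "after:", evaluate(fix_acl(BROKEN_ACL), ip))
```

Evaluating the ACL without line 20 at all shows why the trailing permit any matters: every address not covered by a deny line then falls through to the implicit deny.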
