access-list on router

saidfrh
Level 1

An access-list has been configured on a router to block an IP address. Can additional IP addresses be added to the original access-list at a later time?

ex.

(config)#access-list 5 deny 10.10.117.0 0.0.0.255

(config)#access-list 5 permit any

Can we use access-list 5 to block additional IPs or do we have to create a new access-list?

2 Accepted Solutions

Marwan ALshawi
VIP Alumni

Of course you can.

Let's take this example:

R2#sh ip access-lists

standard IP access list 5

10 deny 10.10.117.0 0.0.0.255

20 permit any

You can do it like this:

R2(config)#ip access-list standard 5

R2(config-std-nacl)#no 20 permit any

R2(config-std-nacl)#end

then start putting in the deny statements as you want,

like

(config)#access-list 5 deny 10.10.118.0 0.0.0.255

(config)#access-list 5 deny 10.10.119.0 0.0.0.255

then put your permit:

(config)#access-list 5 permit any

Keep in mind that without the permit any at the end, anything not permitted by the ACL will be denied, because there is a default deny all (implicit deny) at the end of each ACL,

so the permit any will solve it.

good luck

Please rate if helpful.

Jon Marshall
Hall of Fame

Said

I agree with Marwan, but it does depend on your IOS version. You may find that when you do a "sh ip access-list" the lines are not numbered, in which case you would need to type out a new access-list and apply that, because any lines you add to access-list 5 will appear at the end, and this would not work for you as there would be a "permit any" before the new deny line you have added.

Jon

9 Replies

Before receiving your answers, I went ahead and added a deny statement and another permit any statement. I see that the last permit any statement does not show up. Based on your suggestions, I should remove 20 permit any (8245262 matches) and add another permit any statement.

Kindly confirm. This is a production router.

Standard IP access list 5

10 deny 78.8.117.0, wildcard bits 0.0.0.255

20 permit any (8245262 matches)

30 deny 207.102.0.0, wildcard bits 0.0.255.255

40 deny 207.103.0.0, wildcard bits 0.0.255.255

50 deny 58.0.0.0, wildcard bits 0.255.255.255

Yes,

ip access-list standard 5

no 20 permit any

Thank you. It worked.

Marwan ALshawi
VIP Alumni

But based on this simple ACL, if you do

no access-list 5 permit any

then start to put in your deny lines, then put

the access-list 5 permit any line again at the end!!

Marwan

Agreed, you can do this, but it also depends on your IOS version. A while back a numbered ACL could not be edited in place, i.e. you had to remove the ACL, edit it, and apply it again.

IOS behaviour now is to allow numbered access-lists to be edited.

See this thread which goes into more detail.

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=WAN%2C%20Routing%20and%20Switching&topicID=.ee71a06&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.2cc04c4a/4#selected_message

Jon

Jon,

So based on the below, a 'no 20 permit any' should be added, immediately followed by a '60 permit any'?

10 deny 78.8.117.0, wildcard bits 0.0.0.255

20 permit any (8245262 matches)

30 deny 207.102.0.0, wildcard bits 0.0.255.255

40 deny 207.103.0.0, wildcard bits 0.0.255.255

50 deny 58.0.0.0, wildcard bits 0.255.255.255

Said

Yes that will do it. Put the 2 lines into a text-editor, make sure you are happy with them and then cut and paste onto the router.

Make sure that if you have telnetted to the router that you telnetted to an interface that this access-list is not applied to. If you are on the console no problem.

Jon
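To make the ordering problem concrete, here is an added Python example (not from the thread, and not Cisco code) that evaluates a standard ACL the way IOS does: first matching line wins, implicit deny at the end. It parses the "show ip access-lists" output Said posted, shows that with "permit any" still at line 20 the later deny lines never match, and applies the fix Jon confirmed: remove line 20 and re-add "permit any" as line 60. Function names are my own.

```python
import ipaddress

def wildcard_match(ip, network, wildcard):
    """True if ip matches network under a Cisco wildcard mask (1 bits = don't care)."""
    ip_i = int(ipaddress.IPv4Address(ip))
    net_i = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (ip_i & care) == (net_i & care)

def parse_acl(text):
    """Parse 'show ip access-lists' style lines into (seq, action, network, wildcard).

    Handles '10 deny 78.8.117.0, wildcard bits 0.0.0.255', '20 permit any (N matches)'
    and the short form '10 deny 10.10.117.0 0.0.0.255' used in the config commands."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.replace(",", "").split()
        seq, action, target = int(parts[0]), parts[1], parts[2]
        if target == "any":
            net, wc = "0.0.0.0", "255.255.255.255"
        elif len(parts) > 3 and parts[3] == "wildcard":
            net, wc = target, parts[5]
        else:
            net, wc = target, parts[3] if len(parts) > 3 else "0.0.0.0"
        entries.append((seq, action, net, wc))
    return sorted(entries)  # IOS evaluates in sequence-number order

def evaluate(entries, ip):
    """First matching line decides; no match means the implicit deny at the end."""
    for _seq, action, net, wc in entries:
        if wildcard_match(ip, net, wc):
            return action
    return "deny"

def move_permit_any(entries, old_seq=20, new_seq=60):
    """The fix from the thread: 'no 20 permit any' then '60 permit any'."""
    fixed = [e for e in entries if e[0] != old_seq]
    fixed.append((new_seq, "permit", "0.0.0.0", "255.255.255.255"))
    return sorted(fixed)

# Constructed copy of the misordered ACL listing from the thread.
MISORDERED = """
10 deny 78.8.117.0, wildcard bits 0.0.0.255
20 permit any (8245262 matches)
30 deny 207.102.0.0, wildcard bits 0.0.255.255
40 deny 207.103.0.0, wildcard bits 0.0.255.255
50 deny 58.0.0.0, wildcard bits 0.255.255.255
"""

if __name__ == "__main__":
    before, after = parse_acl(MISORDERED), move_permit_any(parse_acl(MISORDERED))
    for ip in ("207.102.5.5", "58.200.1.1", "78.8.117.9", "8.8.8.8"):
        print(ip, "before:", evaluate(before, ip), "after:", evaluate(after, ip))
```

Running it shows the 207.102.0.0/16 and 58.0.0.0/8 sources are permitted by the misordered list and denied once "permit any" sits at line 60, while line 10 and the final permit behave the same in both.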
