Cisco Support Community

New Member

access-list on router

An access-list has been configured on a router to block an IP address. Can additional IP addresses be added to the original access-list at a later time?

ex.

(config)#access-list 5 deny 10.10.117.0 0.0.0.255

(config)#access-list 5 permit any

Can we use access-list 5 to block additional IPs or do we have to create a new access-list?

Accepted Solutions

Re: access-list on router

Of course you can.

Let's take this example:

R2#sh ip access-lists

Standard IP access list 5

10 deny 10.10.117.0 0.0.0.255

20 permit any

You can do something like:

R2(config)#ip access-list standard 5

R2(config-std-nacl)#no 20 permit any

R2(config-std-nacl)#end

Then start putting the deny statements as you want, like:

(config)#access-list 5 deny 10.10.118.0 0.0.0.255

(config)#access-list 5 deny 10.10.119.0 0.0.0.255

Then put your permit:

(config)#access-list 5 permit any

Keep in mind that without the permit any at the end, anything not permitted by the ACL will be denied, because there is a default deny all (implicit deny) at the end of each ACL,

so the permit any will solve it.

Good luck.

Please rate if helpful.

Hall of Fame Super Blue

Re: access-list on router

Said

I agree with Marwan but it does depend on your IOS version. You may find that when you do a "sh ip access-list" that the lines are not numbered in which case you would need to type out a new access-list and apply that because any lines you add to access-list 5 will appear at the end and this would not work for you as there would be a "permit any" before the new deny line you have added.

Jon

9 REPLIES


New Member

Re: access-list on router

Before receiving your answers, I went ahead and added a deny statement and another permit any statement. I see that the last permit any statement does not show up. Based on your suggestions, I should remove 20 permit any (8245262 matches) and add another permit any statement.

Kindly confirm. This is a production router.

Standard IP access list 5

10 deny 78.8.117.0, wildcard bits 0.0.0.255

20 permit any (8245262 matches)

30 deny 207.102.0.0, wildcard bits 0.0.255.255

40 deny 207.103.0.0, wildcard bits 0.0.255.255

50 deny 58.0.0.0, wildcard bits 0.255.255.255

Re: access-list on router

Yes,

ip access-list standard 5

no 20 permit any

New Member

Re: access-list on router

Thank you. It worked.


Re: access-list on router

But based on this simple ACL, if you do

no access-list 5 permit any

then start to put your deny lines, then put

the access-list 5 permit any line again at the end!!

Hall of Fame Super Blue

Re: access-list on router

Marwan

Agreed, you can do this, but it also depends on your IOS version. A while back a numbered ACL could not be edited in place, i.e. you had to remove the ACL, edit it, and apply it again.

IOS behaviour now is to allow numbered access-lists to be edited.

See this thread which goes into more detail.

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=WAN%2C%20Routing%20and%20Switching&topicID=.ee71a06&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.2cc04c4a/4#selected_message

Jon

New Member

Re: access-list on router

Jon,

So based on the below, a 'no 20 permit any' should be added and immediately followed by a '60 permit any'?

10 deny 78.8.117.0, wildcard bits 0.0.0.255

20 permit any (8245262 matches)

30 deny 207.102.0.0, wildcard bits 0.0.255.255

40 deny 207.103.0.0, wildcard bits 0.0.255.255

50 deny 58.0.0.0, wildcard bits 0.255.255.255

Hall of Fame Super Blue

Re: access-list on router

Said

Yes that will do it. Put the 2 lines into a text-editor, make sure you are happy with them and then cut and paste onto the router.

Make sure that if you have telnetted to the router that you telnetted to an interface that this access-list is not applied to. If you are on the console no problem.

Jon
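The shadowing problem Said ran into (deny lines appended after "20 permit any" that can never be reached) and the fix Jon confirmed, modelled in Python as an added example. This is not code from the thread or from Cisco IOS: it models how IOS walks a standard IP access list (top to bottom, first match wins, implicit deny when nothing matches) and how wildcard masks match, using the entries Said posted as constructed sample input. The function names (evaluate, shadowed_entries, fix_acl and so on) are my own and are not IOS commands.

```python
"""Model of Cisco IOS standard access-list evaluation (added example).

IOS walks a standard ACL top to bottom, the first matching entry wins, and
an unmatched packet hits the implicit deny at the end. The entries below
are constructed from the ACL posted in the thread; the evaluation and
shadow-detection code is an illustration, not IOS itself.
"""
import ipaddress

PERMIT, DENY = "permit", "deny"
ANY = ("0.0.0.0", "255.255.255.255")  # what IOS prints as 'any'

# (sequence, action, network, wildcard): Said's ACL after he appended
# three denies. They land AFTER '20 permit any' and can never be hit.
BROKEN_ACL = [
    (10, DENY, "78.8.117.0", "0.0.0.255"),
    (20, PERMIT, *ANY),
    (30, DENY, "207.102.0.0", "0.0.255.255"),
    (40, DENY, "207.103.0.0", "0.0.255.255"),
    (50, DENY, "58.0.0.0", "0.255.255.255"),
]


def _ip(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: a 0 bit in the wildcard must match the
    network, a 1 bit is 'don't care'. The address matches when every
    bit that differs from the network is a don't-care bit."""
    return ((_ip(addr) ^ _ip(network)) & ~_ip(wildcard)) == 0


def evaluate(acl, src):
    """Return (action, seq) of the first matching entry in sequence order.
    No match means the implicit deny, reported with seq None."""
    for seq, action, network, wildcard in sorted(acl):
        if wildcard_match(src, network, wildcard):
            return action, seq
    return DENY, None


def covers(outer, inner):
    """True if every address matched by 'inner' is also matched by the
    earlier entry 'outer', so 'inner' is unreachable."""
    _, _, outer_net, outer_wc = outer
    _, _, inner_net, inner_wc = inner
    ow, iw = _ip(outer_wc), _ip(inner_wc)
    # inner's don't-care bits must be a subset of outer's, and outer's
    # fixed bits must agree with inner's network.
    return (iw & ~ow) == 0 and ((_ip(outer_net) ^ _ip(inner_net)) & ~ow) == 0


def shadowed_entries(acl):
    """Sequence numbers of entries fully covered by an earlier entry.
    Run this before pasting a reordered ACL onto a production router."""
    ordered = sorted(acl)
    return [entry[0] for i, entry in enumerate(ordered)
            if any(covers(prev, entry) for prev in ordered[:i])]


def remove_entry(acl, seq):
    """Model removing one line by sequence number from named-ACL mode."""
    return [entry for entry in acl if entry[0] != seq]


def append_entry(acl, action, network, wildcard, seq=None):
    """Model 'access-list 5 <action> ...': with no explicit sequence the
    new line is appended 10 past the current highest sequence number."""
    if seq is None:
        seq = max((entry[0] for entry in acl), default=0) + 10
    return sorted(acl + [(seq, action, network, wildcard)])


def fix_acl(acl):
    """The fix confirmed in the thread: drop '20 permit any' and re-add
    'permit any' at the end (it becomes sequence 60 here)."""
    return append_entry(remove_entry(acl, 20), PERMIT, *ANY)


if __name__ == "__main__":
    for label, acl in (("broken", BROKEN_ACL), ("fixed", fix_acl(BROKEN_ACL))):
        print(f"{label}: shadowed entries = {shadowed_entries(acl)}")
        for src in ("78.8.117.9", "207.102.5.5", "58.1.2.3", "8.8.8.8"):
            print(f"  {src:>12} -> {evaluate(acl, src)}")
```

Running it shows 207.102.5.5 permitted by sequence 20 in the broken list but denied by sequence 30 once the permit any is moved to the end, and that deleting the trailing permit any sends unmatched sources to the implicit deny. The shadowed_entries check is the part worth keeping around: it flags any entry that a line above it already covers, which is exactly the mistake that produced the 8245262-match permit any sitting in front of three dead denies.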
