11-06-2006 01:09 PM - edited 03-03-2019 02:36 PM
Hello,
I have a very basic question.
Let's say you have an access-list defined on your router, and you have not put it under an interface (WAN/LAN) as an access-group, and you are not invoking it through route-maps. So now, when a packet comes into the router, wouldn't the router check the defined access-list to see whether there is anything defined for that packet?
I was talking to a colleague, and according to him, even if you have many access-lists defined on your router but you don't have those access-lists applied under any interface or invoked through route-maps, then those access-lists are useless. My thinking was no: even if those access-lists are defined but not being invoked, the router will still check them.
I hope I am clear in my question.
11-06-2006 01:19 PM
If the ACL is not attached to an interface, nothing will be checked.
11-06-2006 03:06 PM
Hi,
Yes, you are correct. Creating an access-list without applying it to any interface is useless.
You can apply up to two access lists to an interface: one inbound access list and one outbound access list. With other protocols, you apply only one access list, which checks both inbound and outbound packets.
If the access list is inbound, when the router receives a packet, the Cisco IOS software checks the access list's criteria statements for a match. If the packet is permitted, the software continues to process the packet. If the packet is denied, the software discards the packet.
If the access list is outbound, after receiving and routing a packet to the outbound interface, the software checks the access list's criteria statements for a match. If the packet is permitted, the software transmits the packet. If the packet is denied, the software discards the packet.
IMP: ***** Access lists that are applied to interfaces do not filter traffic that originates from that router. *****
Hope it clarifies things for you.
Thanks,
satish
11-06-2006 10:44 PM
In addition to Satish's post, you can use a route-map to group the access-lists and apply them to the interface.
Hope this helps.
11-07-2006 06:02 AM
Hello,
Thanks for all the replies. Now I have one point of confusion, which is as follows.
This is clear to me now: no matter how many access-lists are defined in the router, if the access-lists are not getting invoked then they are useless. I have the following access-list defined on the router:
access-list 101 permit tcp any eq telnet any
I do not have this telnet access-list applied under vty 0 4 as "access-class 101 in". So how come I am able to telnet even though it's not under vty 0 4? Sorry for asking these basic/stupid questions.
Following is what I have for vty 0 4:
line vty 0 4
password cisco
login
Regards,
Hassan.
11-07-2006 10:12 AM
Hassan
The config that you have posted has no restriction on the ability to telnet to the router. So anyone will be able to telnet to the router (as long as they know the password that is configured). Even if the access list had deny any any instead of permit any any it would not restrict telnet access unless it is applied to the vty ports.
HTH
Rick
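To make the two answers above concrete (Satish's description of inbound/outbound interface ACLs, and Rick's point that telnet to the router is governed by the vty lines, not by an unattached list), here is an added IOS configuration example. It is not from any post in this thread; the interface name, the 192.0.2.0/24 addresses (a documentation range) and the ACL numbers 10 and 102 are hypothetical.

```cisco
! Added example, not part of the original thread.
! Interface names, addresses and ACL numbers 10/102 are assumed.
!
! 1. A list that exists but is referenced nowhere. IOS never evaluates
!    it, so it neither permits nor denies anything.
access-list 101 permit tcp any eq telnet any
!
! 2. The same kind of list bound to an interface with ip access-group.
!    Only now is it checked, and only for transit traffic entering
!    FastEthernet0/0 (not for packets the router itself originates).
access-list 102 permit tcp any host 192.0.2.10 eq telnet
access-list 102 deny ip any any log
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group 102 in
!
! 3. Restricting who may telnet to the router itself. This is a
!    separate binding: the vty lines need access-class. A standard
!    ACL naming the management host is the usual choice here.
access-list 10 permit 192.0.2.100
access-list 10 deny any log
!
line vty 0 4
 access-class 10 in
 password cisco
 login
```

After applying this, `show ip interface FastEthernet0/0` should report `Inbound access list is 102`, and `show access-lists` should show match counters climbing on lists 102 and 10 while list 101 stays at zero, which is the observable difference between a list that is defined and one that is actually invoked.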