Access-list

hassan_syed6
Level 1

Hello,

I have a very basic question.

Let's say you have an access-list defined on your router and you have not put it under an interface (WAN/LAN) as an access-group, or invoked it through route-maps. So now, when a packet comes into the router, wouldn't the router check the access-list defined to see whether there is anything defined for that packet?

I was talking to a colleague, and according to him, even if you have many access-lists defined on your router and you don't have those access-lists applied under any interface or invoked through route-maps, then those access-lists are useless. My thinking was no: even if those access-lists are defined but not being invoked, the router will still check them.

I hope I am clear in my question.

5 Replies

christianjkoch
Level 1

If the ACL is not attached to an interface, nothing will be checked.

smothuku
Level 7

Hi,

Yes, you are correct. Creating an access-list without applying it to any interface is useless.

You can apply up to two access lists to an interface: one inbound access list and one outbound access list. With other protocols, you apply only one access list, which checks both inbound and outbound packets.

If the access list is inbound, when the router receives a packet, the Cisco IOS software checks the access list's criteria statements for a match. If the packet is permitted, the software continues to process the packet. If the packet is denied, the software discards the packet.

If the access list is outbound, after receiving and routing a packet to the outbound interface, the software checks the access list's criteria statements for a match. If the packet is permitted, the software transmits the packet. If the packet is denied, the software discards the packet.

IMP: ***** Access lists that are applied to interfaces do not filter traffic that originates from that router. *****

Hope this clarifies it for you.

Thanks,

satish

In addition to Satish's post, you can use a route-map to group the access-lists and apply them to the interface.

Hope this helps.

Hello,

Thanks for all the replies. Now I have one confusion, which is as follows.

This is clear to me now: no matter how many access-lists are defined in the router, if the access-lists are not getting invoked, then they are useless. I have the following access-list defined on the router:

access-list 101 permit tcp any eq telnet any

I do not have this telnet access-list applied under vty 0 4 as "access-class 101 in". So how come I am able to telnet even though it's not under vty 0 4? Sorry for asking these basic/stupid questions.

Following is what I have for vty 0 4:

line vty 0 4
 password cisco
 login

Regards,

Hassan.

Hassan

The config that you have posted has no restriction on the ability to telnet to the router. So anyone will be able to telnet to the router (as long as they know the password that is configured). Even if the access list had deny any any instead of permit any any, it would not restrict telnet access unless it is applied to the vty ports.

HTH

Rick

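To tie the two points in this thread together (an ACL is only consulted once it is attached somewhere, and the vty lines are protected with access-class rather than an interface access-group), here is an added IOS configuration example; it is not from any post in the thread. The interface name and the 192.0.2.0/24 management subnet are placeholders, and the telnet match is written on the destination port so that it describes traffic going to the router.

```cisco
! Added example, not from the thread. Step 1: an ACL that is only defined.
! It is never consulted and its match counter stays at 0.
access-list 101 permit tcp any any eq telnet
!
! Step 2: the same ACL attached inbound on the WAN interface.
! From now on every packet arriving on this interface is tested against it.
! Note: traffic that the router itself originates is not filtered here.
interface GigabitEthernet0/0
 description WAN uplink (placeholder interface name)
 ip access-group 101 in
!
! Step 3: restricting who may telnet to the router is done on the vty
! lines with access-class, not with ip access-group on an interface.
! A standard ACL naming the management subnet (constructed address range);
! the explicit deny with log makes rejected attempts visible in the log.
access-list 10 remark management hosts allowed to reach the vty lines
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny   any log
!
line vty 0 4
 access-class 10 in
 password cisco
 login
!
! Verification:
!   show ip interface GigabitEthernet0/0  - shows "Inbound  access list is 101"
!                                           only once step 2 is in place
!   show ip access-lists                  - the "(N matches)" counters only
!                                           increment for ACLs that are applied
!   show running-config | section line vty - confirms access-class 10 in
```

If the vty lines carry no access-class, as in the original post, the telnet session is accepted regardless of what access-list 101 says, because nothing ever evaluates it.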