Let's say you have an access-list defined on your router and you have not put it under the interface (WAN/LAN) as an access-group or invoked it through route-maps. So now, when a packet comes into the router, wouldn't the router check the access-list defined to see whether there is anything defined for that packet?
I was talking to a colleague, and according to him, even if you have many access-lists defined on your router and you don't have those access-lists applied under any interface or invoked through route-maps, then those access-lists are useless. My thinking was no: even if those access-lists are defined but not being invoked, the router will still check them.
Yes, you are correct. Creating an access-list without applying it to any interface is useless.
You can apply up to two access lists to an interface: one inbound access list and one outbound access list. With other protocols, you apply only one access list, which checks both inbound and outbound packets.
If the access list is inbound, when the router receives a packet, the Cisco IOS software checks the access list's criteria statements for a match. If the packet is permitted, the software continues to process the packet. If the packet is denied, the software discards the packet.
If the access list is outbound, after receiving and routing a packet to the outbound interface, the software checks the access list's criteria statements for a match. If the packet is permitted, the software transmits the packet. If the packet is denied, the software discards the packet.
IMPORTANT: Access lists that are applied to interfaces do not filter traffic that originates from that router.
Thanks for all the replies. Now I have one confusion, which is as follows.
This is clear to me now: no matter how many access-lists are defined in the router, if the access-lists are not getting invoked then they are useless. I have the following access-list defined on the router:
access-list 101 permit tcp any eq telnet any
I do not have this telnet access-list defined under vty 0 4 as "access-class 101 in". So how come I am able to telnet even though it's not under vty 0 4? Sorry for asking these basic/stupid questions.
The config that you have posted has no restriction on the ability to telnet to the router. So anyone will be able to telnet to the router (as long as they know the password that is configured). Even if the access list had deny any any instead of permit any any, it would not restrict telnet access unless it is applied to the vty ports.
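To make the two answers concrete (the inbound/outbound access-group behaviour described earlier in the thread, and the vty access-class point in this reply), here is an added IOS configuration example. It is not from the original thread or from any of the posters. The management subnet 192.0.2.0/24, the interface name GigabitEthernet0/0 and the ACL number 10 are assumptions chosen for illustration.

```text
! --- As posted: the ACL exists in the config but is bound nowhere, so the
!     forwarding path never consults it and it has no effect at all ---
access-list 101 permit tcp any eq telnet any
!
! Two quick checks that reveal an orphaned ACL:
!   show ip access-lists 101
!     -> the "(N matches)" counters never increment, because nothing
!        is ever evaluated against the list
!   show running-config | include access-group|access-class
!     -> empty output means no interface or vty line references any ACL
!
! --- Corrected: bind the filters where the traffic actually passes ---
!
! 1) Restrict who may open a vty (telnet/ssh) session to the router.
!    access-class matches on the source address of the login attempt on
!    every interface, so this is the control that actually governs logins.
!    A standard ACL is the usual choice here; 192.0.2.0/24 is an assumed
!    management subnet.
access-list 10 remark Management hosts allowed to reach the vty lines
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny   any log
!
line vty 0 4
 access-class 10 in
! (hardening beyond the question: "transport input ssh" would also drop telnet)
!
! 2) Filter traffic entering the WAN interface. ACL 101 is rewritten so that
!    "eq telnet" sits on the destination port; the posted line matched a
!    *source* port of 23, which is not what the original poster seemed to
!    want. An inbound interface ACL covers packets received on that one
!    interface, both transit packets and packets addressed to the router,
!    but never packets the router itself originates (the IMPORTANT note above).
no access-list 101
access-list 101 remark Drop inbound telnet arriving on the WAN, allow the rest
access-list 101 deny   tcp any any eq telnet log
access-list 101 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group 101 in
!
! After this change, "show ip access-lists" shows match counters climbing on
! lines 10 and 101, which is the confirmation that the lists are in the path.
```

The split matters for the thread's question: ACL 101 on GigabitEthernet0/0 only affects telnet attempts that arrive on that interface, whereas the access-class on the vty lines applies to logins arriving on any interface. Leaving either ACL defined but unreferenced, as in the posted config, leaves telnet wide open to anyone who knows the password.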