Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Webcast-Catalyst9k
New Member

Access-list

Hello,

I have a very basic question.

Let's say you have access-list defined on your Router and you have not put it under the interface ( WAN/LAN) as a access-group or not invoking it throug route-maps. So now when a packet comes into the router wouldn't the router check the access-list define to see whether is there anything defined for that Packet.

I was talking to a colleague and according to him even if you have many access-list defined on your Router and you don't have those access-list defined under any interface or invoking it through route-maps then those access-lists are useless. My thing was no even if those access-lists are defined but not being invoked, router will still check them out.

I hope i am clear in my question..

5 REPLIES
New Member

Re: Access-list

if the acl is not attached to an interface nothing will be checked.

Silver

Re: Access-list

Hi ,

Yes , you are correct. Creating access-list without applying to any interface is useless.

you can apply up to two access lists to an interface: one inbound access list and one outbound access list. With other protocols, you apply only one access list which checks both inbound and outbound packets.

If the access list is inbound, when the router receives a packet, the Cisco IOS software checks the access list's criteria statements for a match. If the packet is permitted, the software continues to process the packet. If the packet is denied, the software discards the packet.

If the access list is outbound, after receiving and routing a packet to the outbound interface, the software checks the access list's criteria statements for a match. If the packet is permitted, the software transmits the packet. If the packet is denied, the software discards the packet.

IMP : *****Access lists that are applied to interfaces do not filter traffic that originates from that router. *****

Hope it clarifies you.

Thanks,

satish

Silver

Re: Access-list

In additional to Satish's post, you can use route-map to group the access-list and apply to the interface.

Hope this helps.

New Member

Re: Access-list

Hello,

Thanks for all the replies. Now i have one confusion, which is as follows.

This is clear to me now, no matter how many access-list's are defined in the router but if the access-lists are not getting invoked then it's useless. I have the following access-list defined on the router

access-list 101 permit tcp any eq telnet any

I do not have this telnet access-list defined under vty 0 4, as "access-class 101 in". So how come i am able to telnet even though it's not under vty 0 4. Sorry for asking these basic/stupid questions.

Following is what i have for vty 0 4

line vty 0 4

password cisco

login

Regards,

Hassan.

Hall of Fame Super Gold

Re: Access-list

Hassan

The config that you have posted has no restriction on the ability to telnet to the router. So anyone will be able to telnet to the router (as long as they know the password that is configured). Even if the access list had deny any any instead of permit any any it would not restrict telnet access unless it is applied to the vty ports.

HTH

Rick

313
Views
0
Helpful
5
Replies
CreatePlease to create content