Access-list Question

Status
Not open for further replies.

Microbyte

Technical User
Feb 20, 2003
223
US
Does the router go through each line of a particular access-list until it reaches the bottom, or does the search stop when it finds the first match?

for example:

access-list 120 permit ip any any
access-list 120 deny tcp any any eq telnet

would the router get to the 2nd deny tcp line?


And... how about this... can this be possible? If it is, how would it affect the router?

access-list 120 permit ip any any
access-list 120 deny ip any any

what would happen in this case? This may be a stupid question, and if it is I apologize, but I am curious and a bit confused.
Thanks.





Access-lists are processed from top down, with the first match principle.

Thus (in your first example) you would never get to the access-list 120 deny tcp any any eq telnet. In the second statement you would never get to the deny ip any any as all traffic is permitted above.

Also remember that there is an implicit deny ip any any at the end of every access-list. I've had to learn that fact the hard way. :)

Hope this helps.
 
Hey, it's not the way you think:
it gets stuck at the 1st matching access-list line it can lay its eyes on,
then no processing goes on from there.
I would advise using named access-lists so you can manipulate them the way you want.
See ya at the hall of fame! :)
 
The last update is correct. The access list is applied to the interface either incoming or outgoing. When the packet goes through the router interface in the desired direction the access list is applied. If there is a match the packet is either forwarded or denied as per the line in the access list, down to the explicit deny at the end.

Be careful with the layout of the access list. It goes down one line at a time until it gets a match. So if you allow all traffic through on the 172.165.39.0 network and then have a deny for 172.165.39.5 on the next line, the packet will already have gone through. Take this into account when writing access lists.
 
Just a note regarding specifying "ip" as the protocol in an extended access-list: for the router it means to look for any protocol that "runs" on IP, i.e. TCP, UDP, all IP routing protocols, ICMP...

And never forget that any standard access-list has an implicit "deny any", and any extended access-list an implicit "deny ip any any", as its last line; however, it is not shown.

Peter Mesjar
CCNP, A+ certified
pmesjar@centrum.sk

"The only true wisdom is in knowing you know nothing."
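To make the top-down, first-match behaviour and the implicit deny described in the replies above concrete, here is an added example (not from the original thread or from any Cisco code) that simulates how a router walks an extended access-list. It assumes a simplified entry format: source and destination are "any" or CIDR prefixes instead of Cisco wildcard masks, and "eq port" applies only to tcp/udp.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass
class Ace:
    """One access-list entry (simplified Cisco extended-ACL line)."""
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp", "udp", "icmp" ("ip" matches all of them)
    src: str               # "any" or CIDR prefix (stands in for a wildcard mask)
    dst: str               # "any" or CIDR prefix
    dport: Optional[int] = None   # "eq <port>" for tcp/udp, None = any port

def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec)

def _proto_match(spec: str, proto: str) -> bool:
    # "ip" in an extended ACL covers every protocol carried over IP
    return spec == "ip" or spec == proto

def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Walk the ACL top down and return (action, index of the matching line).
    Processing stops at the first match; if nothing matches, the packet hits
    the implicit "deny ip any any" and the index is None."""
    for i, ace in enumerate(acl):
        if (_proto_match(ace.proto, proto)
                and _addr_match(ace.src, src)
                and _addr_match(ace.dst, dst)
                and (ace.dport is None or ace.dport == dport)):
            return ace.action, i
    return "deny", None

# The thread's first example: the telnet deny on line 2 is shadowed by line 1.
ACL_TELNET = [Ace("permit", "ip", "any", "any"),
              Ace("deny", "tcp", "any", "any", 23)]

# The 172.165.39.0/24 example: a host deny placed after a network permit.
ACL_HOST_SHADOWED = [Ace("permit", "ip", "172.165.39.0/24", "any"),
                     Ace("deny", "ip", "172.165.39.5/32", "any")]
ACL_HOST_FIXED = list(reversed(ACL_HOST_SHADOWED))   # most specific line first

if __name__ == "__main__":
    print(evaluate(ACL_TELNET, "tcp", "10.1.1.1", "10.2.2.2", 23))        # ('permit', 0)
    print(evaluate(ACL_HOST_SHADOWED, "tcp", "172.165.39.5", "10.2.2.2"))  # ('permit', 0)
    print(evaluate(ACL_HOST_FIXED, "tcp", "172.165.39.5", "10.2.2.2"))     # ('deny', 0)
    print(evaluate(ACL_HOST_FIXED, "tcp", "192.0.2.9", "10.2.2.2"))        # ('deny', None)
```

Reordering the two lines so the host deny comes first is what makes the deny take effect; the last call shows a packet from an address no line mentions falling through to the implicit deny.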
 