Solved

Cisco ACLs Top-Down

Posted on 2011-10-24
Last Modified: 2012-06-22
RouterA(config)#access-list 1 deny 172.22.5.2 0.0.0.0
RouterA(config)#access-list 1 deny 172.22.5.3 0.0.0.0
RouterA(config)#access-list 1 permit any


Considering the above lines: if the first line is matched, then the ACL process will stop and the other 2 lines are ignored.
In case I want the 3 lines above to be applied, how do I make my ACL(s) do that?

Thanks
Question by:jskfan
21 Comments
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 1144 total points
ID: 37016986
On the interface you want to apply this list to, give:

ip access-group <acl-number> in|out

So that should be:

RouterA(config)#access-list 1 deny 172.22.5.2 0.0.0.0
RouterA(config)#access-list 1 deny 172.22.5.3 0.0.0.0
RouterA(config)#access-list 1 permit any
RouterA(config)#interface e0/0
RouterA(config-if)#ip access-group 1 in

Or the interface you want to use it on.
0
 
LVL 17

Assisted Solution

by:Marius Gunnerud
Marius Gunnerud earned 712 total points
ID: 37017092
The other option would be to use a named ACL. The advantage with named ACLs is that you don't have to remove, edit and then re-add it. You can just type the sequence number and the permit/deny statement.

ip access-list standard ACL
deny host 172.22.5.2
deny host 172.22.5.3
permit any

interface fa0/1
ip access-group ACL <in/out>

0
 
LVL 50

Assisted Solution

by:Don Johnston
Don Johnston earned 144 total points
ID: 37017607
>In case I want the 3 lines above to be applied, how do I make mt ACL(s) do that?

You want all three lines to be checked? Even if the first line is matched?

You can't.

Or are you asking how to apply the ACL to an interface?
0

Author Comment

by:jskfan
ID: 37019559
deny host 172.22.5.2
deny host 172.22.5.3
permit any

For instance, I want all hosts from the network 172.22.5.0 to access a specific LAN through a router, except for the hosts .2 and .3.

172.22.5.x----|Router1|---LAN
0
 
LVL 17

Assisted Solution

by:Marius Gunnerud
Marius Gunnerud earned 712 total points
ID: 37019765
Then the sample configs above will work
0
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 1144 total points
ID: 37019959
As said, you got it right from the start :)
0
 

Author Comment

by:jskfan
ID: 37029816
so when the first line is matched:
deny host 172.22.5.2

it will still go to the next 2 lines ???

0
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 1144 total points
ID: 37029885
No, it stops processing the list.
If I remember correctly we discussed that in one of your other questions, didn't we?
0
 

Author Comment

by:jskfan
ID: 37029985
On one side you are saying it stops on the first line.
On the other side, when I asked:

"I want all hosts from the network 172.22.5.0 to access a specif LAN through a router, except for the hosts .2 and .3 "

you said this will do the job:
deny host 172.22.5.2
deny host 172.22.5.3
permit any


So how does it go to the second then 3rd line, if it stops on the 1st line as you stated ???


0
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 1144 total points
ID: 37030101
When will it stop on the first line: when host 172.22.5.2 connects (match).
When will it stop on the second line: when host 172.22.5.3 connects (match).
When will it stop on the third line: when any other host connects.

Do you see the principle behind it?
0
 
LVL 17

Assisted Solution

by:Marius Gunnerud
Marius Gunnerud earned 712 total points
ID: 37030140
Only an exact match will be denied. So if ip address 172.22.5.4 was to access the LAN the router first checks the first statement...does it match? No, go to the next line...does it match? No, go to the next line... does it match? Yes, action permit.
0
 

Author Comment

by:jskfan
ID: 37036166
deny host 172.22.5.2
deny host 172.22.5.3
permit any

Let me be clear of my understanding:

If a host with IP address 172.22.5.2 is trying to access the network where the access list [ip access-list standard ACL] is applied, then
the host 172.22.5.2 will be denied. Correct?

If a host with IP 172.22.5.3 is trying to access the network, it will be denied too.

All other hosts will be allowed.

So if my statement is correct, then the ACL is checking each condition, even though it is not at the same second, but at each attempt that a host with a certain IP tries to get into the network.
 
0
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 1144 total points
ID: 37036454
If I read that correctly then you are right.
Every connection attempt is checked against the access list (on the interface where the attempt is being made). So for every attempt the access list is checked top-down until there is a match.
0
 
LVL 17

Assisted Solution

by:Marius Gunnerud
Marius Gunnerud earned 712 total points
ID: 37036496
I may have read that differently than erniebeek.

It checks each condition until a condition is met and then stops. Take the following configuration for example.

deny host 172.22.5.2
permit any any
deny host 172.22.5.3
permit any

In this scenario if host 172.22.5.2 tries to access the network he will be denied as he is first in the list. Now if 172.22.5.3 tries to connect to the network he will be permitted even though there is a deny statement in the ACL. This is because he matches the any any statement which is placed before the deny host 172.22.5.3 statement.

So the device checks each statement top - down, one by one, until a match is found and then performs the action associated with that statement and then stops.
0
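The two explanations above (Ernie Beek's "where does it stop for each host" and Marius Gunnerud's reordered list) describe the same rule: an ACL is walked top-down, the first matching entry decides, and a packet that matches nothing hits the implicit deny at the end. The following is an added example, not code from the thread or from Cisco: a small Python simulator of standard-ACL matching (host, any, and address/wildcard entries) that reports which line decided each source address, plus a check for entries that can never fire because an earlier line already covers them. The ACL text and IP addresses are the ones quoted in the thread; the function names are my own.

```python
import ipaddress
from typing import List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF  # wildcard mask for "any": every bit is "don't care"


def parse_ace(line: str) -> Tuple[str, int, int]:
    """Parse one standard access-control entry into (action, address, wildcard).

    Accepts the forms seen in the thread:
      'deny host 172.22.5.2'        -> exact host (wildcard 0.0.0.0)
      'deny 172.22.5.2 0.0.0.0'     -> address + wildcard mask
      'permit any' / 'permit any any' -> matches everything
    Wildcard bits set to 1 are ignored when comparing, as on IOS.
    """
    parts = line.split()
    if len(parts) < 2 or parts[0].lower() not in ("permit", "deny"):
        raise ValueError(f"not a standard ACE: {line!r}")
    action, operand = parts[0].lower(), parts[1:]
    if operand[0] == "any":
        return action, 0, ALL_ONES
    if operand[0] == "host":
        return action, int(ipaddress.IPv4Address(operand[1])), 0
    addr = int(ipaddress.IPv4Address(operand[0]))
    wildcard = int(ipaddress.IPv4Address(operand[1])) if len(operand) > 1 else 0
    return action, addr, wildcard


def evaluate(acl: List[str], source: str) -> Tuple[str, Optional[int]]:
    """Walk the ACL top-down and return (action, index of the line that matched).

    The index is None when no line matched and the implicit 'deny any' applied.
    Processing stops at the first match; later lines are never consulted.
    """
    src = int(ipaddress.IPv4Address(source))
    for idx, line in enumerate(acl):
        action, addr, wildcard = parse_ace(line)
        # Compare only the bits where the wildcard is 0.
        if ((src ^ addr) & ~wildcard & ALL_ONES) == 0:
            return action, idx
    return "deny", None  # implicit deny at the end of every IOS ACL


def shadowed_lines(acl: List[str]) -> List[int]:
    """Return indexes of entries that can never match.

    An entry is shadowed when an earlier entry covers every address it could
    match, regardless of action. This is the audit a reviewer would run on
    the reordered list from the thread, where 'permit any' sits above a deny.
    """
    parsed = [parse_ace(line) for line in acl]
    shadowed: List[int] = []
    for j, (_, addr_j, wc_j) in enumerate(parsed):
        for _, addr_i, wc_i in parsed[:j]:
            wider = (wc_i | wc_j) == wc_i                      # i ignores at least the bits j ignores
            same_fixed = ((addr_i ^ addr_j) & ~wc_i & ALL_ONES) == 0  # and agrees on the rest
            if wider and same_fixed:
                shadowed.append(j)
                break
    return shadowed


# ACLs quoted in the thread (constructed test data, not a live config).
ACL_NUMBERED = ["deny 172.22.5.2 0.0.0.0", "deny 172.22.5.3 0.0.0.0", "permit any"]
ACL_ORIGINAL = ["deny host 172.22.5.2", "deny host 172.22.5.3", "permit any"]
ACL_REORDERED = ["deny host 172.22.5.2", "permit any any", "deny host 172.22.5.3", "permit any"]
ACL_PERMIT_ONLY = ["permit host 172.22.5.2", "permit host 172.22.5.3"]


if __name__ == "__main__":
    for name, acl in (("original", ACL_ORIGINAL), ("reordered", ACL_REORDERED),
                      ("permit-only", ACL_PERMIT_ONLY)):
        print(f"--- {name} ---")
        for host in ("172.22.5.2", "172.22.5.3", "172.22.5.4"):
            action, idx = evaluate(acl, host)
            where = "implicit deny" if idx is None else f"line {idx + 1}: {acl[idx]}"
            print(f"{host:<12} -> {action:<6} ({where})")
        print("shadowed entries:", [acl[i] for i in shadowed_lines(acl)] or "none")
```

Running it shows 172.22.5.3 stopping at line 2 in the original list but at the `permit any any` line in the reordered one, exactly as Marius describes, and `shadowed_lines` flags the two entries below that `permit` as unreachable, which is the defect a config review should catch before the list is applied with `ip access-group`.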
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 1144 total points
ID: 37036652
@MAG03: I think I see what you mean. Jskfan's comment implies that every ACE is checked while, as we stated, they are checked top-down until there is a match (and the rest isn't checked).
0
 

Author Comment

by:jskfan
ID: 37036949
deny host 172.22.5.2
permit any any
deny host 172.22.5.3
permit any

MAG03:
In the real world I don't think you set up the access list the way it is shown above.

I believe you always start with Deny even if it takes 3,4,5 lines, then follow up with permit.

If you start with Permit:
Permit host 172.22.5.2
Permit host 172.22.5.3

I don't think the second line [Permit host 172.22.5.3] will not be checked, otherwise the host 172.22.5.3 would never have access to the Network.


then at the end the implicit Deny will always apply
0
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 1144 total points
ID: 37036965
In real world you wouldn't (though it sometimes happens :). This was just being used as an example.
0
 

Author Comment

by:jskfan
ID: 37037002
So here:

ip access-list standard ACL
Permit host 172.22.5.2
Permit host 172.22.5.3


host 172.22.5.2  will access the network
host 172.22.5.3  will access the network

The rest will be denied

Correct???


0
 
LVL 17

Assisted Solution

by:Marius Gunnerud
Marius Gunnerud earned 712 total points
ID: 37037073
As erniebeek has already said that was an example. hehe.

As per your last post, yes those two IP addresses will be permitted...all else is denied.
0
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 1144 total points
ID: 37037098
Yup (through the implicit deny all).

Looks like we're getting there (?)
0
 

Author Closing Comment

by:jskfan
ID: 37043059
Thanks
0
