ACL

Answered Question
Apr 18th, 2008

A router is running "c7200-advsecurityk9-mz.124-11.T.bin". We have a few hundred ACLs in our router. Every time we add one ACL we need to delete it first because there is a deny any at the end. Is there any way to make those ACLs easier to manage, i.e. simply add one ACL without deleting the existing ACL?

Edison Ortiz Fri, 04/18/2008 - 07:59

Instead of using 'numbered' ACLs, you should migrate to 'named' ACLs.

Example, here is a 'named' ACL with a deny at the end:

sh run | sec NETPRO
ip access-list extended NETPRO
 permit ip host 1.1.1.1 host 2.2.2.2
 permit ip host 1.1.1.1 host 3.3.3.3
 deny ip any any

If I wanted to insert an entry before the deny any any...

Rack1R4#show ip access-lists NETPRO
Extended IP access list NETPRO
    10 permit ip host 1.1.1.1 host 2.2.2.2
    20 permit ip host 1.1.1.1 host 3.3.3.3
    30 deny ip any any
Rack1R4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rack1R4(config)#ip access-list extended NETPRO
Rack1R4(config-ext-nacl)#25 permit ip host 1.1.1.1 host 4.4.4.4
Rack1R4(config-ext-nacl)#do show run | sec NETPRO
ip access-list extended NETPRO
 permit ip host 1.1.1.1 host 2.2.2.2
 permit ip host 1.1.1.1 host 3.3.3.3
 permit ip host 1.1.1.1 host 4.4.4.4
 deny ip any any

HTH,

__

Edison.

sundar.palaniappan Fri, 04/18/2008 - 08:03

You should be able to delete entries in the ACL by using sequence #s, without having to delete the whole ACL, modify it and put it back.

Here you go.

R1#show access-list 100
Extended IP access list 100
    10 permit ip 172.16.1.0 0.0.0.255 150.50.0.0 0.0.255.255 (2 matches)
    20 permit ip 192.168.1.0 0.0.0.255 150.50.0.0 0.0.255.255
R1#config t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip access-list ext 100
R1(config-ext-nacl)#no 20
R1(config-ext-nacl)#end
R1#show access-list 100
Extended IP access list 100
    10 permit ip 172.16.1.0 0.0.0.255 150.50.0.0 0.0.255.255 (2 matches)

HTH

Sundar

Edit: I just noticed Edison responded to this as well. It wasn't possible a while ago, but you have been able to use numbered ACLs to remove or add sequence #s for some time now.

Correct Answer
Edison Ortiz Fri, 04/18/2008 - 08:06

And I just noticed another new behavior: you don't need to migrate to 'named' ACLs.

Here is my current ACL:

access-list 101 permit ip host 1.1.1.1 host 2.2.2.2
access-list 101 permit ip host 1.1.1.1 host 3.3.3.3
access-list 101 permit ip host 1.1.1.1 host 4.4.4.4
access-list 101 deny ip any any

Now, I want to add an additional entry before deny ip any any....

Rack1R4#show ip access-list
Extended IP access list 101
    10 permit ip host 1.1.1.1 host 2.2.2.2
    20 permit ip host 1.1.1.1 host 3.3.3.3
    25 permit ip host 1.1.1.1 host 4.4.4.4
    30 deny ip any any
Rack1R4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rack1R4(config)#ip access-list extended 101
Rack1R4(config-ext-nacl)#26 permit ip host 1.1.1.1 host 5.5.5.5
Rack1R4(config-ext-nacl)#do show run | sec 101
access-list 101 permit ip host 1.1.1.1 host 2.2.2.2
access-list 101 permit ip host 1.1.1.1 host 3.3.3.3
access-list 101 permit ip host 1.1.1.1 host 4.4.4.4
access-list 101 permit ip host 1.1.1.1 host 5.5.5.5
access-list 101 deny ip any any

__

Edison.
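As an added example (not from this thread or from Cisco), a small Python helper that parses the `show ip access-lists` output shown above, picks a free sequence number just before the trailing `deny ip any any`, and emits the same two commands Edison types; the sample input is constructed from ACL 101 in the thread. It also covers the case the thread does not show, when no sequence number is left between the last permit and the deny, by first emitting the standard IOS `ip access-list resequence` command (assumed available on the platform, since the thread does not mention it).

```python
import re

# Constructed sample input: the "show ip access-lists" output for ACL 101 above.
SHOW_ACL_101 = """Extended IP access list 101
    10 permit ip host 1.1.1.1 host 2.2.2.2
    20 permit ip host 1.1.1.1 host 3.3.3.3
    25 permit ip host 1.1.1.1 host 4.4.4.4
    30 deny ip any any
"""

# One ACE line: sequence number, action, remainder; a trailing "(N matches)"
# hit counter, as in Sundar's output, is ignored.
ACE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\(\d+ matches?\))?\s*$")


def parse_entries(show_output):
    """Return [(seq, action, rest)] for every numbered ACE in the output."""
    matches = map(ACE_RE.match, show_output.splitlines())
    return [(int(m.group(1)), m.group(2), m.group(3)) for m in matches if m]


def insert_before_deny(acl, show_output, new_ace):
    """Build the IOS commands that add new_ace immediately before the
    trailing 'deny ip any any' of ACL `acl` (numbered or named) while
    leaving every existing entry untouched. Raises ValueError if the ACL
    does not end in that explicit deny, so a new permit never lands after
    it by accident."""
    entries = parse_entries(show_output)
    if not entries or entries[-1][1:] != ("deny", "ip any any"):
        raise ValueError("ACL must end with an explicit 'deny ip any any'")
    prev_seq = entries[-2][0] if len(entries) > 1 else 0
    deny_seq = entries[-1][0]
    cmds = []
    if deny_seq - prev_seq < 2:
        # No free sequence number left before the deny: renumber the ACL
        # 10, 20, 30, ... first (global config command, assumed supported);
        # the entry before the deny then sits at (number of entries - 1) * 10.
        cmds.append(f"ip access-list resequence {acl} 10 10")
        prev_seq = (len(entries) - 1) * 10
    cmds.append(f"ip access-list extended {acl}")
    cmds.append(f"{prev_seq + 1} {new_ace}")
    return cmds


if __name__ == "__main__":
    for cmd in insert_before_deny("101", SHOW_ACL_101,
                                  "permit ip host 1.1.1.1 host 5.5.5.5"):
        print(cmd)
```

After pushing the commands, `do show run | sec 101` as in the thread confirms the new permit sits above the deny.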

kzhen Fri, 04/18/2008 - 10:14

Edison,

it really helps. How can you get those info about ACL?

thanks,

Ken

Edison Ortiz Fri, 04/18/2008 - 10:46

Ken,

The first iteration I learned during my CCNP studies and on the job.

The last iteration I learned it today while playing with my gear for this very same post :)

Thanks for the rating and good luck !
