ACL

Answered Question
Apr 18th, 2008

A router is running "c7200-advsecurityk9-mz.124-11.T.bin". We have a few hundred ACLs in our router. Every time we add one ACL we need to delete first, because there is a deny any at the end. Is there any way to make those ACLs easier to manage? Just simply add one ACL without deleting the existing ACL.

Edison Ortiz Fri, 04/18/2008 - 07:59

Instead of using 'numbered' ACLs, you should migrate to 'named' ACLs.


Example, here is a 'named' ACL with a deny at the end:


sh run | sec NETPRO
ip access-list extended NETPRO
permit ip host 1.1.1.1 host 2.2.2.2
permit ip host 1.1.1.1 host 3.3.3.3
deny ip any any


If I wanted to insert an entry before the deny any any...



Rack1R4#show ip access-lists NETPRO
Extended IP access list NETPRO
10 permit ip host 1.1.1.1 host 2.2.2.2
20 permit ip host 1.1.1.1 host 3.3.3.3
30 deny ip any any
Rack1R4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rack1R4(config)#ip access-list extended NETPRO
Rack1R4(config-ext-nacl)#25 permit ip host 1.1.1.1 host 4.4.4.4
Rack1R4(config-ext-nacl)#do show run | sec NETPRO
ip access-list extended NETPRO
permit ip host 1.1.1.1 host 2.2.2.2
permit ip host 1.1.1.1 host 3.3.3.3
permit ip host 1.1.1.1 host 4.4.4.4
deny ip any any


HTH,


__


Edison.


sundar.palaniappan Fri, 04/18/2008 - 08:03

You should be able to delete entries in the ACL by using sequence #s, without having to delete the whole ACL, modify it and put it back.


Here you go.


R1#show access-list 100
Extended IP access list 100
10 permit ip 172.16.1.0 0.0.0.255 150.50.0.0 0.0.255.255 (2 matches)
20 permit ip 192.168.1.0 0.0.0.255 150.50.0.0 0.0.255.255

R1#config t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip access-list ext 100
R1(config-ext-nacl)#no 20
R1(config-ext-nacl)#end

R1#show access-list 100
Extended IP access list 100
10 permit ip 172.16.1.0 0.0.0.255 150.50.0.0 0.0.255.255 (2 matches)


HTH


Sundar


Edit: I just noticed Edison responded to this as well. It wasn't possible a while ago, but you have been able to use numbered ACLs to remove or add sequence #s for some time now.

Correct Answer
Edison Ortiz Fri, 04/18/2008 - 08:06

And I just noticed another new behavior: you don't need to migrate to 'named' ACLs.


Here is my current ACL:


access-list 101 permit ip host 1.1.1.1 host 2.2.2.2
access-list 101 permit ip host 1.1.1.1 host 3.3.3.3
access-list 101 permit ip host 1.1.1.1 host 4.4.4.4
access-list 101 deny ip any any


Now, I want to add an additional entry before deny ip any any....



Rack1R4#show ip access-list
Extended IP access list 101
10 permit ip host 1.1.1.1 host 2.2.2.2
20 permit ip host 1.1.1.1 host 3.3.3.3
25 permit ip host 1.1.1.1 host 4.4.4.4
30 deny ip any any
Rack1R4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rack1R4(config)#ip access-list extended 101
Rack1R4(config-ext-nacl)#26 permit ip host 1.1.1.1 host 5.5.5.5
Rack1R4(config-ext-nacl)#do show run | sec 101
access-list 101 permit ip host 1.1.1.1 host 2.2.2.2
access-list 101 permit ip host 1.1.1.1 host 3.3.3.3
access-list 101 permit ip host 1.1.1.1 host 4.4.4.4
access-list 101 permit ip host 1.1.1.1 host 5.5.5.5
access-list 101 deny ip any any


__


Edison.
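
The two answers above (Sundar's "no 20" deletion and Edison's sequence-numbered insert before the trailing deny) boil down to one workflow: read the sequence numbers from "show ip access-lists", pick a free number below the explicit deny, and push the line in named-ACL configuration mode. The script below is an added example, not code from this thread or from Cisco; it parses constructed "show ip access-lists" output modelled on the posts, generates the insert and delete commands, and flags two things a practitioner wants checked: a new entry whose sequence number lands after "deny ip any any" can never match (IOS evaluates top-down), and when the last permit and the deny are adjacent (e.g. 29 and 30) there is no free number, so the script falls back to the IOS global command "ip access-list resequence <acl> 10 10", which is not shown on this page and is assumed from IOS documentation.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input, modelled on the 'show ip access-list' output in the thread.
SAMPLE_SHOW = """Extended IP access list 101
    10 permit ip host 1.1.1.1 host 2.2.2.2
    20 permit ip host 1.1.1.1 host 3.3.3.3
    25 permit ip host 1.1.1.1 host 4.4.4.4
    30 deny ip any any
"""


@dataclass
class Ace:
    """One access-control entry as IOS lists it: sequence number plus the rule text."""
    seq: int
    text: str  # e.g. "permit ip host 1.1.1.1 host 2.2.2.2"


HEADER_RE = re.compile(r"^(?:Extended|Standard) IP access list (\S+)")
# The optional trailing "(N matches)" hit counter is stripped from the rule text.
ACE_RE = re.compile(r"^\s*(\d+)\s+((?:permit|deny)\b.*?)(?:\s+\(\d+ matches?\))?\s*$")


def parse_show_access_list(output: str) -> Tuple[str, List[Ace]]:
    """Parse 'show ip access-lists' text into (acl name or number, entries in listed order)."""
    name = None
    aces: List[Ace] = []
    for line in output.splitlines():
        m = HEADER_RE.match(line)
        if m:
            name = m.group(1)
            continue
        m = ACE_RE.match(line)
        if m:
            aces.append(Ace(int(m.group(1)), m.group(2)))
    if name is None:
        raise ValueError("no 'IP access list' header found")
    return name, aces


def explicit_deny_index(aces: List[Ace]) -> Optional[int]:
    """Position of the explicit 'deny ip any any' entry, or None if the ACL has none."""
    for i, ace in enumerate(aces):
        if ace.text == "deny ip any any":
            return i
    return None


def sequence_before_deny(aces: List[Ace]) -> Optional[int]:
    """Lowest free sequence number between the entry preceding the explicit deny and the
    deny itself; None when the two are adjacent and no number is free."""
    idx = explicit_deny_index(aces)
    if idx is None:
        raise ValueError("ACL has no explicit 'deny ip any any' to insert before")
    prev_seq = aces[idx - 1].seq if idx > 0 else 0
    deny_seq = aces[idx].seq
    return prev_seq + 1 if deny_seq - prev_seq >= 2 else None


def shadowed_entries(aces: List[Ace]) -> List[Ace]:
    """Entries listed after the explicit deny. IOS evaluates top-down, so these can never
    match; they usually mean someone chose a sequence number above the deny."""
    idx = explicit_deny_index(aces)
    return [] if idx is None else aces[idx + 1:]


def insert_commands(acl_name: str, aces: List[Ace], rule: str) -> List[str]:
    """Config lines that add `rule` before the trailing deny, the way the thread does it
    (named-ACL configuration mode also accepts a numbered list). If no sequence number
    is free, resequence to 10/10 first (assumed IOS command) and pick the number again."""
    cmds = [f"ip access-list extended {acl_name}"]
    seq = sequence_before_deny(aces)
    if seq is None:
        cmds.insert(0, f"ip access-list resequence {acl_name} 10 10")
        resequenced = [Ace(10 * (i + 1), a.text) for i, a in enumerate(aces)]
        seq = sequence_before_deny(resequenced)
    cmds.append(f"{seq} {rule}")
    return cmds


def remove_commands(acl_name: str, seq: int) -> List[str]:
    """Delete a single entry by sequence number, as in Sundar's 'no 20' example."""
    return [f"ip access-list extended {acl_name}", f"no {seq}"]


if __name__ == "__main__":
    name, aces = parse_show_access_list(SAMPLE_SHOW)
    for line in insert_commands(name, aces, "permit ip host 1.1.1.1 host 5.5.5.5"):
        print(line)
```

Run against the sample, the script picks sequence 26 for the new host 5.5.5.5 entry, which is exactly the number Edison typed. Paste the generated lines into "conf t" and confirm with "show ip access-lists" that the new line sits above the deny; anything reported by shadowed_entries is dead configuration that should be removed or resequenced.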

kzhen Fri, 04/18/2008 - 10:14

Edison,


It really helps. How can you get that info about ACLs?


thanks,

Ken

Edison Ortiz Fri, 04/18/2008 - 10:46

Ken,


The first iteration I learned during my CCNP studies and on the job.


The last iteration I learned it today while playing with my gear for this very same post :)


Thanks for the rating and good luck!


