Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6112
Views
0
Helpful
4
Replies

access list using names instead of IPs

tachyon05
Level 1
Level 1

‎12-09-2009 03:50 PM

Is there a way to create acl using domain names instead of IPs/networks?  For example,

can I do something like

access-list 111 permit icmp host www.mycompany.org any echo

access-list 100 permit tcp any host www.1234.com

instead of

access-list 111 permit icmp host 4.3.2.1 any echo

access-list 100 permit tcp any 1.2.3.4 0.0.0.31

the main reason i would like to do this is so when company/site/server change their IP addresses, there would be no need to change the ACL.

2 people had this problem
Labels:
0 Helpful
4 Replies 4

sachinraja
Level 9
Level 9

‎12-14-2009 08:25 AM

Hi tachy

you have the "ip host" command on IOS devices which can statically map your hostname to an ip address. but the acl statements might not accept hostnames as the source or destination entries.

You can think implementing object-groups on routers and firewalls to achieve this (depends on the ios code you are running). With object groups, you can bundle IP addresses with a object-name and reference that on the access-list.. doing this, you dont need to change the acl entries everytime you change IP addresses, and you can just modify the object-group entries defined on the device.

Router# configure terminal


Router(config)# object-group network abc


Router(config-network-group)# host 1.1.1.1


Router(config-network-group)# host 2.2.2.2


Refer to CCO on the object-groups and you will find the exact configuration details. Hope this helps.. All the best...


Raj

0 Helpful

Mike Bailey
Level 1
Level 1

‎12-14-2009 02:03 PM

The access-list host functionality permits the use of a hostname as per:

     Router(config)#access-list 111 permit ip host ?
       Hostname or A.B.C.D  Source address

So assuming the router can resolve DNS then it should be possible to use a DNS host name in an ACL.

I've just tried the following and it seems to work:

     ip domain-lookup
     ip name-server 10.0.0.1

     !

     access-list 111 deny ip host 10.1.1.1 host www.bbc.co.uk

     !

     interface FastEthernet0/0

     ip access-group 111 out

     !

This blocked me connecting to www.bbc.co.uk from the client in question where I could before.

0 Helpful

sachinraja
Level 9
Level 9
In response to Mike Bailey

‎12-14-2009 02:33 PM

Mike is right. My bad. I missed the hostname parameter on the command line.. You can hence use the "ip host" command locally, or use DNS as Mike suggested. Object groups can be used, if the IOS supports it.

Thanks for the configs Mike.

Raj

0 Helpful

sraymond
Level 1
Level 1
In response to sachinraja

‎05-14-2010 12:19 PM

In my version of IOS 12.2(33)SXH4, one can input hostnames during the ACL configuration, but it immediately resolves those hostnames to IPs and inserts those into the output of "show run".  In other words, the hostnames are not preserved, which if I interpret the original post correctly, was the goal (IPs can dynamically change but are tied to permanent DNS records and thus ACLs not be changed).

Pertaining to this behavior, does IOS behave differently on different versions?  Am wondering if T-train would preserve the hostnames in ACL lines?

Thanks!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents