How to configure an access-list entry between two lines?

Answered Question
Aug 17th, 2010
Dear All,


I would like to ask you how to configure an access-list entry between line 1 and line 2; let me show the details below.

I have the access-list below and I want to add one access-list entry between the 192.168.1.0 line and the 192.168.2.0 line.

Which command can we use to do this?

ip access-list extended ACL_Coreswitch
deny   ip any 192.168.52.0 0.0.0.255
permit ip 192.168.27.0 0.0.0.255 192.168.1.0 0.0.0.255

##########
permit ip 192.168.27.0 0.0.0.255 192.168.2.0 0.0.0.255
deny   ip 192.168.27.0 0.0.0.255 192.168.3.0 0.0.0.255
deny   ip 192.168.27.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip any any

I mean this:

ip access-list extended ACL_Coreswitch
  deny   ip any 192.168.52.0 0.0.0.255
  permit ip 192.168.27.0 0.0.0.255 192.168.1.0 0.0.0.255

-------

permit ip 192.168.27.0 0.0.0.255 192.168.90.0 0.0.0.255


--------

permit ip 192.168.27.0 0.0.0.255 192.168.2.0 0.0.0.255
deny   ip 192.168.27.0 0.0.0.255 192.168.3.0 0.0.0.255
deny   ip 192.168.27.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip any any
Best Regards,

Rechard

Correct Answer by Jerry Ye (Cisco Employee), Tue, 08/17/2010 - 18:44

My first question is: what is the IOS version?

You can look at the sequence numbers of the ACL and then modify it accordingly. Here is the example I did in my lab with your config:


Rack1R1#sh ip access-list
Extended IP access list ACL_Coreswitch
    10 deny ip any 192.168.52.0 0.0.0.255
    20 permit ip 192.168.27.0 0.0.0.255 192.168.1.0 0.0.0.255
    30 permit ip 192.168.27.0 0.0.0.255 192.168.2.0 0.0.0.255
    40 deny ip 192.168.27.0 0.0.0.255 192.168.3.0 0.0.0.255
    50 deny ip 192.168.27.0 0.0.0.255 192.168.5.0 0.0.0.255
    60 permit ip any any

Rack1R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Rack1R1(config)#ip access-list ex ACL_Coreswitch
Rack1R1(config-ext-nacl)#25 perm ip 100.100.100.0 0.0.0.255 100.100.100.0 0.0.0.255
Rack1R1(config-ext-nacl)#exit

Rack1R1#sh ip access-list
Extended IP access list ACL_Coreswitch
    10 deny ip any 192.168.52.0 0.0.0.255
    20 permit ip 192.168.27.0 0.0.0.255 192.168.1.0 0.0.0.255
    25 permit ip 100.100.100.0 0.0.0.255 100.100.100.0 0.0.0.255
    30 permit ip 192.168.27.0 0.0.0.255 192.168.2.0 0.0.0.255
    40 deny ip 192.168.27.0 0.0.0.255 192.168.3.0 0.0.0.255
    50 deny ip 192.168.27.0 0.0.0.255 192.168.5.0 0.0.0.255
    60 permit ip any any


I believe you can do this after IOS 12.2(14)S, 12.2(15)T, 12.2(33)SRA, 12.2SX.


HTH,

jerry
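The mechanics behind Jerry's answer, as an added example that is not part of the original thread: the script below parses the `show ip access-list` output he posted, picks a free sequence number between two existing entries (25 between 20 and 30, exactly as in his lab), emits the IOS commands for the insert Rechard asked about (192.168.27.0/24 to 192.168.90.0/24), and then evaluates a few constructed sample packets with first-match semantics so the effect of the entry's position is visible. It also flags entries that can never match, which is what happens if a new `deny` is mistakenly given a sequence number after `permit ip any any`. The sample packets, the `shadowed` check and the sequence-number helper are assumptions for illustration; only `permit|deny ip SRC DST` entries are modelled (no ports, no `log`).

```python
"""IOS named-ACL sequence numbers and first-match evaluation (added example).

Parses `show ip access-list` output, picks a free sequence number between two
entries, emits the insert commands, and evaluates constructed sample packets
so the effect of entry order is visible. Models only `permit|deny ip SRC DST`.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Lab output from the answer above (real thread content, not constructed).
SHOW_OUTPUT = """\
Extended IP access list ACL_Coreswitch
    10 deny ip any 192.168.52.0 0.0.0.255
    20 permit ip 192.168.27.0 0.0.0.255 192.168.1.0 0.0.0.255
    30 permit ip 192.168.27.0 0.0.0.255 192.168.2.0 0.0.0.255
    40 deny ip 192.168.27.0 0.0.0.255 192.168.3.0 0.0.0.255
    50 deny ip 192.168.27.0 0.0.0.255 192.168.5.0 0.0.0.255
    60 permit ip any any
"""

ENTRY_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+ip\s+"
    r"(?P<src>any|\S+\s+\S+)\s+(?P<dst>any|\S+\s+\S+)"
    r"(?:\s+\(\d+ match(?:es)?\))?\s*$"          # optional "(N matches)" counter
)

Field = tuple  # (address, wildcard mask) as 32-bit ints


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str
    src: Field
    dst: Field


def parse_field(text: str) -> Field:
    """'any' is 0.0.0.0 255.255.255.255; otherwise 'ADDR WILDCARD'."""
    if text == "any":
        return 0, 0xFFFFFFFF
    addr, wild = text.split()
    return int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wild))


def parse_acl(show_output: str) -> list:
    aces = []
    for line in show_output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            aces.append(Ace(int(m["seq"]), m["action"],
                            parse_field(m["src"]), parse_field(m["dst"])))
    return sorted(aces, key=lambda a: a.seq)


def matches(field: Field, ip: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    addr, wild = field
    care = ~wild & 0xFFFFFFFF
    return ((int(ipaddress.IPv4Address(ip)) ^ addr) & care) == 0


def covers(a: Field, b: Field) -> bool:
    """True if every address matched by b is also matched by a."""
    (a_addr, a_wild), (b_addr, b_wild) = a, b
    care = ~a_wild & 0xFFFFFFFF
    return (b_wild & care) == 0 and ((a_addr ^ b_addr) & care) == 0


def free_sequence(after_seq: int, before_seq: int) -> Optional[int]:
    """Midpoint between two existing sequence numbers; None when there is no
    gap (run `ip access-list resequence NAME 10 10` first to reopen space)."""
    if before_seq - after_seq < 2:
        return None
    return after_seq + (before_seq - after_seq) // 2


def insert_commands(name: str, seq: int, action: str, src: str, dst: str) -> list:
    """IOS config lines that add the entry at the given sequence number."""
    return [f"ip access-list extended {name}", f" {seq} {action} ip {src} {dst}", " exit"]


def with_entry(aces: list, ace: Ace) -> list:
    if any(a.seq == ace.seq for a in aces):
        raise ValueError(f"sequence {ace.seq} already in use")
    return sorted(aces + [ace], key=lambda a: a.seq)


def evaluate(aces: list, src_ip: str, dst_ip: str) -> tuple:
    """First match wins; the implicit deny at the end has no sequence number."""
    for ace in aces:
        if matches(ace.src, src_ip) and matches(ace.dst, dst_ip):
            return ace.action, ace.seq
    return "deny", None


def shadowed(aces: list) -> list:
    """Sequence numbers of entries that can never match because an earlier
    entry already covers all of their traffic (e.g. anything after permit ip any any)."""
    return [later.seq for i, later in enumerate(aces)
            if any(covers(e.src, later.src) and covers(e.dst, later.dst) for e in aces[:i])]


if __name__ == "__main__":
    acl = parse_acl(SHOW_OUTPUT)
    seq = free_sequence(20, 30)  # 25, as in the lab output above
    print("\n".join(insert_commands("ACL_Coreswitch", seq, "permit",
                                    "192.168.27.0 0.0.0.255", "192.168.90.0 0.0.0.255")))
    new = with_entry(acl, Ace(seq, "permit", parse_field("192.168.27.0 0.0.0.255"),
                              parse_field("192.168.90.0 0.0.0.255")))
    for s, d in [("192.168.27.10", "192.168.90.5"),  # constructed: now permitted by 25
                 ("192.168.27.10", "192.168.3.5"),   # constructed: still denied by 40
                 ("10.0.0.1", "192.168.52.9")]:      # constructed: denied by 10
        print(s, "->", d, evaluate(new, s, d))
    # A deny given sequence 65, after 'permit ip any any', is dead code.
    late = with_entry(new, Ace(65, "deny", parse_field("any"), parse_field("192.168.5.0 0.0.0.255")))
    print("shadowed:", shadowed(late))
```

Two practical checks go with this. First, the gap between neighbouring sequence numbers is what makes the insert possible; if two entries are adjacent (say 20 and 21), use `ip access-list resequence ACL_Coreswitch 10 10` to respace the list before inserting. Second, after the change verify the order with `show ip access-list` as Jerry does, since that view shows the sequence numbers and the resulting first-match order is what decides whether a new `permit` or `deny` takes effect or sits unreachable behind an earlier `permit ip any any`.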

