Re: router priority updated via ACL

Answered Question
Feb 8th, 2006

Thanks in Advance.


I've been experiencing minor issues being able to add a new access list to a router that is running version 11.3 on a 2600 router.

Here is an example:

access-list 101 permit tcp host 100.100.100.100 any
access-list 101 permit tcp host 100.100.100.100 any
access-list 101 permit tcp host 100.100.100.123 any
access-list 101 permit tcp host 100.100.100.122 any
access-list 101 permit tcp host 100.100.100.111 any
access-list 101 permit tcp host 100.100.100.116 any
access-list 101 deny tcp any any

Problem: I am unable to add new ACLs without having to rewrite the table. If I add the new 101 line it places the new permit entry on the bottom of the list. How can I add this line before the deny line?


-fz

Correct Answer by pkhatri about 11 years 6 months ago

Hi,


That is how numbered ACLs work - every time you add an entry, it gets added to the bottom of the list. One option is to delete the whole ACL and re-enter it as you want (with all the original lines included as well).


The other option is to use named IP ACLs. An example follows:


ip access-list extended MyACL
 10 permit tcp host 100.100.100.100 any
 20 permit tcp host 100.100.100.123 any
 30 deny tcp any any

With named ACLs, you can use the 'no' command to selectively remove entries. In addition, a sequence number can be specified for the entries, allowing you to enter new entries between existing ones.


Hope that helps - pls rate the post if it does.


Paresh


zapanta.f Wed, 02/08/2006 - 15:00

Thanks... are there any best practices on the Cisco site on how to categorize your filters? The 100, 101, 102 take precedence, correct? Whichever's in line.


-fz

pkhatri Wed, 02/08/2006 - 15:07

Do you mean the ACL numbers used for extended ACLs? Well, the ACL numbers simply determine what sort of ACL it is (standard IP, extended IP, standard IPX etc). There is no concept of precedence with these at all... Besides, you can only apply one ACL per direction per interface, so you should never have a situation where the router has to choose between two.


If you mean the sequence numbers I indicated earlier for named ACLs, then yes, the lower numbered lines are evaluated before the higher numbered ones. As with any other ACLs, the evaluation stops at the first match. If nothing matches, an implicit deny takes place.


Hope that helps.

Paresh

pkhatri Wed, 02/08/2006 - 19:30

Here is one:

ip access-list extended MyACL
 10 permit tcp 10.0.0.0 0.0.0.255 any
 20 deny tcp host 10.1.1.1 any
 30 permit tcp 10.1.1.0 0.0.0.255 any

Consider the above: the ACL will be evaluated in order from 10 to 30. If the source address is 10.1.1.1, it will match line 20 and will be denied. Note that 10.1.1.1 also matches line 30 but since line 20 comes before line 30, the IP matches line 20 first and line 30 will not be evaluated. As soon as there is a match (either permit or deny), evaluation stops.


Pls do remember to rate posts.


Paresh
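
As an added illustration of the first-match evaluation and the sequence-number insertion Paresh describes above (example code written for this thread, not from the original posts or from Cisco IOS): a small Python model of a named ACL keyed by sequence number. It models only protocol plus source/destination wildcard matching (no ports or flags), and the sample entries are constructed from the MyACL lines in the thread.

```python
import ipaddress
from typing import Dict, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")  # the 'any' keyword: base 0.0.0.0, all-ones wildcard

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the mask means that bit is not compared."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) & 0xFFFFFFFF == (b & ~w) & 0xFFFFFFFF

def _take_addr(tokens):
    """Consume one address spec ('any', 'host X', or 'X WILDCARD'); return (spec, rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_entry(text: str):
    """'permit tcp 10.0.0.0 0.0.0.255 any' -> (action, proto, (src, wc), (dst, wc))."""
    tokens = text.split()
    src, rest = _take_addr(tokens[2:])
    dst, _ = _take_addr(rest)
    return tokens[0], tokens[1], src, dst

def evaluate(acl: Dict[int, str], proto: str, src: str, dst: str) -> Tuple[str, Optional[int]]:
    """First-match evaluation in ascending sequence order; implicit deny if nothing matches."""
    for seq in sorted(acl):
        action, p, (sb, sw), (db, dw) = parse_entry(acl[seq])
        if p in (proto, "ip") and wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action, seq
    return "deny", None  # the implicit deny at the end of every ACL

# Constructed sample: the named ACL from Paresh's post, keyed by sequence number.
MYACL = {
    10: "permit tcp 10.0.0.0 0.0.0.255 any",
    20: "deny tcp host 10.1.1.1 any",
    30: "permit tcp 10.1.1.0 0.0.0.255 any",
}

def with_entry_15() -> Dict[int, str]:
    """Insert a line between 10 and 20 without re-entering the list, as sequence numbers allow."""
    acl = dict(MYACL)
    acl[15] = "permit tcp host 10.1.1.1 any"  # now 10.1.1.1 is matched here before the deny at 20
    return acl

if __name__ == "__main__":
    print(evaluate(MYACL, "tcp", "10.1.1.1", "192.0.2.1"))            # ('deny', 20)
    print(evaluate(with_entry_15(), "tcp", "10.1.1.1", "192.0.2.1"))  # ('permit', 15)
```

Removing an entry (the `no 20` form in a named ACL) is just deleting that key; the remaining lines keep their numbers and order.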

zapanta.f Wed, 02/08/2006 - 19:33

Would I be able to give the line an identity?


Ex: (Line 1)

access-list 101 permit tcp (Line 1) host 100.100.100.100 any
access-list 101 permit tcp (Line 2) host 100.100.100.100 any
access-list 101 permit tcp host 100.100.100.123 any
access-list 101 permit tcp host 100.100.100.122 any
access-list 101 permit tcp host 100.100.100.111 any
access-list 101 permit tcp host 100.100.100.116 any
access-list 101 deny tcp any any

