New Member

IP access-list

Is it possible to add a hostname (text) to an IP access list? The host name is defined in a Microsoft DNS server. I would like to add a DNS host name to an access list so that if the IP address changes I won't have to go to the router configs and make an IP address change to a complicated access-list.

1 ACCEPTED SOLUTION

Accepted Solutions

Re: IP access-list

Yes, it's possible. For this to work you need to do two things.

1. Configure a name server (let the router know where to send DNS requests).

Configuring this is as follows:

Router(config)#ip name-server

2. Configure the access-list as follows.

For example, I'm creating a standard ACL.

Router(config)#access-list 1 permit host test.you.com

test.you.com should be defined in your DNS as an A record.

As soon as you enter the access-list command, the router will try to resolve the FQDN test.you.com into the corresponding IP address. So make sure the DNS server IP is configured on the router using Step 1.

Once this is done, you can verify the translated access-list (FQDN to IP) using the "show access-list" command.

--------------------------------------------------------------------------------------------------

Just tested this on a router here, it really works cool.

Router(config)#ip name-server 10.1.1.1

Router#show host

Default domain is cisco.com

Name/address lookup uses domain service

Name servers are 10.1.1.1

Router(config)#access-list 1 permit host test.cisco.com log

Translating "test.cisco.com"...domain server (10.1.1.1) [OK]

Router#show access-list

Standard IP access list 1

permit 10.1.1.7 log

HTH

4 REPLIES

Bronze

Re: IP access-list

Shanky-

That's good to know, but Berb was concerned about the IP address of the host changing in the future. Your example shows the DNS translation occurring as the access list is being constructed. I wonder if your running config shows the DNS host name or the IP address after this translation is made, and if it shows the host name, how often will the router look up the host name and re-translate? If it never translates the name again, Berb's requirement that the access list keep up with address changes will not be met.

Mark

Re: IP access-list

Hi Mark,

I was wondering about that when I was testing these configs, but didn't get time to follow up on it. Now I checked, and the running config does show only the IP address and not the FQDN.

That's one good observation, Mark!
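Since the router keeps only the resolved IP (as confirmed above), the intended FQDN-to-ACL mapping has to be tracked outside the router, and something has to periodically compare DNS against what is installed. The following Python script is an added example, not code from the thread or from Cisco: it reproduces the two steps of the accepted answer in software (resolve each intended FQDN to the IP the router would store and render the resulting access-list lines) and then checks "show access-list" output for entries that have drifted from current DNS. The sample output, the ACL_INTENT mapping and the FAKE_DNS answers are constructed so it runs offline; the resolver is injected, so on a live box you would pass socket.gethostbyname instead.

```python
"""Detect stale FQDN-derived entries in a Cisco standard ACL.

Added example (not from the thread). The router stores only IPs, so the
intended FQDNs live in ACL_INTENT here and DNS is re-checked by this script.
"""
import re
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample 'show access-list' output, modelled on the thread's.
SHOW_ACCESS_LIST = """\
Standard IP access list 1
    permit 10.1.1.7 log
    permit 10.1.1.8
Standard IP access list 2
    deny   10.2.2.2
"""

# Constructed intent: ACL number -> FQDNs that were used to build it.
ACL_INTENT: Dict[int, List[str]] = {
    1: ["test.cisco.com", "app.example.net"],
    2: ["bad.example.net"],
}

# Constructed offline DNS answers standing in for a real lookup.
FAKE_DNS: Dict[str, str] = {
    "test.cisco.com": "10.1.1.7",   # unchanged since the ACL was configured
    "app.example.net": "10.1.1.9",  # moved: the ACL still holds 10.1.1.8
    "bad.example.net": "10.2.2.2",
}

HEADER_RE = re.compile(r"^Standard IP access list (\d+)\s*$")
ENTRY_RE = re.compile(r"^\s*(permit|deny)\s+(\d+\.\d+\.\d+\.\d+)(\s+log)?\s*$")


def parse_show_access_list(text: str) -> Dict[int, List[Tuple[str, str]]]:
    """Return {acl_number: [(action, ip), ...]} from 'show access-list' output."""
    acls: Dict[int, List[Tuple[str, str]]] = {}
    current: Optional[int] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = int(m.group(1))
            acls[current] = []
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            acls[current].append((m.group(1), m.group(2)))
    return acls


def resolve_acl_intent(intent: Dict[int, List[str]],
                       resolver: Callable[[str], str]) -> Dict[int, Dict[str, Optional[str]]]:
    """Steps 1 and 2 of the thread in software: resolve each FQDN to the IP
    the router would store. Unresolvable names map to None."""
    out: Dict[int, Dict[str, Optional[str]]] = {}
    for acl, names in intent.items():
        out[acl] = {}
        for name in names:
            try:
                out[acl][name] = resolver(name)
            except (socket.gaierror, KeyError):
                out[acl][name] = None
    return out


def render_acl_lines(acl: int, action: str, resolved: Dict[str, Optional[str]]) -> List[str]:
    """Render the IOS lines the router ends up storing after translation."""
    return [f"access-list {acl} {action} host {ip}" for ip in resolved.values() if ip]


def find_drift(show_output: str, intent: Dict[int, List[str]],
               resolver: Callable[[str], str]) -> List[Tuple[int, str, str]]:
    """Return (acl, fqdn, current_ip) for every FQDN whose current DNS answer
    is not present in the installed ACL, i.e. the stale-entry case Mark raised."""
    installed = parse_show_access_list(show_output)
    resolved = resolve_acl_intent(intent, resolver)
    drift: List[Tuple[int, str, str]] = []
    for acl, names in resolved.items():
        installed_ips = {ip for _, ip in installed.get(acl, [])}
        for fqdn, ip in names.items():
            if ip is not None and ip not in installed_ips:
                drift.append((acl, fqdn, ip))
    return drift


if __name__ == "__main__":
    resolver = FAKE_DNS.__getitem__  # swap for socket.gethostbyname on a live router
    for acl, fqdn, ip in find_drift(SHOW_ACCESS_LIST, ACL_INTENT, resolver):
        print(f"ACL {acl}: {fqdn} now resolves to {ip}, which is not in the running config")
```

Run it on a schedule against the real "show access-list" output; any drift line means the ACL no longer matches the host it was written for, which is exactly the case the router will not fix on its own.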

New Member

Re: IP access-list

Thank you kindly. Works just fine.
