On a 2514 with 11.2 IOS, I'm trying to implement multiple ACL's to block all access to about 55 host addresses. I cannot seem to put them all into one ACL, or the list just disappears, and I'm unclear on how to properly set up multiple lists of about 10 addresses each.
Does each list, say 101-105, need a "permit ip any any" at the end, or just the final list applied to the interface? Will the lists be processed in numerical order or in the order in which they're applied to the interface? I'm assuming that I would implement the lists inbound on the interface that has all the user machines for which I want to block these sites. All my PC's being on E0, I'll want to enter "ip access-group 101 in" for all the lists through 105, correct?
I purchased the Cisco Field Guide for Access Lists, but I cannot find anything about how multiple lists are processed. If there's a good resource online with the info I need, I'll really appreciate help finding it.
Your post doesn't state what specific version of 11.2 IOS you're using, but I'm going to assume you're using a major release version that doesn't have bugs, etc.
Next, I'm going to assume that your 2514 (which you already know is "End-Of-Life", right?) has enough memory. Sometimes, when the ACL you're trying to create can't be made "large" enough, the underlying problem is not enough hardware memory. Since you're writing in real time, there needs to be enough memory to store the access-list you're creating and subsequently running.
Last, your question seems to be asking if and how it's possible to apply multiple "access-group" ACL statements to a single interface. The quick and simple answer is that you can't.
In other words, you can't apply multiple IP "access-group" ACL's to the same interface like this:
ip access-group 101 in
ip access-group 102 in
ip access-group 103 in
In the above example, only the last line, "ip access-group 103 in", will be programmed into the router. The statements for ACL's 101 and 102 will seemingly disappear.
You can have one access-group list inbound and then another outbound:
ip access-group 101 in
ip access-group 102 out
If you want some on-line tips about access-lists, you might try one of these:
1. If all the hosts are off of e0, I assume they're all on the same subnet. Are you defining specific statements for each PC or are you doing network statements?
! IOS extended ACL syntax is "access-list N permit|deny ip SRC WILDCARD DST WILDCARD";
! the masks are wildcard masks (0 = bit must match), so a single host is 0.0.0.0
! (or "host A.B.C.D") and a /24 is 0.0.0.255. A 255.255.255.255 wildcard would match everything.
access-list 102 permit ip 126.96.36.199 0.0.0.0 188.8.131.52 0.0.0.0
access-list 102 permit ip 184.108.40.206 0.0.0.0 220.127.116.11 0.0.0.0
access-list 102 permit ip 18.104.22.168 0.0.0.255 22.214.171.124 0.0.0.255
or whatever (Much better). Since all 55 PC's are on the same internetwork, you should be able to group them all together...?
2. On the flip side, if there are some PC's on that network that can't be grouped with the PC's you're trying to block, can you list the networks that should be permitted instead? (That is, block the source rather than the destination?)
3. If you place a "permit any any" on the end of each list, you are deliberately overriding the implicit "deny any any" at the end of each access-list.
4. Remember that the ordering of source and destination in access-lists is very important - especially if you use some lists as inbound and some as outbound. In other words, where 126.96.36.199 is some network and w.x.y.z is one of your PC's:
access-list 102 permit ip 188.8.131.52 0.0.0.255 host w.x.y.z
interface Ethernet0
 ip access-group 102 in
access-list 103 permit ip host w.x.y.z 184.108.40.206 0.0.0.255
interface Ethernet0
 ip access-group 103 out
... are roughly equivalent in terms of permissions. (I know someone out there reading this is going to yell at me...)
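To make the answer's three points concrete (one list per direction per interface, the implicit "deny any any" at the end of every list, and the source/destination swap between an inbound and an outbound list), here is a small model of how IOS evaluates a numbered extended ACL. This is an added example, not code from the thread or from Cisco; the blocked-site and PC addresses in it are constructed samples, and the function names are my own.

```python
"""Model of Cisco IOS extended ACL evaluation (added example, not from the thread).
Shows: first-match semantics, the implicit deny at the end, what a trailing
'permit ip any any' changes, and the in/out source-destination swap.
All addresses below are constructed samples from documentation ranges."""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    src: str      # "A.B.C.D WILDCARD", "host A.B.C.D", or "any"
    dst: str


def wild_match(spec: str, addr: str) -> bool:
    """Match an address against an IOS-style wildcard spec.
    Wildcard masks are the inverse of subnet masks: a 0 bit must match,
    a 1 bit is ignored. So 'host X' == 'X 0.0.0.0', a /24 is 'X 0.0.0.255',
    and 'X 255.255.255.255' (a subnet mask typed by mistake) matches everything."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec.split()[1]
    base, wild = spec.split()
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wild))
    a = int(ipaddress.IPv4Address(addr))
    keep = ~w & 0xFFFFFFFF          # bits that must match
    return (a & keep) == (b & keep)


def evaluate(acl: List[Ace], src: str, dst: str) -> str:
    """Walk the list top to bottom; the first matching entry wins.
    If nothing matches, IOS applies the implicit 'deny ip any any'."""
    for ace in acl:
        if wild_match(ace.src, src) and wild_match(ace.dst, dst):
            return ace.action
    return "deny"


def build_block_list(blocked_hosts: List[str], allow_rest: bool) -> List[Ace]:
    """One list holding every blocked destination (what the answer recommends,
    instead of several lists that each need their own 'permit any any').
    allow_rest=False leaves only the implicit deny, which blocks everything."""
    acl = [Ace("deny", "any", f"host {h}") for h in blocked_hosts]
    if allow_rest:
        acl.append(Ace("permit", "any", "any"))
    return acl


def to_ios(number: int, acl: List[Ace]) -> List[str]:
    """Render the list as 'access-list N permit|deny ip SRC DST' lines.
    Only one such list can then be bound per direction: 'ip access-group N in'."""
    return [f"access-list {number} {a.action} ip {a.src} {a.dst}" for a in acl]


def outbound_equivalent(acl: List[Ace]) -> List[Ace]:
    """Tip 4 of the answer: the same policy seen from the other direction of the
    interface has source and destination swapped. An inbound list on the PC
    interface matches src=PC, dst=site; the outbound list matches src=site, dst=PC."""
    return [Ace(a.action, a.dst, a.src) for a in acl]


if __name__ == "__main__":
    blocked = ["203.0.113.10", "203.0.113.11", "198.51.100.7"]   # constructed
    pc = "192.168.1.5"                                             # constructed
    acl = build_block_list(blocked, allow_rest=True)
    for line in to_ios(101, acl):
        print(line)
    print("interface Ethernet0\n ip access-group 101 in")
    print("PC ->", blocked[0], ":", evaluate(acl, pc, blocked[0]))
    print("PC -> other site :", evaluate(acl, pc, "192.0.2.44"))
```

The `allow_rest=False` case is the trap the answer's tip 3 is about: a list that contains only deny entries lets nothing through, because the implicit deny catches every other packet. The wildcard note in `wild_match` matters for the lines posted above, where `255.255.255.255` was written where a host wildcard of `0.0.0.0` (or `host`) was meant.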