New ACL on the Top

Haider Malik
Level 1

Hello, need help.

I am trying to add a new ACL line; however, it goes to the end of my permit list. How can I add it at the top on my router?

In ASA I can put it at the top by adding a line; however, I am not sure how to do this on a router.


access-list 101 deny   ip host 192.168.5.2 host 192.168.50.9
access-list 101 permit ip any any
access-list 101 deny   ip host 192.168.5.2 host 192.168.50.20

 

 

Thank you
Jouni Forss
VIP Alumni

Hi,

A bit rusty on the router ACL side myself too, and I have forgotten the differences between the different types of ACL.

Can you check the output of the following command:

show ip access-list 101

 

To my understanding that should show the ACL with the line/sequence numbers. If so, then I guess you could first remove the ACL line that you added to the end of the ACL and then try this:

ip access-list extended 101
 15 deny ip host 192.168.5.2 host 192.168.60.20

 

Where 15 is the line/sequence number at which to add the ACL entry. By default the router should start from 10 and then go up in increments of 10 (10, 20, 30, 40 and so on). With some ACLs I do tend to assign those line/sequence numbers differently so I can leave plenty of space between the rules in case I need to add something later without removing and redoing the actual ACL.

If for some reason you are not able to add the line in the correct place as described above, I guess you can always redo the ACL. But in the case of routers, I think depending on the usage of the ACL it should probably be removed from use wherever it's used so that removing it doesn't cause problems. To my understanding, removing an ACL used in the "line vty 0 4" and "interface" configurations might cause traffic to get blocked, so it's usually best to remove the ACL from use before redoing it.

Hopefully I didn't remember anything wrong :)

- Jouni
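As an added illustration (not from this thread or from Cisco), here is a small Python model of what the answer above describes: first-match ACL evaluation and inserting an entry at a chosen sequence number. It shows that the trailing deny in the question's ACL can never match because "permit ip any any" sits in front of it, and that inserting the deny at sequence 15 fixes that. The sequence numbers 10/20/30 are assumed IOS defaults, and the entries are a constructed copy of the question's ACL, not real device output.

```python
import ipaddress

# Constructed sample: the ACL from the question, with the default IOS
# sequence numbers (10, 20, 30). Assumed values, not the poster's device output.
ACL_101 = [
    (10, "deny",   "192.168.5.2/32", "192.168.50.9/32"),
    (20, "permit", "0.0.0.0/0",      "0.0.0.0/0"),
    (30, "deny",   "192.168.5.2/32", "192.168.50.20/32"),
]

def evaluate(acl, src, dst):
    """First-match evaluation of a simplified 'ip' extended ACL.
    Returns (action, seq) of the first matching entry, or ("deny", None)
    for the implicit deny at the end of every IOS ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq, action, src_net, dst_net in sorted(acl):
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action, seq
    return "deny", None

def shadowed_entries(acl):
    """Sequence numbers of entries that can never match because an earlier
    entry already covers both their source and destination ranges."""
    seen, shadowed = [], []
    for seq, _, src_net, dst_net in sorted(acl):
        s, d = ipaddress.ip_network(src_net), ipaddress.ip_network(dst_net)
        if any(s.subnet_of(ps) and d.subnet_of(pd) for ps, pd in seen):
            shadowed.append(seq)
        seen.append((s, d))
    return shadowed

def insert_before(acl, before_seq, action, src_net, dst_net):
    """Add an entry in the gap below `before_seq`, the way
    'ip access-list extended 101' followed by '<seq> deny ...' does on IOS.
    Returns the chosen sequence number; raises if the gap is already full."""
    seqs = [seq for seq, *_ in acl]
    prev = max((s for s in seqs if s < before_seq), default=0)
    if before_seq - prev < 2:
        raise ValueError("no free sequence number below %d; resequence first" % before_seq)
    new_seq = prev + (before_seq - prev) // 2   # gap 10..20 -> 15
    acl.append((new_seq, action, src_net, dst_net))
    return new_seq

if __name__ == "__main__":
    print(evaluate(ACL_101, "192.168.5.2", "192.168.50.20"))  # ('permit', 20): entry 30 is dead
    print(shadowed_entries(ACL_101))                          # [30]
    fixed = list(ACL_101)
    print(insert_before(fixed, 20, "deny", "192.168.5.2/32", "192.168.50.20/32"))  # 15
    print(evaluate(fixed, "192.168.5.2", "192.168.50.20"))    # ('deny', 15)
```

The same shadow check run over a real "show ip access-lists" listing is a cheap way to spot entries that were appended after a "permit ip any any" and silently do nothing.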

 


Thank you for the explanation. I have removed the whole ACL.

I tried this way but it's just showing invalid input. Is there something I am doing wrong?

 

Router#sh ip access-lists 101
Extended IP access list 101
    deny ip host 192.168.5.2 host 192.168.60.20
    permit ip any any
    deny ip host 192.168.5.2 host 192.168.60.23
Router#conf t
Router(config)#ip access-list extended 101
Router(config-ext-nacl)#16 deny ip host 192.168.5.2 host 192.168.60.25
                        ^
% Invalid input detected at '^' marker.

Hi,

 

Guess it doesn't work. I am not sure if it's a software-level thing or what.

I wonder if it would make a difference if you configured the ACL with a name (alphabetical rather than numerical name).

 

For example:

ip access-list extended TEST-ACL

 

And then entered the rules. Naturally, if you have already removed the existing ACL, you can configure it again and just enter the ACL lines in the order you want them.

 

- Jouni

But in this way I will always have to remove the whole ACL first and then re-apply it in order. I am not sure if this is acceptable in a production environment.

 
