New Member

How do I add a line into an access control list?

We have a user VLAN that allows connectivity to the printer VLAN. Printers connect and need SNMP to communicate.

New printers were brought in, and they need port 443 opened. I was under the impression I could insert a line into an ACL (below).

I have copied the production ACL to this test ACL (102) and it works fine when I changed the VLAN interface to use this ACL. I copied and pasted, however, and the new ACL was easy to create and apply. Since I have 30 more production switches to do this to, I was hoping I would not have to delete this ACL and recreate it. I thought there was a way to "inject" a line into an ACL.

Any thoughts?


access-list 102 permit udp any any eq bootps
access-list 102 permit udp any any eq bootpc
access-list 102 permit icmp 10.0.32.0 0.255.3.255 10.0.32.1 0.255.0.0 echo
access-list 102 permit icmp 10.0.32.0 0.255.3.255 10.0.32.1 0.255.0.0 echo-reply
access-list 102 permit icmp 10.0.32.1 0.255.0.0 10.0.32.0 0.255.3.255 echo
access-list 102 permit icmp 10.0.32.1 0.255.0.0 10.0.32.0 0.255.3.255 echo-reply
access-list 102 permit icmp 10.0.32.0 0.255.3.255 10.0.96.0 0.255.0.255 echo
access-list 102 permit icmp 10.0.32.0 0.255.3.255 10.0.96.0 0.255.0.255 echo-reply

access-list 102 permit tcp 10.0.32.0 0.255.3.255 10.0.96.0 0.255.0.255 eq 443

access-list 102 permit udp 10.0.32.0 0.255.3.255 10.0.96.0 0.255.0.255 eq snmp
access-list 102 permit tcp 10.0.32.0 0.255.3.255 10.0.96.0 0.255.0.255 eq 161
access-list 102 deny   ip 10.0.32.0 0.255.3.255 10.0.32.0 0.255.3.255 log
access-list 102 deny   ip 10.0.32.0 0.255.3.255 10.0.64.0 0.255.0.255 log
access-list 102 deny   ip 10.0.32.0 0.255.3.255 10.0.96.0 0.255.0.255 log
access-list 102 permit ip host 10.105.34.9 10.0.112.0 0.255.0.255 log
access-list 102 deny   ip 10.0.32.0 0.255.3.255 10.0.112.0 0.255.0.255 log
access-list 102 deny   ip 10.0.32.0 0.255.3.255 10.0.114.0 0.255.0.255 log
access-list 102 deny   ip 10.0.32.0 0.255.3.255 10.0.161.0 0.255.0.255 log
access-list 102 deny   ip 10.0.32.0 0.255.3.255 10.0.165.0 0.255.0.255 log
access-list 102 deny   ip 10.0.32.0 0.255.3.255 10.0.235.0 0.255.0.255 log
access-list 102 permit ip 10.0.32.0 0.255.3.255 10.0.240.24 0.255.0.0
access-list 102 permit ip 10.0.32.0 0.255.3.255 10.2.240.0 0.0.1.255 log
access-list 102 deny   ip 10.0.32.0 0.255.3.255 10.0.240.0 0.255.0.255 log
access-list 102 deny   ip 10.0.32.0 0.255.3.255 10.0.241.0 0.255.0.255 log
access-list 102 permit ip any any

Accepted Solution
Silver

How do I add a line into an access control list?

Use show ip access-lists to see the numbering:

R1#sh ip access-lists
Extended IP access list 102
    10 permit udp any any eq bootps
    20 permit udp any any eq bootpc
    30 permit icmp 10.0.32.0 0.255.3.255 10.0.32.1 0.255.0.0 echo
    40 permit icmp 10.0.32.0 0.255.3.255 10.0.32.1 0.255.0.0 echo-reply
    50 permit icmp 10.0.32.1 0.255.0.0 10.0.32.0 0.255.3.255 echo
    60 permit icmp 10.0.32.1 0.255.0.0 10.0.32.0 0.255.3.255 echo-reply
    70 permit icmp 10.0.32.0 0.255.3.255 10.0.96.0 0.255.0.255 echo
    80 permit icmp 10.0.32.0 0.255.3.255 10.0.96.0 0.255.0.255 echo-reply
    90 permit tcp 10.0.32.0 0.255.3.255 10.0.96.0 0.255.0.255 eq 443
    100 permit udp 10.0.32.0 0.255.3.255 10.0.96.0 0.255.0.255 eq snmp
    110 permit tcp 10.0.32.0 0.255.3.255 10.0.96.0 0.255.0.255 eq 161
    120 deny ip 10.0.32.0 0.255.3.255 10.0.32.0 0.255.3.255 log
    130 deny ip 10.0.32.0 0.255.3.255 10.0.64.0 0.255.0.255 log
    140 deny ip 10.0.32.0 0.255.3.255 10.0.96.0 0.255.0.255 log
    150 permit ip host 10.105.34.9 10.0.112.0 0.255.0.255 log
    160 deny ip 10.0.32.0 0.255.3.255 10.0.112.0 0.255.0.255 log
    170 deny ip 10.0.32.0 0.255.3.255 10.0.114.0 0.255.0.255 log
    180 deny ip 10.0.32.0 0.255.3.255 10.0.161.0 0.255.0.255 log
    190 deny ip 10.0.32.0 0.255.3.255 10.0.165.0 0.255.0.255 log
    200 deny ip 10.0.32.0 0.255.3.255 10.0.235.0 0.255.0.255 log
    210 permit ip 10.0.32.0 0.255.3.255 10.0.240.24 0.255.0.0
    220 permit ip 10.0.32.0 0.255.3.255 10.2.240.0 0.0.1.255 log
    230 deny ip 10.0.32.0 0.255.3.255 10.0.240.0 0.255.0.255 log
    240 deny ip 10.0.32.0 0.255.3.255 10.0.241.0 0.255.0.255 log
    250 permit ip any any

Then if you want to add something at line 245:

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip access-list extended 102
R1(config-ext-nacl)#245 deny ip host 1.1.1.1 host 2.2.2.2

Now it should be done:

R1(config-ext-nacl)#do show ip access-lists
Extended IP access list 102
    10 permit udp any any eq bootps
    20 permit udp any any eq bootpc
    30 permit icmp 10.0.32.0 0.255.3.255 10.0.32.1 0.255.0.0 echo
    40 permit icmp 10.0.32.0 0.255.3.255 10.0.32.1 0.255.0.0 echo-reply
    50 permit icmp 10.0.32.1 0.255.0.0 10.0.32.0 0.255.3.255 echo
    60 permit icmp 10.0.32.1 0.255.0.0 10.0.32.0 0.255.3.255 echo-reply
    70 permit icmp 10.0.32.0 0.255.3.255 10.0.96.0 0.255.0.255 echo
    80 permit icmp 10.0.32.0 0.255.3.255 10.0.96.0 0.255.0.255 echo-reply
    90 permit tcp 10.0.32.0 0.255.3.255 10.0.96.0 0.255.0.255 eq 443
    100 permit udp 10.0.32.0 0.255.3.255 10.0.96.0 0.255.0.255 eq snmp
    110 permit tcp 10.0.32.0 0.255.3.255 10.0.96.0 0.255.0.255 eq 161
    120 deny ip 10.0.32.0 0.255.3.255 10.0.32.0 0.255.3.255 log
    130 deny ip 10.0.32.0 0.255.3.255 10.0.64.0 0.255.0.255 log
    140 deny ip 10.0.32.0 0.255.3.255 10.0.96.0 0.255.0.255 log
    150 permit ip host 10.105.34.9 10.0.112.0 0.255.0.255 log
    160 deny ip 10.0.32.0 0.255.3.255 10.0.112.0 0.255.0.255 log
    170 deny ip 10.0.32.0 0.255.3.255 10.0.114.0 0.255.0.255 log
    180 deny ip 10.0.32.0 0.255.3.255 10.0.161.0 0.255.0.255 log
    190 deny ip 10.0.32.0 0.255.3.255 10.0.165.0 0.255.0.255 log
    200 deny ip 10.0.32.0 0.255.3.255 10.0.235.0 0.255.0.255 log
    210 permit ip 10.0.32.0 0.255.3.255 10.0.240.24 0.255.0.0
    220 permit ip 10.0.32.0 0.255.3.255 10.2.240.0 0.0.1.255 log
    230 deny ip 10.0.32.0 0.255.3.255 10.0.240.0 0.255.0.255 log
    240 deny ip 10.0.32.0 0.255.3.255 10.0.241.0 0.255.0.255 log
    245 deny ip host 1.1.1.1 host 2.2.2.2

Daniel Dib
CCIE #37149

Please rate helpful posts.

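Since the same change has to land on 30 more switches, here is an added Python example (not from the thread or from Cisco) that parses `show ip access-lists` output, evaluates it first-match with IOS wildcard semantics, and picks a free sequence number in front of the explicit deny that currently catches the new traffic. The sample output is a constructed slice of ACL 102 from this thread; the port-name table, the sequence-gap check and the ValueError are the example's own assumptions.

```python
import ipaddress
import re

# Constructed sample: the slice of ACL 102 from this thread that decides printer HTTPS, as IOS prints it.
SHOW_OUTPUT = """Extended IP access list 102
    80 permit icmp 10.0.32.0 0.255.3.255 10.0.96.0 0.255.0.255 echo-reply
    100 permit udp 10.0.32.0 0.255.3.255 10.0.96.0 0.255.0.255 eq snmp
    140 deny ip 10.0.32.0 0.255.3.255 10.0.96.0 0.255.0.255 log
    250 permit ip any any"""
PORT_NAMES = {"snmp": 161, "bootps": 67, "bootpc": 68}  # names IOS prints instead of numbers (assumed subset)
# seq, action, protocol, source, destination, optional destination 'eq' port; source ports are not modelled
ACE_RE = re.compile(r"\s*(\d+) (permit|deny) (\S+) (any|host \S+|\S+ \S+) (any|host \S+|\S+ \S+)(?: eq (\S+))?")

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(spec):  # 'any', 'host A' or 'A WILDCARD' -> (address, wildcard)
    if spec == "any":
        return 0, 0xFFFFFFFF
    a, _, wc = spec.partition(" ")
    return (_ip(wc), 0) if a == "host" else (_ip(a), _ip(wc))

def parse_acl(text):
    """Parse the numbered ACEs of 'show ip access-lists'; header and other lines are skipped."""
    aces = []
    for m in filter(None, map(ACE_RE.match, text.splitlines())):
        seq, action, proto, src, dst, port = m.groups()
        if port is not None:
            port = int(port) if port.isdigit() else PORT_NAMES[port]
        aces.append({"seq": int(seq), "action": action, "proto": proto,
                     "src": _addr(src), "dst": _addr(dst), "port": port})
    return aces

def _addr_ok(spec, ip):  # IOS wildcard semantics: a 1 bit in the wildcard means "don't care"
    return ((spec[0] ^ ip) & ~spec[1] & 0xFFFFFFFF) == 0

def first_match(aces, proto, src, dst, port):
    """ACLs are first-match: return the first ACE that matches, None for the implicit deny at the end."""
    return next((a for a in aces if a["proto"] in ("ip", proto) and _addr_ok(a["src"], _ip(src))
                 and _addr_ok(a["dst"], _ip(dst)) and a["port"] in (None, port)), None)

def insertion_seq(aces, proto, src, dst, port):
    """Free sequence number just before the explicit deny that catches this traffic; None if there is none."""
    hit = first_match(aces, proto, src, dst, port)
    if hit is None or hit["action"] == "permit":
        return None
    prev = max((a["seq"] for a in aces if a["seq"] < hit["seq"]), default=0)
    if hit["seq"] - prev < 2:  # adjacent numbers: 'ip access-list resequence' the ACL first
        raise ValueError("no free sequence number before %d" % hit["seq"])
    return (prev + hit["seq"]) // 2
```

For the sample, HTTPS from the user VLAN to the printer VLAN first hits the logging deny at 140, so the function returns 120 and the line to push is `120 permit tcp 10.0.32.0 0.255.3.255 10.0.96.0 0.255.0.255 eq 443` under `ip access-list extended 102`.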
2 REPLIES
New Member

How do I add a line into an access control list?

Thank you.  It worked perfectly!
