Cisco Support Community
New Member

ACL

A router is running "c7200-advsecurityk9-mz.124-11.T.bin". We have a few hundred ACLs in our router. Every time we add one ACL entry we need to delete the ACL first, because there is a deny any at the end. Is there any way to make managing those ACLs easier? Just simply add one ACL entry without deleting the existing ACL.

Accepted Solution
Hall of Fame Super Bronze

Re: ACL

And I just noticed another new behavior, and you don't need to migrate to 'named' ACLs.

Here is my current ACL:

access-list 101 permit ip host 1.1.1.1 host 2.2.2.2
access-list 101 permit ip host 1.1.1.1 host 3.3.3.3
access-list 101 permit ip host 1.1.1.1 host 4.4.4.4
access-list 101 deny ip any any

Now, I want to add an additional entry before the deny ip any any...

Rack1R4#show ip access-list
Extended IP access list 101
    10 permit ip host 1.1.1.1 host 2.2.2.2
    20 permit ip host 1.1.1.1 host 3.3.3.3
    25 permit ip host 1.1.1.1 host 4.4.4.4
    30 deny ip any any

Rack1R4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rack1R4(config)#ip access-list extended 101
Rack1R4(config-ext-nacl)#26 permit ip host 1.1.1.1 host 5.5.5.5
Rack1R4(config-ext-nacl)#do show run | sec 101
access-list 101 permit ip host 1.1.1.1 host 2.2.2.2
access-list 101 permit ip host 1.1.1.1 host 3.3.3.3
access-list 101 permit ip host 1.1.1.1 host 4.4.4.4
access-list 101 permit ip host 1.1.1.1 host 5.5.5.5
access-list 101 deny ip any any

__

Edison.
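An added example, not code from the thread: a small Python helper that parses `show ip access-list` output like the one above, picks a free sequence number between the last entry and the trailing `deny ip any any`, and emits the IOS commands that insert the new entry without removing the ACL. When no number is free (say the last permit is 29 and the deny is 30) it first emits `ip access-list resequence <acl> 10 10`, a standard IOS command that renumbers the entries in place; the sample ACL text is constructed from the output quoted in the thread.

```python
import re
from typing import List, Tuple

# Constructed sample input: the 'show ip access-list' output quoted in the thread.
SHOW_OUTPUT = """Extended IP access list 101
    10 permit ip host 1.1.1.1 host 2.2.2.2
    20 permit ip host 1.1.1.1 host 3.3.3.3
    25 permit ip host 1.1.1.1 host 4.4.4.4
    30 deny ip any any
"""

# seq, action, rule text; the optional "(N matches)" counter is ignored.
ACE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\(\d+ matches\))?\s*$")


def parse_aces(show_output: str) -> List[Tuple[int, str, str]]:
    """Extract (sequence, action, rule) from 'show ip access-list' text."""
    aces = []
    for line in show_output.splitlines():
        m = ACE_RE.match(line)
        if m:
            aces.append((int(m.group(1)), m.group(2), m.group(3)))
    return aces


def insert_commands(acl: str, show_output: str, new_rule: str) -> List[str]:
    """IOS commands that insert new_rule before the trailing 'deny ip any any'
    without removing the ACL; resequence first when no sequence number is free."""
    aces = parse_aces(show_output)
    if not aces or aces[-1][1:] != ("deny", "ip any any"):
        raise ValueError("ACL does not end with an explicit 'deny ip any any'")
    deny_seq = aces[-1][0]
    prev_seq = aces[-2][0] if len(aces) > 1 else 0
    cmds = []
    if deny_seq - prev_seq < 2:
        # No gap between the last permit and the deny (e.g. 29 and 30):
        # renumber as 10, 20, 30, ... while the ACL stays applied, then insert.
        cmds.append(f"ip access-list resequence {acl} 10 10")
        deny_seq = 10 * len(aces)
        prev_seq = deny_seq - 10
    # Midpoint keeps room for future inserts on both sides of the new entry.
    new_seq = prev_seq + (deny_seq - prev_seq) // 2
    cmds.append(f"ip access-list extended {acl}")
    cmds.append(f"{new_seq} {new_rule}")
    return cmds


if __name__ == "__main__":
    for cmd in insert_commands("101", SHOW_OUTPUT, "permit ip host 1.1.1.1 host 5.5.5.5"):
        print(cmd)
```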

5 REPLIES
Hall of Fame Super Bronze

Re: ACL

Instead of using 'numbered' ACLs, you should migrate to 'named' ACLs.

For example, here is a 'named' ACL with a deny at the end:

sh run | sec NETPRO
ip access-list extended NETPRO
 permit ip host 1.1.1.1 host 2.2.2.2
 permit ip host 1.1.1.1 host 3.3.3.3
 deny ip any any

If I wanted to insert an entry before the deny any any...

Rack1R4#show ip access-lists NETPRO
Extended IP access list NETPRO
    10 permit ip host 1.1.1.1 host 2.2.2.2
    20 permit ip host 1.1.1.1 host 3.3.3.3
    30 deny ip any any

Rack1R4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rack1R4(config)#ip access-list extended NETPRO
Rack1R4(config-ext-nacl)#25 permit ip host 1.1.1.1 host 4.4.4.4
Rack1R4(config-ext-nacl)#do show run | sec NETPRO
ip access-list extended NETPRO
 permit ip host 1.1.1.1 host 2.2.2.2
 permit ip host 1.1.1.1 host 3.3.3.3
 permit ip host 1.1.1.1 host 4.4.4.4
 deny ip any any

HTH,

__

Edison.

Re: ACL

You should be able to delete the entries in the ACL by using sequence #s, without having to delete the whole ACL, modify it and put it back.

Here you go.

R1#show access-list 100
Extended IP access list 100
    10 permit ip 172.16.1.0 0.0.0.255 150.50.0.0 0.0.255.255 (2 matches)
    20 permit ip 192.168.1.0 0.0.0.255 150.50.0.0 0.0.255.255

R1#config t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip access-list ext 100
R1(config-ext-nacl)#no 20
R1(config-ext-nacl)#end
R1#show access-list 100
Extended IP access list 100
    10 permit ip 172.16.1.0 0.0.0.255 150.50.0.0 0.0.255.255 (2 matches)

HTH

Sundar

Edit: I just noticed Edison responded to this as well. It wasn't possible a while ago, but you have been able to use numbered ACLs to remove or add sequence #s for some time now.

New Member

Re: ACL

Edison,

It really helps. How did you get that info about ACLs?

thanks,

Ken

Hall of Fame Super Bronze

Re: ACL

Ken,

The first iteration I learned during my CCNP studies and on the job.

The last iteration I learned today while playing with my gear for this very same post :)

Thanks for the rating and good luck !
