
Route Map using Named ACL

ramizchaudhary
Level 1

Dear All,

I have a gateway router, a 7206VXR, on which I have two WAN links. I want to distribute my traffic using a route-map with a named ACL. I followed the document related to named ACLs:

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080431038.html

Now the problem is, the document says in steps 4 and 5 that we can use the optional parameter [sequence-number] so that we can edit a named ACL or place a new entry anywhere in the ACL based on this [sequence-number]. But in reality, when I tried to implement it on the gateway router, I could not. The sequence number was not accepted.

FLAG-Gate#

FLAG-Gate#conf t

Enter configuration commands, one per line. End with CNTL/Z.

FLAG-Gate(config)#ip access-list extended MyACL

FLAG-Gate(config-ext-nacl)#?

Ext Access List configuration commands:

default Set a command to its defaults

deny Specify packets to reject

dynamic Specify a DYNAMIC list of PERMITs or DENYs

evaluate Evaluate an access list

exit Exit from access-list configuration mode

no Negate a command or set its defaults

permit Specify packets to forward

remark Access list entry comment

FLAG-Gate(config-ext-nacl)#1000 permit ip host 192.168.161.168 any

% Invalid input detected at '^' marker.

FLAG-Gate(config-ext-nacl)#

So what would be the reason? Why could I not enter sequence # 1000? Without it the command was acceptable.

Waiting for Response

Regards,


pkhatri
Level 11

This feature was introduced in 12.3(7)T. You are possibly using an older software release which does not support this option.

Paresh.

PS. Pls do remember to rate posts.

Richard Burts
Hall of Fame

Ramiz

The link that you sent describes a feature in release 12.3(7)T (though sequence numbers are not the primary focus of the feature). You have not identified for us what version of code you are running but I suspect that the version of code that you are running does not have support for the sequence number feature.

If your code does not support the sequence number feature the access list and the route map should still work properly if you enter the access list without sequence numbers. If you believe that you really need the sequence numbers you may need to upgrade the code on your router.

HTH

Rick


OK, thanks for responding. Tell me, if I don't want to upgrade IOS and still want to insert an entry in between some other entries, is it possible?

For example:

First I have these ACL entries:

ip access-list extended Test

permit ip host 192.168.12.5 any

permit ip host 192.168.13.2 any

permit ip 192.168.200.0 0.0.0.255 any

permit ip 172.16.10.0 0.0.0.255 any

Now I want to add an ACL entry "deny ip host 192.168.200.5 any" in between "permit ip host 192.168.13.2 any" and "permit ip 192.168.200.0 0.0.0.255 any" so that the route-map would apply to network 192.168.200.0 except host 192.168.200.5.

How is it possible without a sequence number? And regarding the router's IOS:

Gateway#

Gateway#show version

Cisco Internetwork Operating System Software

IOS (tm) 7200 Software (C7200-JS-M), Version 12.2(34), RELEASE SOFTWARE (fc1)

Copyright (c) 1986-2006 by cisco Systems, Inc.

Compiled Thu 02-Mar-06 04:32 by pwade

Image text-base: 0x60008940, data-base: 0x6168E000

ROM: System Bootstrap, Version 12.2(4r)B2, RELEASE SOFTWARE (fc2)

BOOTLDR: 7200 Software (C7200-BOOT-M), Version 12.0(13)S, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

Regards

smothuku
Level 7

Hi ,

Sequence numbers for named access-lists should be supported by the IOS which you are using in the 7206 router. That means the IOS should have that feature in it.

Please take a look at the following link at cisco.com...

http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps1838/products_feature_guide09186a0080134a60.html#89730

It shows that sequence numbers for ACLs were first introduced in 12.2(14)S, 12.2(15)T and 12.3(2)T.

Check whether the IOS in the router supports the sequence number for named access-list feature.

Hope it clarifies. Please rate it.

Thanks,

satish


If the IOS you have does not support sequence numbers (which, by the looks of it, it doesn't) then you will need to re-create the access-list.

The best way to do this is to create a second access-list and call it "Test2" (for this example) and then enter in the new permit statements.

Then apply the "Test2" access-list to the route-map. Keep both the access-lists on the router, as it will allow you to fall back to the previous one just in case something goes wrong.

The next time you need to add in another line to the middle of the ACL, clear the old "Test" list, enter in the new details, and apply that to the route-map.

HTH
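
The rebuild described in the reply above, as an added example that is not part of the original thread: it inserts the deny line at the requested position, prints the commands for "Test2", and uses a small first-match evaluator to show why the position matters, since a line typed into the existing list is appended at the end and is shadowed by the broader permit. The helper names (parse, first_match, insert_before, render) are hypothetical, and only the "<action> ip <source> any" entry form used in the thread is handled.

```python
import ipaddress

# ACL "Test" as posted in the thread (source-only entries: "<action> ip <src> any").
TEST_ACL = [
    "permit ip host 192.168.12.5 any",
    "permit ip host 192.168.13.2 any",
    "permit ip 192.168.200.0 0.0.0.255 any",
    "permit ip 172.16.10.0 0.0.0.255 any",
]

def parse(entry):
    """Return (action, base_address_int, wildcard_int) for one entry."""
    tok = entry.split()
    if tok[1] != "ip" or tok[-1] != "any":
        raise ValueError("only '<action> ip <source> any' is handled: " + entry)
    if tok[2] == "host":
        addr, wild = tok[3], "0.0.0.0"
    else:
        addr, wild = tok[2], tok[3]
    return tok[0], int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wild))

def first_match(acl, src):
    """First-match evaluation; an ACL ends with an implicit deny."""
    ip = int(ipaddress.IPv4Address(src))
    for entry in acl:
        action, base, wild = parse(entry)
        care = ~wild & 0xFFFFFFFF          # wildcard bits set to 1 are ignored
        if ip & care == base & care:
            return action
    return "deny"

def insert_before(acl, new_entry, existing_entry):
    """Copy of acl with new_entry placed directly before existing_entry."""
    i = acl.index(existing_entry)
    return acl[:i] + [new_entry] + acl[i:]

def render(name, acl):
    """IOS commands that create the list from scratch, no sequence numbers."""
    return "\n".join(["ip access-list extended " + name] + [" " + e for e in acl])

NEW = "deny ip host 192.168.200.5 any"
TEST2 = insert_before(TEST_ACL, NEW, "permit ip 192.168.200.0 0.0.0.255 any")
APPENDED = TEST_ACL + [NEW]   # what typing the line into the existing list gives

if __name__ == "__main__":
    print(render("Test2", TEST2))
    for label, acl in (("Test2", TEST2), ("appended", APPENDED)):
        print(label, "192.168.200.5 ->", first_match(acl, "192.168.200.5"))
```
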

Dear,

OK, thanks for the response. Please tell me from where I can download the newer version 12.3(7)T? I heard that if a person has a Cisco certification, he can download IOS from cisco.com. I have passed Composite, BCRAN and CIT.

Need your assistance Please.

Regards

Ramiz
