
Router ACL order

jason.aarons
Level 1

Is there a way in 12.2T code to insert something in the middle of the ACL? I keep doing a "no ip access-list extended DMZ_Screen_In", modify the ACL and then re-apply it. The actual ACL is about 100 lines and I've re-added it sometimes to find I missed something.

I'd like to be able to insert a line in the middle.

ip access-list extended DMZ_Screen_In
permit tcp any any established
permit tcp any eq ftp any gt 1023 log
permit tcp any eq ftp-data any gt 1023 log
permit udp any any eq ntp
permit tcp any any eq 19226
deny ip any any

2 Replies

smif101
Level 4

I think your best bet is to keep a text file of your whole access list. Then when you need to change something you add the change to the text file. From there at the top of the list, have a command that deletes the original access list and then the exact commands to redo the access-list. Cut and paste into the router and that way it is just a matter of seconds to redo it and you have it in the order you want.

jason.aarons
Level 1

Ok, I figured it out. The answer is to add a number at the beginning of the line that corresponds to the show access-list sequence number;

(the answer was to insert the number at the beginning of the line):

23RD_RTR#show access-list
Extended IP access list testjaarons
10 permit tcp host 10.144.144.144 host 10.155.155.155 eq www
20 permit tcp host 24.25.25.25 host 24.26.26.26 eq www
30 permit tcp host 110.10.10.10 host 111.10.10.10 eq ftp
40 permit tcp host 112.112.112.112 host 113.113.113.113 eq ftp
50 deny ip any any
23RD_RTR#config t
Enter configuration commands, one per line. End with CNTL/Z.
23RD_RTR(config)#ip access-list extended testjaarons
23RD_RTR(config-ext-nacl)#5 permit ip any any
23RD_RTR(config-ext-nacl)#exit
23RD_RTR(config)#exit
23RD_RTR#show access-list
Extended IP access list testjaarons
5 permit ip any any
10 permit tcp host 10.144.144.144 host 10.155.155.155 eq www
20 permit tcp host 24.25.25.25 host 24.26.26.26 eq www
30 permit tcp host 110.10.10.10 host 111.10.10.10 eq ftp
40 permit tcp host 112.112.112.112 host 113.113.113.113 eq ftp
50 deny ip any any
23RD_RTR#
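Added example, not from the thread or from Cisco: a small Python helper that parses `show access-list` output, picks a free sequence number in the gap ahead of a chosen entry, and emits the config-mode lines the answer above types by hand. It also flags a catch-all entry that would shadow every line behind it (first match wins), which is exactly what the `5 permit ip any any` test line in the thread does. The sample output is constructed from the thread; the `(N matches)` counter handling assumes the usual IOS output format.

```python
import re

# Constructed sample: the pre-insert 'show access-list' output from the thread,
# with one hit counter added to show it is stripped during parsing.
SAMPLE_SHOW = """\
Extended IP access list testjaarons
    10 permit tcp host 10.144.144.144 host 10.155.155.155 eq www
    20 permit tcp host 24.25.25.25 host 24.26.26.26 eq www (3 matches)
    30 permit tcp host 110.10.10.10 host 111.10.10.10 eq ftp
    40 permit tcp host 112.112.112.112 host 113.113.113.113 eq ftp
    50 deny ip any any
"""

NAME_RE = re.compile(r"^\s*Extended IP access list (\S+)")
ENTRY_RE = re.compile(r"^\s*(\d+)\s+((?:permit|deny)\s.*?)(?:\s+\(\d+ matches?\))?\s*$")


def parse_show_access_list(text):
    """Return (acl_name, [(seq, entry), ...]) parsed from 'show access-list' output."""
    name, entries = None, []
    for line in text.splitlines():
        m = NAME_RE.match(line)
        if m:
            name = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return name, entries


def free_seq_before(entries, before_seq):
    """Return a sequence number that sorts just ahead of before_seq, or None if there is no gap."""
    lower = max((s for s, _ in entries if s < before_seq), default=0)
    if before_seq - lower < 2:
        return None  # adjacent numbers: resequence the ACL (ip access-list resequence) first
    return lower + (before_seq - lower) // 2


def shadow_warning(entries, before_seq, entry):
    """Warn when a catch-all would be placed ahead of existing entries, making them dead."""
    if re.fullmatch(r"(permit|deny) ip any any", entry.strip()) and any(
        s >= before_seq for s, _ in entries
    ):
        return f"'{entry}' ahead of seq {before_seq} shadows every later line of the ACL"
    return None


def insert_commands(acl_name, entries, before_seq, entry):
    """Build the config-mode lines that insert `entry` ahead of sequence before_seq."""
    seq = free_seq_before(entries, before_seq)
    if seq is None:
        raise ValueError(f"no free sequence number before {before_seq}; resequence first")
    return [f"ip access-list extended {acl_name}", f"{seq} {entry}", "exit"]
```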