
Multiple ACLs on IOS 11.2(16) Help

phershey (Level 1)

On a 2514 with 11.2 IOS, I'm trying to implement multiple ACLs to block all access to about 55 host addresses. I cannot seem to put them all into one ACL, or the list just disappears, and I'm unclear on how to properly set up multiple lists of about 10 addresses each.

Does each list, say 101-105, need a "permit ip any any" at the end, or just the final list applied to the interface? Will the lists be processed in numerical order or in the order in which they're applied to the interface? I'm assuming that I would implement the lists inbound on the interface that has all the user machines for which I want to block these sites. All my PCs being on E0, I'll want to enter "ip access-group 101 in" for all the lists through 105, correct?

I purchased the Cisco Field Guide for Access Lists, but I cannot find anything about how multiple lists are processed. If there's a good resource online with the info I need, I'll really appreciate help finding it.

My thanks in advance.

Phil Hershey

3 Replies

habibd (Level 1)

Hi Phil,

There is a good chapter in the ACRC book by Cisco.

ACRC Advanced Cisco Router Configuration Study Guide

Please refer to the following web site

http://btobsearch.barnesandnoble.com/booksearch/isbnInquiry.asp?btob=Y&isbn=0072119101

which describes all the various types and steps involved in access lists.

Thanks,

Habib U Dashti

j-lau (Level 1)

Hi, Phil,

Your post doesn't state what specific version of 11.2 IOS you're using, but I'm going to assume you're using a major release version that doesn't have bugs, etc.

Next, I'm going to assume that your 2514 (which you already know is "End-Of-Life," right?) has enough memory. Sometimes, when the ACL you're trying to create can't be made "large" enough, the underlying problem is not enough hardware memory. Since you're writing in real-time, there needs to be enough memory to store the access-list you're creating and subsequently running.

Last, your question seems to be asking if and how it's possible to apply multiple "access-group" ACL statements to a single interface. The quick and simple answer is that you can't.

In other words, you can't apply multiple IP "access-group" ACLs to the same interface like this:

config terminal

interface e0

ip access-group 101 in

ip access-group 102 in

ip access-group 103 in

In the above example, only the last line, "ip access-group 103 in", will be programmed into the router. The statements for ACLs 101 and 102 will seemingly disappear.

You can have one access-group list inbound and then another outbound:

ip access-group 101 in

ip access-group 102 out

If you want some on-line tips about access-lists, you might try one of these:

http://www.networkcomputing.com/907/907ws1.html

http://routergod.com/donking/

And of course, from Cisco:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt3/scacls.htm

(Be sure you copy and paste both lines...)

Last random thoughts:

1. If all the hosts are off of e0, I assume they're all on the same subnet. Are you defining specific statements for each PC, or are you doing network statements?

e.g.

! access-list <number> <permit|deny> <protocol> <source> <destination>; "host" = single address
access-list 102 permit ip host 1.1.1.1 host 2.2.2.2

access-list 102 permit ip host 3.3.3.3 host 4.4.4.4

(Ick)

Or this?

! IOS uses wildcard masks (inverse of the subnet mask): 0 bits must match, 1 bits are ignored
access-list 102 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255

or whatever (much better). Since all 55 PCs are on the same internetwork, you should be able to group them all together...?

2. On the flip side, if there are some PCs on that network that can't be grouped with the PCs you're trying to block, can you list the networks that should be permitted instead? (That is, block the source rather than the destination?)

3. If you place a "permit any any" on the end of each list, you are deliberately overriding the implicit "deny any any" at the end of each access-list.

4. Remember that the ordering of source and destination in access-lists is very important - especially if you use some lists as inbound and some as outbound. In other words, where 1.1.1.1 is some network and w.x.y.z is one of your PC's:

! inbound on e0: source is the 1.1.1.0/24 network (wildcard 0.0.0.255), destination is the single PC
access-list 102 permit ip 1.1.1.0 0.0.0.255 host w.x.y.z

interface e0

ip access-group 102 in

! outbound on e0: source and destination swapped
access-list 103 permit ip host w.x.y.z 1.1.1.0 0.0.0.255

interface e0

ip access-group 103 out

... are roughly equivalent in terms of permissions. (I know someone out there reading this is going to yell at me...)

Hope this helps and good luck!
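The reply above makes three points that are easy to get wrong on the CLI: only one `ip access-group ... in` per interface takes effect, host entries are best grouped into network statements with wildcard masks, and a list without a trailing `permit ip any any` ends in an implicit deny. The following Python script is an added example, not code from the original thread or from Cisco: it collapses a constructed list of blocked host addresses into the fewest aligned wildcard-mask entries, emits them as one extended ACL (number 101 and interface name Ethernet0 are assumptions) to be applied inbound on the PC interface, and evaluates that ACL the way IOS does, first match from the top with an implicit deny at the end. The evaluator only models `ip` entries without port qualifiers.

```python
# Added example (not from the original thread). Host addresses are constructed sample
# data; ACL number 101 and interface name "Ethernet0" are assumptions.
import ipaddress


def wildcard(prefixlen):
    """IOS wildcard mask for a prefix length: the bitwise inverse of the subnet mask.
    0 bits must match, 1 bits are 'don't care' (so 255.255.255.255 means 'any')."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF >> prefixlen))


def aggregate(hosts):
    """Collapse individual host addresses into the fewest aligned blocks."""
    return list(ipaddress.collapse_addresses(ipaddress.ip_network(h) for h in hosts))


def field(net):
    """Render a network as an IOS address/wildcard field."""
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {wildcard(net.prefixlen)}"


def build_acl(number, blocked_hosts):
    """One extended ACL: deny traffic from the PCs to every blocked host, then permit
    everything else. Applied inbound on the PC interface the blocked sites are the
    DESTINATIONS. The final permit overrides the implicit 'deny any any'."""
    lines = [f"access-list {number} deny ip any {field(net)}" for net in aggregate(blocked_hosts)]
    lines.append(f"access-list {number} permit ip any any")
    return lines


def interface_config(number, ifname="Ethernet0"):
    """Apply the list inbound on the PC interface. Only one 'ip access-group ... in'
    per interface is kept; entering a second one replaces the first."""
    return ["configure terminal", f"interface {ifname}", f"ip access-group {number} in", "end"]


def _take_field(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' starting at tokens[i]."""
    if tokens[i] == "any":
        return ("any",), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def matches(fld, addr):
    """Wildcard-mask comparison: bits set in the mask are ignored."""
    if fld == ("any",):
        return True
    base, wc = (int(ipaddress.IPv4Address(x)) for x in fld)
    return (int(ipaddress.IPv4Address(addr)) | wc) == (base | wc)


def evaluate(acl_lines, src, dst):
    """First-match evaluation, top to bottom, with the implicit deny at the end."""
    for line in acl_lines:
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[3] != "ip":
            continue  # only plain 'ip' entries are modelled here
        action = t[2]
        src_f, i = _take_field(t, 4)
        dst_f, _ = _take_field(t, i)
        if matches(src_f, src) and matches(dst_f, dst):
            return action
    return "deny"  # implicit deny any any


if __name__ == "__main__":
    # constructed sample block list: eight consecutive hosts plus two stragglers
    BLOCKED = [f"192.0.2.{i}" for i in range(16, 24)] + ["198.51.100.7", "203.0.113.200"]
    acl = build_acl(101, BLOCKED)
    print("\n".join(acl + interface_config(101)))
    print(evaluate(acl, "10.1.1.5", "192.0.2.20"))  # deny
    print(evaluate(acl, "10.1.1.5", "192.0.2.24"))  # permit
```

Note that `matches(("1.1.1.1", "255.255.255.255"), "9.9.9.9")` is true: a 255.255.255.255 "mask" in an IOS ACL is a wildcard that ignores every bit, which is why the corrected entries above use `host` or `0.0.0.0`, not the subnet mask. Dropping the final `permit ip any any` from the generated list makes every flow that reaches the end of it fall into the implicit deny.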

j-lau (Level 1)

I just brilliantly noticed your subject line which states you're running 11.2(16).

Of course, that level of IOS is considerably backlevel, and I would highly recommend you work with your Cisco engineer to validate the correct level of code for your router and business needs.