07-11-2014 11:52 AM - edited 02-20-2020 09:43 PM
Hello, I need help.
I am trying to add a new ACL entry, however it goes to the end of my permit list. How can I add it at the top on my router?
In ASA I can put it at the top by adding a line, however I'm not sure how to do that on a router.
access-list 101 deny ip host 192.168.5.2 host 192.168.50.9
access-list 101 permit ip any any
access-list 101 deny ip host 192.168.5.2 host 192.168.50.20
Thank you
07-11-2014 12:17 PM
Hi,
A bit rusty on the Router ACL side myself too and have forgotten the differences between different types of ACL.
Can you check the output of the following command:
show ip access-list 101
To my understanding that should show the ACL with the line/sequence numbers. If so, then I guess you could first remove the ACL line that you added to the end of the ACL and then try this:
ip access-list extended 101
15 deny ip host 192.168.5.2 host 192.168.60.20
Where the 15 is the line/sequence number at which to add the ACL entry. By default the router should start from 10 and then go up in increments of 10 (10, 20, 30, 40 and so on). With some ACLs I do tend to issue those line/sequence numbers differently so I can leave plenty of space between the rules if I need to add something later without removing and redoing the actual ACL.
If for some reason you are not able to add the line in the correct place as described above, I guess you can always redo the ACL. But in the case of routers I think, depending on the usage of the ACL, it should probably be removed from use wherever it's used so that removing it doesn't cause problems. To my understanding, removing an ACL used in the "line vty 0 4" and "interface" configurations might cause traffic to get blocked, so it's usually best to remove the ACL from use before redoing it.
Hopefully I didn't remember anything wrong :)
- Jouni
07-11-2014 12:45 PM
Thank you for the explanation. I have removed the whole ACL.
I tried this way but it's just showing invalid input. Is there something I am doing wrong?
Router#sh ip access-lists 101
Extended IP access list 101
deny ip host 192.168.5.2 host 192.168.60.20
permit ip any any
deny ip host 192.168.5.2 host 192.168.60.23
Router#conf t
Router(config)#ip access-list extended 101
Router(config-ext-nacl)#16 deny ip host 192.168.5.2 host 192.168.60.25
^
% Invalid input detected at '^' marker.
07-11-2014 12:49 PM
Hi,
Guess it doesn't work. I am not sure if it's a software-level related thing or what.
I wonder if it would make a difference if you configured the ACL with a name (an alphabetical rather than numerical name).
For example:
ip access-list extended TEST-ACL
And then entered the rules. Naturally if you have already removed the existing ACL you can configure it again and just enter the ACL lines in the order you want them.
- Jouni
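The two answers above describe three ways to get a rule into the right position: pick a free sequence number between its neighbours in named-ACL mode (`ip access-list extended 101` followed by `15 deny ...`), leave gaps so there is always room, or, when that is not possible, recreate the ACL in the desired order after detaching it from the interface or vty line. The script below is an added example written for this thread, not code from Jouni or from Cisco. It parses `show ip access-lists` output (a constructed sample with sequence numbers, and one modelled on the output posted above that shows none), then emits the configuration for whichever method applies. It goes one step beyond the thread: when the neighbouring entries are adjacent (for example 10 and 11) it first renumbers with `ip access-list resequence <acl> <start> <step>`, a command available on IOS releases that support sequence numbers; and when the router prints no sequence numbers at all it falls back to the rebuild approach, which you should only apply after removing the ACL from use, as the answer warns.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample (not from the thread): a router that displays sequence numbers
# and a hit counter on one line.
SAMPLE_WITH_SEQ = """\
Extended IP access list 101
    10 deny ip host 192.168.5.2 host 192.168.60.20
    20 permit ip any any (42 matches)
    30 deny ip host 192.168.5.2 host 192.168.60.23
"""

# Constructed sample modelled on the output posted above: no sequence numbers shown.
SAMPLE_NO_SEQ = """\
Extended IP access list 101
    deny ip host 192.168.5.2 host 192.168.60.20
    permit ip any any
    deny ip host 192.168.5.2 host 192.168.60.23
"""

HEADER_RE = re.compile(r"^(?:Standard|Extended) IP access list (\S+)")
# optional sequence number, action, rule text, optional "(N matches)" counter
ENTRY_RE = re.compile(r"^\s*(?:(\d+)\s+)?(permit|deny)\s+(.*?)(?:\s+\(\d+ matches?\))?\s*$")


@dataclass
class Entry:
    seq: Optional[int]   # None when the platform does not display sequence numbers
    rule: str            # e.g. "deny ip host 192.168.5.2 host 192.168.60.20"


def parse_acl(show_output: str) -> Tuple[str, List[Entry]]:
    """Parse 'show ip access-lists <acl>' output into (acl_name, [Entry, ...])."""
    lines = show_output.strip().splitlines()
    header = HEADER_RE.match(lines[0])
    if not header:
        raise ValueError("not a 'show ip access-lists' header: %r" % lines[0])
    entries = []
    for line in lines[1:]:
        m = ENTRY_RE.match(line)
        if m:
            seq = int(m.group(1)) if m.group(1) else None
            entries.append(Entry(seq, f"{m.group(2)} {m.group(3)}"))
    return header.group(1), entries


def plan_insert(name: str, entries: List[Entry], before_index: int, new_rule: str,
                start: int = 10, step: int = 10) -> Tuple[str, List[str]]:
    """
    Return (mode, config_lines) that place new_rule in front of entries[before_index]
    (before_index == len(entries) appends at the end).
      'insert'     - a free sequence number exists; one line in named-ACL mode
      'resequence' - neighbours are adjacent; renumber first, then insert
      'rebuild'    - no sequence numbers displayed; recreate the ACL in order
                     (detach the ACL from interfaces / vty lines before applying)
    """
    if not 0 <= before_index <= len(entries):
        raise IndexError("before_index out of range")

    if any(e.seq is None for e in entries):
        rules = [e.rule for e in entries]
        rules.insert(before_index, new_rule)
        config = [f"no ip access-list extended {name}", f"ip access-list extended {name}"]
        config += [f" {r}" for r in rules]
        return "rebuild", config

    prev_seq = entries[before_index - 1].seq if before_index > 0 else 0
    next_seq = entries[before_index].seq if before_index < len(entries) else None
    config: List[str] = []
    mode = "insert"
    if next_seq is not None and next_seq - prev_seq < 2:
        # No room between the neighbours: renumber to start/step, then recompute
        # where the neighbours will land (entry i becomes start + step * i).
        mode = "resequence"
        config.append(f"ip access-list resequence {name} {start} {step}")
        prev_seq = start + step * (before_index - 1) if before_index > 0 else 0
        next_seq = start + step * before_index
    seq = prev_seq + step if next_seq is None else (prev_seq + next_seq) // 2
    config += [f"ip access-list extended {name}", f" {seq} {new_rule}"]
    return mode, config


if __name__ == "__main__":
    for sample in (SAMPLE_WITH_SEQ, SAMPLE_NO_SEQ):
        acl, ents = parse_acl(sample)
        mode, cfg = plan_insert(acl, ents, 1, "deny ip host 192.168.5.2 host 192.168.60.25")
        print(f"{acl}: {mode}")
        print("\n".join(cfg))
```

Running it against the first sample reproduces the answer's suggestion exactly (`15 deny ...` between lines 10 and 20); against the second it produces a full rebuild, which is the only safe option when the router gives you no sequence numbers to anchor on.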
07-11-2014 07:32 PM
But in this way I will always have to remove the whole ACL first and then re-apply it in order. I am not sure if this is acceptable in a production environment.