Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
532
Views
0
Helpful
3
Replies

ACL Nestingvs Service Policy

SivaKesava
Level 1
Level 1

‎11-05-2018 04:31 PM - edited ‎11-06-2018 12:52 PM

Hi all,

 

Consider two extended ACLs (extended_ACL1, extended_ACL2). If I want to apply both of them (allowed by any one of them) on the input for an interface I have to create a new ACL(merged_Extended) and then apply using 

"ip access-group merged_Extended in"

 

Is there any other better way?

Consider the same scenario where both the ACLs are to be applied. If I create a  class-maps as follows:
class-map match-any map1

   match access-group name extended_ACL1

   match access-group name extended_ACL2

 

Then create a policy-map as:

policy-map merged

   class map1    

     pass

   class class-default

     drop

 

Now If I apply these to the interface as :

interface TenGigabitEthernet1/4

  service-policy input merged

 

Is this a right approach? Can it be done like this?

  

Labels:
0 Helpful
3 Replies 3

paul driver
VIP
VIP

‎11-06-2018 01:46 AM

Hello

My understanding this wont work, The interface will it probably take the policy but the router wont process it.

Whats wrong using just the one extended acl to do the job?

 

 

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

SivaKesava
Level 1
Level 1
In response to paul driver

‎11-06-2018 01:05 PM

Consider the router config where we have defined extended_ACL1 and extended_ACL2 and use them on some interfaces. For another interface, I want to apply both of them(allowed by any one of the ACL) so I have to now create another extended ACL by copying lines from extended_ACL1 and extended_ACL2 and putting them together. This increases the config text so I was asking if there are any alternatives(like the one I suggested)?

ip access-list extended_ACL1
permit ip ....
permit ip ....

ip access-list extended_ACL2
permit udp ....
permit udp ....

ip access-list extended_merged
permit ip ....
permit ip ....
permit udp ...
permit udp ...
0 Helpful

paul driver
VIP
VIP
In response to SivaKesava

‎11-07-2018 12:53 AM - edited ‎11-07-2018 12:54 AM

Hello

 

@SivaKesava wrote:
so I was asking if there are any alternatives(like the one I suggested)?

As far as I am aware I dont think there is, but that's not to say there isnt one.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful
Customers Also Viewed These Support Documents