04-18-2008 07:42 AM - edited 03-03-2019 09:37 PM
A router is running "c7200-advsecurityk9-mz.124-11.T.bin". We have a few hundred ACLs in our router. Every time we add one ACL entry we need to delete it first because there is a deny any at the end. Is there any way to make managing those ACLs easier? Just simply add one ACL entry without deleting the existing ACL.
04-18-2008 08:06 AM
And I just noticed another new behavior: you don't need to migrate to 'named' ACLs.
Here is my current ACL:
access-list 101 permit ip host 1.1.1.1 host 2.2.2.2
access-list 101 permit ip host 1.1.1.1 host 3.3.3.3
access-list 101 permit ip host 1.1.1.1 host 4.4.4.4
access-list 101 deny ip any any
Now, I want to add an additional entry before deny ip any any....
Rack1R4#show ip access-list
Extended IP access list 101
10 permit ip host 1.1.1.1 host 2.2.2.2
20 permit ip host 1.1.1.1 host 3.3.3.3
25 permit ip host 1.1.1.1 host 4.4.4.4
30 deny ip any any
Rack1R4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rack1R4(config)#ip access-list extended 101
Rack1R4(config-ext-nacl)#26 permit ip host 1.1.1.1 host 5.5.5.5
Rack1R4(config-ext-nacl)#do show run | sec 101
access-list 101 permit ip host 1.1.1.1 host 2.2.2.2
access-list 101 permit ip host 1.1.1.1 host 3.3.3.3
access-list 101 permit ip host 1.1.1.1 host 4.4.4.4
access-list 101 permit ip host 1.1.1.1 host 5.5.5.5
access-list 101 deny ip any any
__
Edison.
04-18-2008 07:59 AM
Instead of using 'numbered' ACLs, you should migrate to 'named' ACLs.
For example, here is a 'named' ACL with a deny at the end:
sh run | sec NETPRO
ip access-list extended NETPRO
permit ip host 1.1.1.1 host 2.2.2.2
permit ip host 1.1.1.1 host 3.3.3.3
deny ip any any
If I wanted to insert an entry before the deny any any...
Rack1R4#show ip access-lists NETPRO
Extended IP access list NETPRO
10 permit ip host 1.1.1.1 host 2.2.2.2
20 permit ip host 1.1.1.1 host 3.3.3.3
30 deny ip any any
Rack1R4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rack1R4(config)#ip access-list extended NETPRO
Rack1R4(config-ext-nacl)#25 permit ip host 1.1.1.1 host 4.4.4.4
Rack1R4(config-ext-nacl)#do show run | sec NETPRO
ip access-list extended NETPRO
permit ip host 1.1.1.1 host 2.2.2.2
permit ip host 1.1.1.1 host 3.3.3.3
permit ip host 1.1.1.1 host 4.4.4.4
deny ip any any
HTH,
__
Edison.
04-18-2008 08:03 AM
You should be able to delete the entries in the ACL by using sequence #s without having to delete the whole ACL, modify it and put it back.
Here you go.
R1#show access-list 100
Extended IP access list 100
10 permit ip 172.16.1.0 0.0.0.255 150.50.0.0 0.0.255.255 (2 matches)
20 permit ip 192.168.1.0 0.0.0.255 150.50.0.0 0.0.255.255
R1#config t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip access-list ext 100
R1(config-ext-nacl)#no 20
R1(config-ext-nacl)#end
R1#show access-list 100
Extended IP access list 100
10 permit ip 172.16.1.0 0.0.0.255 150.50.0.0 0.0.255.255 (2 matches)
HTH
Sundar
Edit: I just noticed Edison responded to this as well. It wasn't possible a while ago, but you have been able to use numbered ACLs to remove or add sequence #s for some time now.
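The three techniques in this thread (inserting an entry before the trailing deny on a numbered ACL, doing the same on a named ACL, and deleting one entry with 'no <seq>') all come down to reading the sequence numbers from 'show ip access-lists' and picking a free one. The Python helper below is added here as an example; it is not code from any of the posts above or from Cisco. It parses 'show ip access-lists' output in the format seen in the captures above, chooses a free sequence number between the last entry and the 'deny ip any any', and prints the exact commands to paste. When no free number is left between the two it falls back on 'ip access-list resequence <name> <start> <step>', a real IOS global-configuration command the thread does not mention. The sample output at the bottom is constructed from the thread's own entries plus one ACL (FULL) with no gap before the deny.

```python
"""Plan Cisco IOS ACL edits by sequence number from 'show ip access-lists' output.

Added example for this thread, not code from the original posts or from Cisco.
It assumes the IOS output format seen in the thread (one '<seq> <action> ...'
line per entry, optional '(N matches)' suffix) and the IOS commands
'ip access-list extended <name>', '<seq> <ace>' and 'no <seq>' shown there,
plus 'ip access-list resequence <name> <start> <step>', a real IOS global
configuration command the thread does not mention.
"""
import re
from dataclasses import dataclass, field

HEADER_RE = re.compile(r"^(Extended|Standard) IP access list (\S+)$")
ACE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\(\d+ matches?\))?\s*$")


@dataclass
class Ace:
    seq: int
    action: str   # 'permit' or 'deny'
    body: str     # rest of the entry, e.g. 'ip host 1.1.1.1 host 2.2.2.2'


@dataclass
class Acl:
    name: str     # number ('101') or name ('NETPRO'); IOS edits both the same way
    kind: str     # 'extended' or 'standard'
    aces: list = field(default_factory=list)


def parse_show_access_lists(text):
    """Return {acl_name: Acl} parsed from 'show ip access-lists' output."""
    acls, current = {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            current = Acl(name=m.group(2), kind=m.group(1).lower())
            acls[current.name] = current
            continue
        m = ACE_RE.match(line)
        if m and current is not None:
            current.aces.append(Ace(int(m.group(1)), m.group(2), m.group(3).strip()))
    return acls


def _is_catch_all_deny(ace):
    return ace.action == "deny" and ace.body == "ip any any"


def plan_insert_before_deny(acl, new_ace):
    """Return the IOS commands that add new_ace immediately before the trailing
    'deny ip any any' without touching any existing entry.

    If there is no free sequence number between the last entry and the deny,
    a resequence (10, 20, 30, ...) is emitted first so the insert still fits.
    """
    if not acl.aces or not _is_catch_all_deny(acl.aces[-1]):
        raise ValueError(f"ACL {acl.name} does not end with 'deny ip any any'")
    cmds = []
    prev_seq = acl.aces[-2].seq if len(acl.aces) > 1 else 0
    deny_seq = acl.aces[-1].seq
    if deny_seq - prev_seq < 2:
        # No gap: renumber the ACL in steps of 10 (the router does this in place).
        cmds.append(f"ip access-list resequence {acl.name} 10 10")
        prev_seq = (len(acl.aces) - 1) * 10
        deny_seq = len(acl.aces) * 10
    seq = (prev_seq + deny_seq) // 2   # midpoint leaves room on both sides
    cmds.append(f"ip access-list {acl.kind} {acl.name}")
    cmds.append(f"{seq} {new_ace}")
    return cmds


def plan_remove(acl, seq):
    """Return the IOS commands that delete one entry by sequence number."""
    if seq not in {a.seq for a in acl.aces}:
        raise ValueError(f"ACL {acl.name} has no entry with sequence {seq}")
    return [f"ip access-list {acl.kind} {acl.name}", f"no {seq}"]


# Constructed sample output, modelled on the captures in this thread.
SAMPLE_SHOW = """\
Extended IP access list 101
    10 permit ip host 1.1.1.1 host 2.2.2.2
    20 permit ip host 1.1.1.1 host 3.3.3.3
    25 permit ip host 1.1.1.1 host 4.4.4.4
    30 deny ip any any
Extended IP access list NETPRO
    10 permit ip host 1.1.1.1 host 2.2.2.2 (2 matches)
    20 permit ip host 1.1.1.1 host 3.3.3.3
    30 deny ip any any
Extended IP access list FULL
    10 permit ip host 1.1.1.1 host 2.2.2.2
    11 deny ip any any
"""

if __name__ == "__main__":
    acls = parse_show_access_lists(SAMPLE_SHOW)
    for name, ace in [("101", "permit ip host 1.1.1.1 host 5.5.5.5"),
                      ("NETPRO", "permit ip host 1.1.1.1 host 4.4.4.4"),
                      ("FULL", "permit ip host 1.1.1.1 host 9.9.9.9")]:
        print("\n".join(plan_insert_before_deny(acls[name], ace)), "\n")
    print("\n".join(plan_remove(acls["101"], 20)))
```

Run it as a script to see the commands for each sample ACL. The sequence numbers it plans are only valid against the numbering it parsed, so re-run 'show ip access-lists' right before pasting; and because the resequence step renumbers live entries on the router, anything else that tracks entries by sequence number (scripts, tickets, monitoring) needs to be updated in the same change.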
04-18-2008 10:14 AM
Edison,
It really helps. How can you get that info about ACLs?
thanks,
Ken
04-18-2008 10:46 AM
Ken,
The first iteration I learned during my CCNP studies and on the job.
The last iteration I learned today while playing with my gear for this very same post :)
Thanks for the rating and good luck !