Adding Access List

pablo.arcelcr
Level 1

I'm trying to add an entry to an access list as follows:

access-list 22 permit 10.154.5.21

After I run a sh run | i access-list 22

it doesn't show the access list entry I just added

access-list 22 remark ****** VTY Access ACL ******
access-list 22 permit 10.107.34.72
access-list 22 permit 10.64.32.12
access-list 22 permit 10.64.169.125
access-list 22 permit 10.195.32.35
access-list 22 permit 10.195.32.25
access-list 22 permit 10.195.32.24
access-list 22 permit 10.124.127.0 0.0.0.31
access-list 22 permit 10.195.127.0 0.0.0.31
access-list 22 permit 10.199.127.0 0.0.0.31
access-list 22 permit 10.68.127.0 0.0.0.31
access-list 22 deny any log

What could be the issue?

1 Accepted Solution

Predrag Jovic
Level 3

The issue is that the statement is added at the end of the list (the statement is denied since deny any is listed above your new statement).

% Access rule can't be configured at higher sequence num as it is part of the existing rule at sequence num X

You can see statement numbers when show access-list is issued.

Generally you have two choices. You can place the statement between already existing statements:

ip access-list standard 22
 <sequence number> permit 10.154.5.21

Or delete and recreate access-list:

no access-list 22
!
access-list 22 remark ****** VTY Access ACL ******
access-list 22 permit 10.107.34.72
access-list 22 permit 10.154.5.21
access-list 22 permit 10.64.32.12
access-list 22 permit 10.64.169.125
access-list 22 permit 10.195.32.35
access-list 22 permit 10.195.32.25
access-list 22 permit 10.195.32.24
access-list 22 permit 10.124.127.0 0.0.0.31
access-list 22 permit 10.195.127.0 0.0.0.31
access-list 22 permit 10.199.127.0 0.0.0.31
access-list 22 permit 10.68.127.0 0.0.0.31
access-list 22 deny any log
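
An added example (not part of the original post and not Cisco tooling): a small Python check that applies the first-match rule to a standard numbered ACL and reports entries hidden behind an earlier, broader entry, such as a permit placed after deny any. The ACL text is a constructed subset of the list in the question with the new entry appended last, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: a subset of the ACL from the question, with the new
# permit appended after "deny any" as the answer above describes.
ACL_TEXT = """\
access-list 22 remark ****** VTY Access ACL ******
access-list 22 permit 10.107.34.72
access-list 22 permit 10.124.127.0 0.0.0.31
access-list 22 deny any log
access-list 22 permit 10.154.5.21
"""

def parse_acl(text):
    """Return [(action, address, wildcard, line)] for a standard numbered ACL."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            continue  # remarks, blank lines, anything that is not an entry
        args = [t for t in tok[3:] if t not in ("log", "host")]
        if args[0] == "any":
            addr, wild = 0, 0xFFFFFFFF
        else:  # a bare address or "host" means wildcard 0.0.0.0
            addr = int(ipaddress.IPv4Address(args[0]))
            wild = int(ipaddress.IPv4Address(args[1])) if len(args) > 1 else 0
        entries.append((tok[2], addr, wild, line.strip()))
    return entries

def covers(a, b):
    """True if entry a matches every source address that entry b matches."""
    care = ~a[2] & 0xFFFFFFFF  # bits that entry a actually compares
    return (b[2] & care) == 0 and (a[1] & care) == (b[1] & care)

def first_match(entries, source):
    """First matching entry wins; no match falls through to the implicit deny."""
    probe = ("", int(ipaddress.IPv4Address(source)), 0, "")
    for e in entries:
        if covers(e, probe):
            return e[0], e[3]
    return "deny", "(implicit deny)"

def shadowed(entries):
    """(entry, earlier entry hiding it) pairs: lines that can never match."""
    out = []
    for i, later in enumerate(entries):
        hit = next((e for e in entries[:i] if covers(e, later)), None)
        if hit:
            out.append((later[3], hit[3]))
    return out
```

Running `shadowed(parse_acl(ACL_TEXT))` flags the 10.154.5.21 permit as hidden by `deny any log`; with the permit moved above the deny, the list comes back empty.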


3 Replies

Julio E. Moisa
VIP Alumni

Hi Pablo,

You should use:

access-list 22 permit host 10.154.5.21

or 

access-list 22 permit 10.154.5.21 0.0.0.0

Now a new entry will be sent to the bottom so you need to move it up using sequence as crni00000 mentioned previously.

Hope it is useful

:-)




>> Mark as helpful or answered if the reply resolved your question; this helps future queries from other members of the community. <<

End result of issuing
access-list 22 permit host 10.154.5.21
or
access-list 22 permit 10.154.5.21
is the same.
