02-08-2006 02:08 PM - edited 03-03-2019 11:41 AM
Thanks in Advance.
I've been experiencing minor issues being able to add a new access list to a router that is running version 11.3 on a 2600 router.
Here is an example:
access-list 101 permit tcp 100.100.100.100
access-list 101 permit tcp 100.100.100.100
access-list 101 permit tcp 100.100.100.123
access-list 101 permit tcp 100.100.100.122
access-list 101 permit tcp 100.100.100.111
access-list 101 permit tcp 100.100.100.116
access-list 101 deny tcp any any
Problem: I am unable to add new ACLs without having to rewrite the table. If I add the new 101 line it places the new permit entry on the bottom of the list. How can I add this line before the deny line?
-fz
Solved! Go to Solution.
02-08-2006 02:19 PM
Hi,
That is how numbered ACLs work - every time you add an entry, it gets added to the bottom of the list. One option is to delete the whole ACL and re-enter it as you want (with all the original lines included as well).
The other option is to use named IP ACLs. An example follows:
ip access-list extended MyACL
10 permit tcp host 100.100.100.100 any
20 permit tcp host 100.100.100.123 any
30 deny tcp any any
With named ACLs, you can use the 'no' command to selectively remove entries. In addition, a sequence number can be specified for the entries, allowing you to enter new entries between existing ones.
Hope that helps - pls rate the post if it does.
Paresh
02-08-2006 03:00 PM
Thanks... are there any best practices on the Cisco site on how to categorize your filters? The 100, 101, 102 take precedence, correct? Whichever's in line.
-fz
02-08-2006 03:07 PM
Do you mean the ACL numbers used for extended ACLs? Well, the ACL numbers simply determine what sort of ACL it is (standard IP, extended IP, standard IPX etc). There is no concept of precedence with these at all... Besides, you can only apply one ACL per direction per interface so you should never have a situation where the router has to choose between two.
If you mean the sequence numbers I indicated earlier for named ACLs, then yes, the lower numbered lines are evaluated before the higher numbered ones. As with any other ACLs, the evaluation stops at the first match. If nothing matches, an implicit deny takes place.
Hope that helps.
Paresh
02-08-2006 07:24 PM
Can you give me an example?
thanks..
02-08-2006 07:30 PM
Here is one:
ip access-list extended MyACL
10 permit tcp 10.0.0.0 0.0.0.255 any
20 deny tcp host 10.1.1.1 any
30 permit tcp 10.1.1.0 0.0.0.255 any
Consider the above: the ACL will be evaluated in order from 10 to 30. If the source address is 10.1.1.1, it will match line 20 and will be denied. Note that 10.1.1.1 also matches line 30 but since line 20 comes before line 30, the IP matches line 20 first and line 30 will not be evaluated. As soon as there is a match (either permit or deny), evaluation stops.
Pls do remember to rate posts.
Paresh
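A worked model of the behaviour Paresh describes in the replies above: entries are evaluated from the lowest sequence number up, evaluation stops at the first match, an implicit deny applies if nothing matches, and on a named ACL a line can be inserted by sequence number or removed with 'no'. This is an added Python example, not code from the thread or from Cisco. It simulates IOS wildcard-mask matching for the source/destination forms used in the thread ('host A', 'any', 'A WILDCARD') and ignores port qualifiers; the NamedACL class, its method names and the sample flows are the example's own constructions.

```python
"""Simulate Cisco IOS extended-ACL evaluation: ordered entries, first match
wins, implicit deny at the end.  Added example, not the thread's own code."""
from dataclasses import dataclass
from ipaddress import IPv4Address


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 0 bit must match exactly, a 1 bit is 'don't care'."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class Entry:
    seq: int
    action: str   # 'permit' or 'deny'
    proto: str    # 'tcp', 'udp', 'ip', ...
    src: str
    src_wc: str
    dst: str
    dst_wc: str

    def matches(self, proto: str, src: str, dst: str) -> bool:
        if self.proto not in ("ip", proto):
            return False
        return (wildcard_match(src, self.src, self.src_wc)
                and wildcard_match(dst, self.dst, self.dst_wc))


def parse_entry(line: str) -> Entry:
    """Parse e.g. '20 deny tcp host 10.1.1.1 any'.  Assumption: no port qualifiers."""
    toks = line.split()
    seq, action, proto, rest = int(toks[0]), toks[1], toks[2], toks[3:]

    def take(r):
        if r[0] == "host":          # single address: wildcard 0.0.0.0
            return r[1], "0.0.0.0", r[2:]
        if r[0] == "any":           # any address: wildcard all ones
            return "0.0.0.0", "255.255.255.255", r[1:]
        return r[0], r[1], r[2:]    # explicit network + wildcard

    src, src_wc, rest = take(rest)
    dst, dst_wc, rest = take(rest)
    return Entry(seq, action, proto, src, src_wc, dst, dst_wc)


class NamedACL:
    """Named ACL keyed by sequence number (the 'ip access-list extended' model)."""

    def __init__(self, name: str, lines=()):
        self.name = name
        self.entries = {}
        for line in lines:
            self.add(line)

    def add(self, line: str) -> None:
        e = parse_entry(line)
        if e.seq in self.entries:   # IOS refuses a duplicate sequence number
            raise ValueError(f"duplicate sequence number {e.seq}")
        self.entries[e.seq] = e

    def remove(self, seq: int) -> None:
        """Equivalent of 'no <seq>' inside the named ACL."""
        del self.entries[seq]

    def evaluate(self, proto: str, src: str, dst: str):
        """Return (action, seq) of the first matching line, or ('deny', None)."""
        for seq in sorted(self.entries):
            if self.entries[seq].matches(proto, src, dst):
                return self.entries[seq].action, seq
        return "deny", None          # implicit deny at the end of every ACL


def demo():
    """Replays the thread's ACL and the original poster's ordering problem."""
    acl = NamedACL("MyACL", [
        "10 permit tcp 10.0.0.0 0.0.0.255 any",
        "20 deny tcp host 10.1.1.1 any",
        "30 permit tcp 10.1.1.0 0.0.0.255 any",
    ])
    dst = "198.51.100.7"                       # constructed destination
    before = acl.evaluate("tcp", "10.1.1.1", dst)   # hits line 20, line 30 never seen
    acl.add("15 permit tcp host 10.1.1.1 any")       # inserted between 10 and 20
    after = acl.evaluate("tcp", "10.1.1.1", dst)     # now permitted by line 15
    # The numbered-ACL problem from the question: appending after 'deny tcp any any'
    numbered = NamedACL("101", ["10 permit tcp host 100.100.100.100 any",
                                "20 deny tcp any any"])
    numbered.add("30 permit tcp host 100.100.100.123 any")   # lands below the deny
    shadowed = numbered.evaluate("tcp", "100.100.100.123", dst)
    return before, after, shadowed


if __name__ == "__main__":
    print(demo())
```

On the router itself the same insertion is done under 'ip access-list extended MyACL' by entering '15 permit tcp host 10.1.1.1 any', and the removal with 'no 20'; 'show access-lists MyACL' then displays the entries in sequence order. This assumes an IOS release that supports sequence numbers on named ACLs. The last part of demo() reproduces the original poster's situation: an entry appended after 'deny tcp any any' is never reached, so the traffic it was meant to permit is still denied by the earlier line.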
02-08-2006 07:33 PM
Would I be able to give the line an identity?
Ex:(Line 1)
access-list 101 permit tcp (Line 1) 100.100.100.100
access-list 101 permit tcp (Line2) 100.100.100.100
access-list 101 permit tcp 100.100.100.123
access-list 101 permit tcp 100.100.100.122
access-list 101 permit tcp 100.100.100.111
access-list 101 permit tcp 100.100.100.116
access-list 101 deny tcp any any