Solved: Adding ACL to Edge Router

mahesh18 · ‎02-25-2014

Hi Everyone,

I need to add acl to edge router.

This router already has extended acl 115 which have hunderds of line.

i need to insert below acl to allow traffic from anywhere on port 80 to IP 200.x.x.x which is routers outside inetrface.

sequence number in used are from 4440 to 4800.

I need to insert new acl between above sequence numbers.

i know the syntax of ACL.

Need to confirm how can i do that without causing any outage in production network and if i need to backout how can i do it?

Regards

Mahesh

John Blakley · ‎02-25-2014

Mahesh,

You can add an entry to an acl without an outage, provided that the acl entry that you add doesn't affect traffic below it. For example, if you need to provide web traffic to 192.168.1.5 and that's line 10, and you put in line 9 to deny tcp any 192.168.1.0 0.0.0.255, then your 192.168.1.5 won't see that traffic because you're blocking it above. Make sense?

As far as the backout plan, you can usually do "no " and hit enter to remove the line. If you add:

4500 permit tcp any any eq 3900

You can remove with:

no 4500

The line will disappear. You'll need to make sure that you're in the extended acl when doing this though with "ip access-list ext 115".

HTH,
John

*** Please rate all useful posts ***

HTH, John *** Please rate all useful posts ***

View solution in original post

cadet alain · ‎02-26-2014

Hi,

To add to John answer, you could use the reload in feature so that if your change is breaking stuffs it will reload and the change won't be in the startup as you didn't copy from run, if it doesn't impact you can then do a reload cancel to abort the reload

Regards

Alain

Don't forget to rate helpful posts.

View solution in original post

John Blakley · ‎02-25-2014

Mahesh,

You can add an entry to an acl without an outage, provided that the acl entry that you add doesn't affect traffic below it. For example, if you need to provide web traffic to 192.168.1.5 and that's line 10, and you put in line 9 to deny tcp any 192.168.1.0 0.0.0.255, then your 192.168.1.5 won't see that traffic because you're blocking it above. Make sense?

As far as the backout plan, you can usually do "no " and hit enter to remove the line. If you add:

4500 permit tcp any any eq 3900

You can remove with:

no 4500

The line will disappear. You'll need to make sure that you're in the extended acl when doing this though with "ip access-list ext 115".

HTH,
John

*** Please rate all useful posts ***

HTH, John *** Please rate all useful posts ***

cadet alain · ‎02-26-2014

Hi,

To add to John answer, you could use the reload in feature so that if your change is breaking stuffs it will reload and the change won't be in the startup as you didn't copy from run, if it doesn't impact you can then do a reload cancel to abort the reload

Regards

Alain

Don't forget to rate helpful posts.

mahesh18 · ‎02-26-2014

MAny thanks John & Alain

Regards

MAhesh