07-29-2012 03:43 AM - edited 03-07-2019 08:02 AM
Hi,
I have a lot of VLANs on the network and require the same set of ACLs for each VLAN, with only a minor addition. Therefore, is there a way to create a default ACL and combine it with another ACL, then add the result to the interface? This will save a lot of time and propagate ACL changes to all interfaces in the future.
ip access-list extended DefaultACLinbound
permit ip x.x.x.x m.m.m.m
permit ip x.x.x.x m.m.m.m
permit ip x.x.x.x m.m.m.m
permit ip x.x.x.x m.m.m.m
permit ip x.x.x.x m.m.m.m
ip access-list extended Building26ACLinbound
permit ip x.x.x.x m.m.m.m
permit ip x.x.x.x m.m.m.m
DefaultACLinbound + Building26ACLinbound = B26ACLinbound
interface Vlan260
ip access-group B26ACLinbound in
Thanks
Mike
07-29-2012 05:17 AM
Hi Mike,
As far as I know, you cannot do that in a VACL or a routed-interface ACL; you can only do that for QoS, using a class-map and policy-map.
I am not sure whether this feature is available in the latest versions either.
By
Karthik
07-30-2012 04:41 AM
Hi
Yes, as far as I know Karthik is right.
But what do your subnets look like? Can you combine the subnets so that you can get all statements into one ACL instead of two?
This is what I do over here (as far as possible with my subnets), and that way I have one and the same ACL on many interfaces.
Something like
Extended IP access list traffic-to-server-outside
10 permit tcp 10.1.64.0 0.0.63.255 any eq ftp-data (all subnets from 10.1.64.0 to 10.1.127.0)
20 permit tcp 10.1.144.0 0.0.7.255 any eq ftp-data (all subnets from 10.1.144.0 to 10.1.151.0)
etcetera
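The summarization above works because a wildcard mask of an aligned block (0.0.63.255 for a /18, 0.0.7.255 for a /21) matches every subnet inside it. The risk when doing this by hand is that the block also covers subnets you did not list, so the ACE permits more than intended. The following script is an added example, not part of the original thread: it takes a list of subnets, finds the smallest aligned block covering them, emits the matching Cisco ACE, and reports how many addresses the ACE covers beyond the listed subnets. The protocol and port are assumed to match the poster's example (tcp, ftp-data); the subnet lists are constructed from the ranges quoted in the post.

```python
import ipaddress


def ace_for(networks, proto="tcp", port="ftp-data"):
    """Summarize a list of IPv4 subnets into one Cisco extended ACE.

    Returns (ace_text, summary_network, extra_addresses) where
    extra_addresses is the number of addresses the ACE matches that are
    NOT in the input list. A non-zero value means the summary is
    over-permissive and should be reviewed before it is applied.
    """
    # Merge adjacent/overlapping inputs first so we do not double-count them.
    nets = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(n) for n in networks))

    # Grow a supernet from the first subnet until it contains every input.
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()

    # For an aligned CIDR block, the Cisco wildcard mask is the host mask.
    ace = f"permit {proto} {summary.network_address} {summary.hostmask} any eq {port}"
    extra = summary.num_addresses - sum(n.num_addresses for n in nets)
    return ace, summary, extra


if __name__ == "__main__":
    # Constructed input: the two ranges quoted in the post, plus a gap case.
    cases = {
        "10.1.64.0-10.1.127.0": [f"10.1.{i}.0/24" for i in range(64, 128)],
        "10.1.144.0-10.1.151.0": [f"10.1.{i}.0/24" for i in range(144, 152)],
        "two non-adjacent /24s": ["10.1.64.0/24", "10.1.127.0/24"],
    }
    for label, nets in cases.items():
        ace, summary, extra = ace_for(nets)
        flag = "" if extra == 0 else f"  <-- covers {extra} unlisted addresses"
        print(f"{label:24} {ace}{flag}")
```

When the inputs are contiguous and aligned, as in the post, the extra count is zero and the ACE is exact; when they are not, the script shows how much additional address space the single ACE would permit, which is the check to make before collapsing several ACLs into one.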
07-31-2012 04:23 AM
Hi,
Thanks for your help. Shame there is no easy solution.
Mike
03-03-2025 04:16 PM - edited 03-04-2025 09:06 AM
You can, with a router, in the same ACL list.
03-03-2025 04:40 PM - edited 03-04-2025 01:59 AM
As also noted by others, I am unaware of Cisco routers or L3 switches supporting nested/called ACLs for interfaces.
However, it wouldn't be an insurmountable problem to have a script merge ACLs into a combined ACL, perhaps even by an EEM script. (To make the scripting simpler, you might use specific ACL names and/or embedded ACL remark statements, to help a script identify what should be merged into an applied composite ACL.)
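Here is an added example of the merging approach described in that post; it is not code from the thread or from Cisco. It parses `ip access-list extended` blocks out of a configuration text, concatenates the named parts into one composite ACL with fresh sequence numbers and `remark` lines recording where each section came from, drops duplicate entries, and flags the case that makes naive merging unsafe: ACLs are first-match, so a catch-all `deny ip any any` in the default ACL would shadow every entry appended after it. The configuration text is constructed for the example, and the ACL names follow the original question.

```python
import re

# Constructed sample configuration (not from the thread). The explicit
# trailing deny in the default ACL is there to exercise the shadowing check.
SAMPLE_CONFIG = """\
ip access-list extended DefaultACLinbound
 remark === default rules, applied to every VLAN ===
 permit ip 10.0.0.0 0.255.255.255 10.10.10.0 0.0.0.255
 permit udp any any eq 53
 deny   ip any any log
ip access-list extended Building26ACLinbound
 remark === building 26 only ===
 permit tcp 10.26.0.0 0.0.255.255 10.20.0.0 0.0.255.255 eq 443
!
"""


def parse_extended_acls(config):
    """Return {acl_name: [entry, ...]} for every extended ACL in the config.

    Entries are whitespace-normalized and stripped of sequence numbers so
    that identical rules from different ACLs compare equal.
    """
    acls, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^ip access-list extended (\S+)", line)
        if m:
            current = m.group(1)
            acls[current] = []
            continue
        if current is None or not line.startswith(" "):
            current = None          # left the ACL block ("!", blank, other cmd)
            continue
        entry = " ".join(line.split())
        entry = re.sub(r"^\d+ ", "", entry)   # drop leading sequence number
        acls[current].append(entry)
    return acls


def merge_acls(acls, parts, name, step=10):
    """Build a composite ACL from `parts` (applied in the given order).

    Returns (config_text, warnings). A warning is produced when a part that
    is not last ends in a catch-all deny, because first-match evaluation
    would make every later entry unreachable.
    """
    lines = [f"ip access-list extended {name}"]
    seen, seq, warnings = set(), step, []
    for i, part in enumerate(parts):
        lines.append(f" remark --- merged from {part} ---")
        for entry in acls[part]:
            if entry.startswith("remark") or entry in seen:
                continue        # provenance remarks are rewritten; dups dropped
            if re.match(r"^deny ip any any", entry) and i < len(parts) - 1:
                warnings.append(
                    f"{part}: '{entry}' precedes entries from later parts "
                    f"and would shadow them")
            seen.add(entry)
            lines.append(f" {seq} {entry}")
            seq += step
    return "\n".join(lines), warnings


if __name__ == "__main__":
    acls = parse_extended_acls(SAMPLE_CONFIG)
    # Order the per-building rules first so the default catch-all stays last.
    text, warnings = merge_acls(
        acls, ["Building26ACLinbound", "DefaultACLinbound"], "B26ACLinbound")
    print(text)
    for w in warnings:
        print("WARNING:", w)
```

The merge order is the security-relevant decision: the default ACL's catch-all belongs at the end of the composite, so the per-VLAN additions go before it. Run the same function with the parts reversed and the warning shows why a literal "default + building" concatenation would silently discard the building rules.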