
Author Topic: Access list  (Read 1789 times)


rapzap (Rookie, Posts: 12)
Access list
« on: April 07, 2010, 02:36:31 PM »
Hello,
I had to add a new IP range 10.101.223.0/24 to an access list on a Cisco 2600, and I don't know if I did it OK:
Cisco2600#conf t
Cisco2600(config)#access-list 1 permit 10.101.223.0 0.0.0.255
When I listed the access list, the new IP range was put under the deny any:
Cisco2600#show access-list 1
Standard IP access list 1
    permit 10.101.200.23
    permit 10.101.200.24
    permit 10.101.200.25
    deny   any
    permit 10.101.223.0, wildcard...

Why was it put after the deny any??


Matt (Rookie, Posts: 13)
Re: Access list
« Reply #1 on: June 19, 2010, 06:32:32 AM »
Because on most Cisco hardware when you update an access list your new commands are appended to the end of the list. This is different on ASA firewalls where entries are line numbered so you can insert at a specific point in the list, a bit like on Checkpoint.

What you will need to do, I am afraid, is take a copy of the current list into Notepad or WordPad and edit the list to insert your new rule in the correct location, remembering that an access list is always executed top to bottom and will match on the first hit, irrespective of what rules follow.

Next you will need to delete the access list from the running configuration and re-apply the new list. It's a while since I have had to do this on a 2600, but I am fairly certain you will need to re-apply the list to whatever interfaces it was on.

CAUTION:
1. Make sure you get the order of the access list correct so you do not cut yourself off from the device in question.
2. When you delete the old access list, the rules are not held in memory, so traffic will flow freely until you apply the new list.

And finally, sorry for stating the obvious, but take a configuration backup before you start:
wri mem AND
copy start tftp etc.

All the best

david_vega (Rookie, Posts: 11)
Re: Access list
« Reply #2 on: June 24, 2011, 02:17:11 PM »
Before changing an ACL or updating the current ACL, be sure to test on a pilot network first or in router simulation tools like Dynamips or GNS3. If no pilot network is available, validate the ACL thoroughly before applying it to an interface. If you want to modify the current ACL, at the priv exec prompt, type:

show ip access-list <name or numbered acl>

and copy the output to Notepad for backup. You can edit an existing ACL on the router by inserting a number in between the line items, e.g.

conf t
ip access-list standard 1
17 permit host 1.1.1.1
end
wr

The above will insert an ACL entry on line 17, which will be between 15 and 20. Line 17 will reset to another number upon a router reboot. If this is a hassle (in most cases), make sure that the ACL is removed from the interface before uploading the new ACL script, e.g.

conf t
interface gi0/1
no ip access-group 1 <in or out>
exit

no ip access-list standard 1

ip access-list standard 1    >>>> enter the NEW ACL entries here

interface gi0/1
ip access-group 1 <in or out>
end

wr

Hope it makes sense. ACLs need careful planning before implementation as they can cause traffic blocking.

David
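The following is an added worked example, not code from any of the posters or from Cisco: a small Python model of IOS standard-ACL behaviour (wildcard-mask matching, first match wins, implicit deny at the end, plain "access-list N ..." commands appending at the bottom, and "<seq> permit ..." under "ip access-list standard N" placing by sequence number). It reproduces rapzap's shadowed entry, then applies david_vega's sequence-number insert, and finally renders the cleaned-up list in the form Matt suggests pasting back after removing the old one. The sequence-number gaps of 10, the 10.101.x.x addresses and the host 192.0.2.0/24 test address are taken from the thread or constructed for the example; the class and function names are the example's own.

```python
# Added example (not from the thread): simulator of Cisco IOS standard ACL semantics.
import ipaddress
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF


@dataclass
class Entry:
    seq: int
    action: str    # "permit" or "deny"
    network: int   # IPv4 address as an integer
    wildcard: int  # wildcard mask as an integer; 1 bits are "don't care"

    def matches(self, addr: int) -> bool:
        fixed = ~self.wildcard & MASK32
        return (addr & fixed) == (self.network & fixed)

    def covers(self, other: "Entry") -> bool:
        # True when every address `other` matches is also matched by self: all of
        # self's fixed bits must be fixed in `other` too and carry the same value.
        fixed = ~self.wildcard & MASK32
        return (other.wildcard & fixed) == 0 and (other.network & fixed) == (self.network & fixed)

    def text(self) -> str:
        net = ipaddress.IPv4Address(self.network)
        if self.wildcard == MASK32:
            return f"{self.action} any"
        if self.wildcard == 0:
            return f"{self.action} host {net}"
        return f"{self.action} {net} {ipaddress.IPv4Address(self.wildcard)}"


def parse_entry(seq: int, line: str) -> Entry:
    """Accepts 'permit 10.0.0.0 0.0.0.255', 'permit host 1.1.1.1', 'permit 1.1.1.1', 'deny any'."""
    parts = line.split()
    action = parts[0]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action: {action}")
    if parts[1] == "any":
        net, wc = "0.0.0.0", "255.255.255.255"
    elif parts[1] == "host":
        net, wc = parts[2], "0.0.0.0"
    elif len(parts) == 2:
        net, wc = parts[1], "0.0.0.0"  # a bare address means a single host
    else:
        net, wc = parts[1], parts[2]
    return Entry(seq, action, int(ipaddress.IPv4Address(net)), int(ipaddress.IPv4Address(wc)))


class StandardAcl:
    def __init__(self, number: int):
        self.number = number
        self.entries = []

    def append(self, line: str) -> Entry:
        """'access-list N ...' in config mode: the new entry always lands at the end."""
        seq = self.entries[-1].seq + 10 if self.entries else 10
        e = parse_entry(seq, line)
        self.entries.append(e)
        return e

    def insert(self, seq: int, line: str) -> Entry:
        """'<seq> permit ...' under 'ip access-list standard N': placed by sequence number."""
        if any(e.seq == seq for e in self.entries):
            raise ValueError(f"sequence {seq} already in use")
        e = parse_entry(seq, line)
        self.entries.append(e)
        self.entries.sort(key=lambda x: x.seq)
        return e

    def remove(self, seq: int) -> None:
        self.entries = [e for e in self.entries if e.seq != seq]

    def resequence(self, start: int = 10, step: int = 10) -> None:
        """Renumber the way a reload does (the inserted 17 from the thread becomes something else)."""
        for i, e in enumerate(self.entries):
            e.seq = start + i * step

    def evaluate(self, addr: str):
        """First matching entry decides; no match at all means the implicit deny."""
        a = int(ipaddress.IPv4Address(addr))
        for e in self.entries:
            if e.matches(a):
                return e.action, e.seq
        return "deny", None

    def shadowed(self) -> list:
        """Sequence numbers of entries that can never be hit because an earlier entry covers them."""
        return [e.seq for i, e in enumerate(self.entries)
                if any(prev.covers(e) for prev in self.entries[:i])]

    def render(self) -> str:
        """Named-mode listing, ready to paste back after 'no ip access-list standard N'."""
        return "\n".join([f"ip access-list standard {self.number}"]
                         + [f" {e.seq} {e.text()}" for e in self.entries])


def reproduce_thread():
    acl = StandardAcl(1)
    for line in ("permit 10.101.200.23", "permit 10.101.200.24", "permit 10.101.200.25", "deny any"):
        acl.append(line)
    acl.append("permit 10.101.223.0 0.0.0.255")    # rapzap's addition lands after "deny any"
    before = acl.evaluate("10.101.223.7")           # ('deny', 40): seq 50 is never reached
    dead = acl.shadowed()                           # [50]
    acl.remove(50)
    acl.insert(35, "permit 10.101.223.0 0.0.0.255")  # david_vega's sequence-number insert
    after = acl.evaluate("10.101.223.7")            # ('permit', 35)
    acl.resequence()                                # numbers after a reload: 10, 20, ..., 50
    return before, dead, after, [e.seq for e in acl.entries], acl.render()
```

Calling `reproduce_thread()` returns the verdict before the fix, the list of dead entries, the verdict after the fix, the renumbered sequence numbers, and the rendered configuration; `shadowed()` is the check to run over a pasted-in list before applying it to an interface, since it flags exactly the "entry below deny any" mistake from the opening post.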