Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chriss Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Can you add statements to an ACL without having to recreate it? 5

Status
Not open for further replies.
CaGirl

CaGirl

MIS
Jul 15, 2004
35
US
Sorry everyone; I'm kinda new to this- this is my last question. :-) I have an access list that contains several statements and is already created and working. I now need to add a few more statements to it. I've heard that this can be done without recreating the whole acl- is this true? If so, how? I've also heard that additions to an acl appear at the very bottom of the list- how can I rearrange them? Thank you very much for your help!
 
Sort by date Sort by votes
All new lines will be added to the bottom of the access-list. This is important to know, because when a packet is being inspected, it starts at the top line of the access-list. If it matches a rule, it will be applied. Otherwise it works its way down. If it doesn't match any rules, it will be dropped because of the implicit deny ip any any. If you want to change the order, copy the access-list to a text file, put it in the order you want, remove the acces-list from the router config, and then reapply the new access-list.
 
Upvote 0 Downvote
Please let me make sure I have this right- I can make changes to the acl by copying it to a text editor and editing it there, putting in the appropriate command while in global config mode (example: no access-list 110), and then pasting in the newly edited list and applying it to an interface (same way I would if I were creating it for the first time)? This is something that I'll be doing with my boss soon, and I definitely want to make sure it's done right- the first time!
 
Upvote 0 Downvote
Also, if he decides he doesn't want to remove the old access list but instead wants to just add the new statements to the already existing list, what are the commands to do that? Do you just create the list in config mode and give it the same number as the group you wish to add it to and leave it at that? Or do you have to specifically apply it to the interface? What I'm trying to say is, by giving it the same number as the group you're adding it to, does that automatically apply it to the same interface and direction as that group? (Does that make sense to you?)
 
Upvote 0 Downvote
The answer to your text editing method is yes.

As far as simplying adding to an access-list, just add the lines. For example, if I want to add access to a web server, I would do the following to add on to access-list 120...

conf t
access-list 120 permit tcp any host x.x.x.x eq 80.

This will add the line to the bottom of the already existing access-list 120.
 
Upvote 0 Downvote
Just wanted to add a little caution when changing access lists that many of us have learned the hard way.

Depending upon which interface the ACL is applied to, you may lock yourself out when editing the ACL. Especially when you do a "no access-list.....". This is expecially important when working on a remote router. You could accidentally lock yourself out and kill all traffic to that interface which would mean somebody has to physically go to the router.

Basically, if you kill an ACL while it is still applied to an interface, the implied 'deny all' kicks in and traffic will be blocked. If you are remotely connected, it can really be a problem.

What I do to keep myself safe is put everything into a text file first and QA it like you mentioned. My example would be...

--------------

conf t
interface e0
no ip access-group 100 in
!
no access-list 100
access-list 100 ..... (new acl goes here)
!
end

====================

Then, when you are 100% sure that the ACL will work:

conf t
interface e0
ip access-group 100 in
!
end
==================

I was fortunate that when I learned this the hard way in the past, there was someone at the remote site who could power cycle the router for me. As it was halfway across the country and provided ISP services for several communities, needless to say I scared the H*** out of myself.

Hope this helped.

BierHunter
CNE, MCSE, CCNP
 
Upvote 0 Downvote
Good point bierhunter...I just figured she was local to the router. I have found out the hard way also.. I still have people in our level 1 department that do this on a regular basis. I have told them to do a "reload in 5" everytime they log into a router as a failsafe...but they forget and they get burned.
 
Upvote 0 Downvote
Hence why you should have a modem or some other kind of 'out-of-band' management setup, heh...


BuckWeet
 
Upvote 0 Downvote
Hi,

Nothing technical here just a working practice that has worked well for me.

When editing an access list, and copying it back to the router configuration - rename it with a different access list number. Then you have two access lists on your router - which you can switch between easily on your router.

eg.

access-list 100
--original access list statements

access-list 120
--new access list statements

conf t
interface serial 0/0
no ip access-group 100 in
ip access-group 120 in

Just a thought..,
Phil.

If everything is coming your way then you're in the wrong lane.
 
Upvote 0 Downvote
Wow! That's a really good point- I hadn't thought about that. Are you saying I should remove it from the interface first and THEN remove it from the router to avoid being locked out? (What did you do to fix it once that happened?)
I’m hoping it won’t be a problem in this case; we have two access lists on the router: a standard acl allowing certain computers to access the router (including the one I'm working from) and an extended acl allowing users on another network to access some of our servers. This is the acl we want to change. I'm connected to the router via telnet, and if I only remove the extended list, it shouldn't lock me out (I hope!), right? And here's a question: I know that if I give the edited list the same number as the one we already have and then try to apply to the interface, it will just be added to the bottom of the existing list, and I know that you can only have one access list per interface per direction- so what happens if I edit the existing acl, give it a different number, and put it on the interface with the existing acl? Which of the two would then take effect? The old one, the new one, or neither? Could I do that and then just remove the old one once I know the new one is going to work? Thank you very much for your help- as I said before, I'm pretty new to this- but I'm learning. :-)
 
Upvote 0 Downvote
Whoa- I submitted this before I even saw what you wrote Phil- sorry about that! :-) So that does work??
And Rudeboy, what do you mean by "reload in 5" everytime you log on?
 
Upvote 0 Downvote
If you are logging into a router remotely that doesn't have a back up connection to it, it is good to do the "reload in 5" command. If for some reason, you make a change that locks you out, the router will reboot 5 minutes from the time you did the reload command. Make sure that the config is saved immediately after you login the first time. When done making your changes , just type reload cancel. If you are a slow typer or your changes will take longer than a few minutes to test, try reload in 10,11,12,etc. (# is minutes). You should always remove the access-group from the interface first as this makes the access-list null. After the access-list is in the router the way you want it, that is when you reapply the access-group to the interface. I think CISCO only allows one access group per direction per interface.
 
Upvote 0 Downvote
Hi,

The reload in 5 command will simply reload the router in five minutes - this gives you time to alter the ACL. If you make a hash of it and get locked out, the router reboots back to the startup configuration - and you can get access back to it. If you don't make a mistake then, you can negate the reboot command (no reload in 5) and copy the config. It's a backout trick.

Now onto, multiple ACLs on a router...
You can only have one ACL applied to an interface in a given direction. If you inadverently apply two, only the first will actually be applied.
You can configure loads of ACLs on your router, but don't have to apply them to an interface.
The only reason I said "copy the ACL back to a different list number" is to avoid any confusion when you're applying it, you "no" the old one and apply the new one. Plus you retain a copy of the old ACL on the router for reference.

It's just a practice I use, I hope it helps you too.

Cheers,
Phil.

If everything is coming your way then you're in the wrong lane.
 
Upvote 0 Downvote
Oh- and since you didn't save the changes to the startup config, when it reboots you'll get the old config back again right?

So if I remove the access group from the interface but I don't delete the list itself, I can edit it, rename it, and apply the new one while leaving the old one on the router?

(You can have multiple acl's on an interface?)
 
Upvote 0 Downvote
Yes, after reboot, you will have access again.

You can have many access-lists in your router.

You can have 1 access-list for inbound and 1 for outbound on an interface.(maximum of 2)
 
Upvote 0 Downvote
Man!- I did it again! I posted my response before I got a chance to see your answer- I'm sorry! :-) So you're saying that as long as it's not applied to an interface, I can have as many acl's as I want? I like to err on the side of caution when I can- the idea of completely removing the working acl BEFORE I know the new one is going to work doesn't really thrill me. If I can have the old one as a backup that I can reapply if I need to- that would be great.
 
Upvote 0 Downvote
Oh- now I've done it to you Rudeboy! I'm sorry! That makes sense- and I thought the max was two, but when you said that only Cisco did that I was thinking maybe you could actually get away with more. (Although I'm not sure how that would work- if the packet doesn't match the criteria in your acl it will be discarded- and there would be nothing left to filter through any additional acl's!) Thank you so much for your help- I really really appreciate it.
CaGirl
 
Upvote 0 Downvote
That "reload in 5" is an excellent idea!

I've heard people mentione it before, but I always forget about it. I need to start doing that myself.

BierHunter
CNE, MCSE, CCNP
 
Upvote 0 Downvote
Here's a question for you: we made the changes to both acl's by adding the appropriate statements to it (my boss wasn't comfortable yet with the idea of removing it from the interface to replace it with a new one). We did the sh run command, but couldn't see all of the changes we had made. Only the changes on one of the acl's appeared. However, when we performed a sh access-list 100, all of the changes we made were there. Why couldn't we see those changes in the running config?
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

B
  • Locked
  • Question Question
Cisco IP phone 7841 8851 unable to forward all to external number
Replies
0
Views
389
badwolf1686
B
CPM86
  • Locked
  • Question Question
Cisco isr 4331 with IOS and sip busy fail over to 2nd sip number on pbx?
Replies
0
Views
540
CPM86
CPM86
Luzbel
  • Locked
  • Question Question
Connecting HVAC controller to network
Replies
0
Views
562
Luzbel
Luzbel
Skip Rango
  • Locked
  • Question Question
how to backup cisco sg500-52p switch
Replies
1
Views
774
madwok
madwok
jarod_paris
  • Locked
  • Question Question
firmware for an AP2800 WiFi terminal
Replies
0
Views
604
jarod_paris
jarod_paris

Part and Inventory Search

Sponsor

Back
Top