Cisco 12000, how to block ip address?

Status
Not open for further replies.

tommy916

ISP
Joined
Nov 29, 2005
Messages
5
Location
US
How can I add a new IP address and place it at the top of the access-list? I want to block a specific IP address, but "permit ip any any" needs to be placed at the end of the access-list.

example:
----------------------------------
interface GigabitEthernet1/0
ip access-group 115 in
ip access-group 115 out

access-list 115 deny ip host 222.222.222.222 any
access-list 115 permit ip any any
----------------------------------
In case I want to block 111.111.111.111, I typed "access-list 115 deny ip host 111.111.111.111 any" and it puts it at the bottom of the access-list, where the permit is the 2nd entry. I don't want to lose the connection if I have to remove "access-list 115 permit ip any any" and enter it again to place it at the end.
It lists as this:
access-list 115 deny ip host 222.222.222.222 any
access-list 115 permit ip any any
access-list 115 deny ip host 111.111.111.111 any

It is not blocking 111.111.111.111.
 
You have to remove the access-list with the no access-list 115 command, then remake the access-list in the order you need.
 
With newer IOS levels, you can use named access lists and specify the sequence number when you create a new entry.

So for instance

access-list 115 deny ip host 222.222.222.222 any would be sequence number 10

access-list 115 permit ip any any would be sequence number 20

If I then wanted to add something between 10 and 20, I enter named ACL configuration and specify something like:

15 deny host 111.111.111.111 any

You can also resequence named ACLs at any time. This and the feature above make them very flexible for configurations like this.

 
The best thing to do is keep a copy of your access-list in a text file, so you can make changes to the text file, then delete the access-list from your router and copy and paste your edited access-list back into the router from the text file. Well, that's what I do so I don't have to retype my entire access-list if I need to change the order of the entries.
 
Yeah, Kisco is right, a named ACL is easier to reconfigure.
 
Kisco, I like your idea. I'd rather do sequence numbers than copy/paste the access-list. How do I make it a sequence number?
The version is 12.0(10)S8, Cisco 12008/GRP (R5000). I don't know how to find what IOS level I have.
 
Just do "sh ver" at the # prompt and look for something like this:

System image file is "flash:c1600-bk8nor2sy-mz.122-31.bin"
 
Not to be rude.. but you're working on Cisco 12K boxes and you're asking this question... :)
 
I don't think ACL sequencing was available in 12.0. I'm 99% sure it only became available in 12.3.

You can see for yourself if it works if your router understands the following command set:

router#conf t
router(config)#ip access-list extended test
router(config-ext-nacl)#45 permit ip any any

This will create a named ACL named test with one entry at sequence no. 45 that permits all IP.
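Added example, not posted by anyone in this thread: the full sequence-number workflow from Kisco's post, using the addresses from the original question, together with the "does my IOS understand this" check from the post above. The ACL name BLOCKLIST is an assumed name, and the whole thing assumes an IOS release that accepts sequence numbers in named ACL configuration (the previous post says 12.0 does not).

```cisco
! Added example, not from the thread. Assumes IOS with named-ACL sequence numbers.
router# configure terminal
router(config)# ip access-list extended BLOCKLIST
! Explicit sequence numbers leave gaps for later inserts.
router(config-ext-nacl)# 10 deny ip host 222.222.222.222 any
router(config-ext-nacl)# 20 permit ip any any
! New deny goes BEFORE the permit because 15 sorts between 10 and 20;
! without a sequence number it would be appended after the permit and never match.
router(config-ext-nacl)# 15 deny ip host 111.111.111.111 any
router(config-ext-nacl)# exit
! Apply the named ACL in place of the numbered one (inbound shown; add "out" as in the original if needed).
router(config)# interface GigabitEthernet1/0
router(config-if)# ip access-group BLOCKLIST in
router(config-if)# exit
! Optional: renumber 10, 20, 30, ... (start 10, step 10) to reopen gaps once they fill up.
router(config)# ip access-list resequence BLOCKLIST 10 10
router(config)# end
! Verify that both denies are listed ahead of the permit and watch the match counters.
router# show ip access-lists BLOCKLIST
```

The important check is the order shown by show ip access-lists: the deny for 111.111.111.111 must appear above permit ip any any, because the ACL is evaluated first match wins. Building the new list and switching the interface to it only after it is complete avoids the window where the original poster feared losing the connection.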
 
Yes, I'm learning to use Cisco because my co-worker (admin) got fired half a year ago and no one here knows how to use it.
 