Solved

How can we assign multiple access-groups to a single interface?

Posted on 2004-08-15
8
225 Views
Last Modified: 2010-04-17
Hello all,
I have a Cisco 2600 series router, and I have to make a lot of access-lists on this router for interface Ethernet 0/0,
but on any interface I can put only one access-group in or out.
For example, if I have to put access-group 111 and access-group 112 on the same interface, I can't do that.


Is there any process so that I can put multiple access-groups on a single interface?

Second,
I just made only one access-group, 111, on int ethernet 0/0, and
made that access-list:

interface Ethernet0
 
 ip address 192.168.64.1 255.255.255.0
 ip access-group 111 in
 ip nat inside
 ip route-cache flow
 half-duplex
!
access-list 111 permit tcp 192.168.65.0 0.0.0.7 host 203.78.172.34 eq www
access-list 111 permit udp 192.168.65.0 0.0.0.7 host 203.78.172.34 eq 80
access-list 111 permit tcp 192.168.65.0 0.0.0.7 host 203.78.173.25 eq telnet
access-list 111 permit tcp 192.168.65.0 0.0.0.7 host 195.27.162.31 eq www
access-list 111 permit tcp 192.168.65.0 0.0.0.7 host 195.27.162.31 eq 443
access-list 111 permit tcp 192.168.65.0 0.0.0.7 host 195.27.162.155 eq 443
access-list 111 permit udp 192.168.65.0 0.0.0.7 host 203.78.172.34 eq domain
access-list 111 permit tcp 192.168.65.16 0.0.0.7 host 195.27.162.155 eq 443
access-list 111 permit udp 192.168.65.16 0.0.0.7 host 203.78.172.34 eq domain
access-list 111 permit tcp 192.168.65.16 0.0.0.7 host 203.78.173.25 eq telnet
access-list 111 permit tcp 192.168.65.16 0.0.0.7 host 203.78.172.34 eq www
access-list 111 permit udp 192.168.65.16 0.0.0.7 host 203.78.172.34 eq 80
access-list 111 permit tcp 192.168.65.16 0.0.0.7 host 195.27.162.31 eq www
access-list 111 permit tcp 192.168.65.16 0.0.0.7 host 195.27.162.31 eq 443
access-list 111 permit ip 192.168.65.32 0.0.0.7 any
access-list 111 permit ip 192.168.64.0 0.0.0.255 any
access-list 111 permit tcp 192.168.65.24 0.0.0.7 host 203.78.172.34 eq www
access-list 111 permit udp 192.168.65.24 0.0.0.7 host 203.78.172.34 eq 80
access-list 111 permit udp 192.168.65.24 0.0.0.7 host 203.78.172.34 eq domain
access-list 111 permit tcp 192.168.65.24 0.0.0.7 host 203.78.173.25 eq telnet
access-list 111 permit tcp 192.168.65.24 0.0.0.7 host 195.27.162.31 eq www
access-list 111 permit tcp 192.168.65.24 0.0.0.7 host 195.27.162.31 eq 443
access-list 111 permit tcp 192.168.65.24 0.0.0.7 host 195.27.162.155 eq 443
access-list 111 permit tcp 192.168.65.64 0.0.0.31 host 203.78.172.34 eq www
access-list 111 permit udp 192.168.65.64 0.0.0.31 host 203.78.172.34 eq 80
access-list 111 permit udp 192.168.65.64 0.0.0.31 host 203.78.172.34 eq domain
access-list 111 permit tcp 192.168.65.64 0.0.0.31 host 203.78.173.25 eq telnet
access-list 111 permit tcp 192.168.65.64 0.0.0.31 host 195.27.162.31 eq www
access-list 111 permit tcp 192.168.65.64 0.0.0.31 host 195.27.162.31 eq 443
access-list 111 permit tcp 192.168.65.64 0.0.0.31 host 195.27.162.155 eq 443
access-list 111 permit ip host 192.168.65.67 any
access-list 111 permit ip host 192.168.65.68 any
access-list 111 permit ip host 192.168.65.69 any
access-list 111 permit ip host 192.168.65.70 any
access-list 111 permit ip host 192.168.65.71 any


I have that many access-list entries... My problem is that if I have to remove any one network's access-list entries, the whole access-list will be removed.
If I make separate access-lists like access-list 111 and access-list 222, I can't put all these access-lists on a single interface, Ethernet 0/0.
Can you please help me solve this problem?


sachham
Question by:sachham
8 Comments
 
LVL 8

Expert Comment

by:MarkDozier
ID: 11807561
First rule of access-lists:
ALWAYS HAVE A COPY. Do a cut and paste of the access-list into Notepad. Save this as the original.
Now save the file as the NEW access-list. Make your modification and save this, but leave it open in Notepad. Do a copy of the new access-list.
On the router, delete the access-list and then paste the new access-list into the router and test it. If it works, good; if not, cut the new one and paste the original back until you figure out the problem.

The second answer to your question is a little more difficult and involves the use of context-based access lists.
So first you need to get a good grasp of the basics of access-lists; then you can start doing CBAC.
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 125 total points
ID: 11809040
You can only have one access-list inbound and one outbound per interface.  There is no way to change this.  If working with a large access-list, use Notepad as MarkDozier suggests to ease modification of the list.  You could also use named access-lists, which allow you to remove one line without removing the entire list.  The downside is that new statements append only to the bottom, so you may end up using the Notepad method anyway.  To use named access-lists, use the following commands:

ip access-list extended <name>  (use whatever name you want, it is case sensitive)
permit tcp 192.168.65.0 0.0.0.7 host 203.78.172.34 eq www
permit tcp 192.168.65.0 0.0.0.7 host 203.78.173.25 eq telnet
...

To remove the second line without removing the entire list, you can do the following:

ip access-list extended <name>
no permit tcp 192.168.65.0 0.0.0.7 host 203.78.173.25 eq telnet

Only the one command will be removed, all others will remain.
 
LVL 50

Expert Comment

by:Don Johnston
ID: 11809306
You guys know we have sequence numbers on ACL's now, right?

I don't know about y'all, but I've been waiting YEARS for this.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122s/122snwft/release/122s14/fsaclseq.htm

-Don

 
LVL 11

Expert Comment

by:PennGwyn
ID: 11816235
We have sequence numbers ON RECENT VERSIONS of IOS.  All we know about this router is that it's a 2600 -- there's an awful lot of gear out there on 11.2 still....

 

Author Comment

by:sachham
ID: 11837807
Hello all,

Thanks for your reply, but my problem is still the same. If I do a name-based access-list like this:

ip access-list extended aaa
permit tcp 192.168.65.0 0.0.0.7 host 203.78.172.34 eq www
permit tcp 192.168.65.0 0.0.0.7 host 203.78.173.25 eq telnet

ip access-list extended bbb
permit tcp 192.168.64.0 0.0.0.7 host 203.78.172.34 eq www
permit tcp 192.168.64.0 0.0.0.7 host 203.78.173.25 eq telnet

in this scenario I can only put access-group aaa in/out or access-group bbb in/out on interface ethernet 0/0.
I can't put both the aaa and bbb access-lists on a single interface.
I want to put more than one access-group on a single interface. Is there any other command so that I can put more than one access-group on a single interface?

 
LVL 43

Expert Comment

by:JFrederick29
ID: 11840218
Why not just combine the two lists?

ip access-list extended aaa
permit tcp 192.168.65.0 0.0.0.7 host 203.78.172.34 eq www
permit tcp 192.168.65.0 0.0.0.7 host 203.78.173.25 eq telnet
permit tcp 192.168.64.0 0.0.0.7 host 203.78.172.34 eq www
permit tcp 192.168.64.0 0.0.0.7 host 203.78.173.25 eq telnet

You cannot add more than one access-list in the same direction on an interface.

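Added example, not from any participant in this thread: a small Python helper that does offline what the answers above describe. It parses the numbered access-list 111 lines from the question, renders them as a named ACL with sequence numbers (the feature Don Johnston links to), produces the "no <seq>" commands that remove just one source network's entries, combines two lists into the single list that one interface direction can carry, and evaluates sample packets against a list before and after the change so the edit can be checked before it is pasted into the router. The sample is a subset of the posted ACL, the ACL name inside-in and the 10/10 sequence numbering are assumptions, and the function names are mine, not IOS commands.

```python
"""
Offline helper for this thread's problem: IOS takes one ACL per direction per
interface, so "removing one network" means deleting its entries from that one
list.  Parse numbered ACEs, render them as a named ACL with sequence numbers,
emit the 'no <seq>' commands that drop a source network, merge two lists, and
evaluate sample packets (first match wins, implicit deny at the end).
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Constructed sample: a subset of the numbered ACL posted in the question.
SAMPLE_ACL_111 = """\
access-list 111 permit tcp 192.168.65.0 0.0.0.7 host 203.78.172.34 eq www
access-list 111 permit tcp 192.168.65.0 0.0.0.7 host 203.78.173.25 eq telnet
access-list 111 permit tcp 192.168.65.16 0.0.0.7 host 195.27.162.31 eq 443
access-list 111 permit ip 192.168.65.32 0.0.0.7 any
access-list 111 permit ip host 192.168.65.67 any
"""
# Port keywords IOS accepts in place of numbers (only those needed here).
PORT_NAMES = {"www": 80, "telnet": 23, "domain": 53}


@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip", "tcp", "udp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: int | None             # None means any destination port

    def text(self) -> str:
        s = f"{self.action} {self.proto} {_addr(self.src)} {_addr(self.dst)}"
        return s if self.dport is None else f"{s} eq {self.dport}"


def _addr(net: ipaddress.IPv4Network) -> str:
    """Render a network the way IOS prints it: any / host A / A wildcard."""
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def _parse_addr(tok: list[str], i: int) -> tuple[ipaddress.IPv4Network, int]:
    """Consume one address spec at tok[i]; return (network, index after it)."""
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(f"{tok[i + 1]}/32"), i + 2
    # "address wildcard": ipaddress takes a contiguous hostmask as the mask.
    return ipaddress.IPv4Network((tok[i], tok[i + 1])), i + 2


def parse_acl(text: str) -> list[Ace]:
    """Parse 'access-list N ...' or bare 'permit/deny ...' lines, one ACE each."""
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if tok[0] == "access-list":
            tok = tok[2:]                         # drop "access-list 111"
        action, proto = tok[0], tok[1]
        src, i = _parse_addr(tok, 2)
        dst, i = _parse_addr(tok, i)
        dport = None
        if i < len(tok) and tok[i] == "eq":
            dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def to_named(name: str, aces: list[Ace], start: int = 10, step: int = 10) -> list[str]:
    """Render as a named extended ACL with explicit sequence numbers."""
    lines = [f"ip access-list extended {name}"]
    lines += [f" {start + n * step} {a.text()}" for n, a in enumerate(aces)]
    return lines


def removal_commands(name: str, aces: list[Ace], source: str, start: int = 10, step: int = 10) -> list[str]:
    """'no <seq>' for every ACE whose source is exactly `source`; assumes the
    list was installed with to_named() using the same start/step."""
    net = ipaddress.IPv4Network(source)
    cmds = [f"ip access-list extended {name}"]
    cmds += [f" no {start + n * step}" for n, a in enumerate(aces) if a.src == net]
    return cmds


def drop_source(aces: list[Ace], source: str) -> list[Ace]:
    """The list as it looks after removal_commands() has been applied."""
    net = ipaddress.IPv4Network(source)
    return [a for a in aces if a.src != net]


def merge(first: list[Ace], second: list[Ace]) -> list[Ace]:
    """Combine two lists for one interface/direction, dropping exact duplicates."""
    return first + [a for a in second if a not in first]


def evaluate(aces: list[Ace], proto: str, src: str, dst: str, dport: int | None = None) -> str:
    """First matching ACE decides; no match at all is the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for a in aces:
        if a.proto not in ("ip", proto):
            continue
        if s not in a.src or d not in a.dst:
            continue
        if a.dport is not None and a.dport != dport:
            continue
        return a.action
    return "deny"
```

to_named("inside-in", parse_acl(SAMPLE_ACL_111)) gives the named form with sequence numbers 10, 20, 30, ...; removal_commands("inside-in", acl, "192.168.65.0/29") gives the two "no" lines for that network, and the remaining entries keep their numbers, which is exactly what the numbered-list syntax in the question could not do. evaluate() applies the same first-match rule and trailing implicit deny as the router, so a packet that matched only the deleted lines shows "deny" afterwards, and one from an untouched network still shows "permit"; that is the check to run before pasting the change into the router.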
 
LVL 50

Expert Comment

by:Don Johnston
ID: 15651435
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:

RECOMMENDATION: Award points to JFrederick29

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

donjohnston
EE Cleanup Volunteer
