
How can we assign multiple access-groups to a single interface?

Hello all,
I have a Cisco 2600 series router. I have to make a lot of access-list entries on this router for interface Ethernet 0/0,
but on any interface I can put only one access-group in or out.
For example, if I have to put access-group 111 and access-group 112 on the same interface, I can't do that.


Is there any process so that I can put multiple access-groups on a single interface?

Second,
I just made only one access-group 111 on int ethernet 0/0 and
made that access-list:

interface Ethernet0
 
 ip address 192.168.64.1 255.255.255.0
 ip access-group 111 in
 ip nat inside
 ip route-cache flow
 half-duplex
!
access-list 111 permit tcp 192.168.65.0 0.0.0.7 host 203.78.172.34 eq www
access-list 111 permit udp 192.168.65.0 0.0.0.7 host 203.78.172.34 eq 80
access-list 111 permit tcp 192.168.65.0 0.0.0.7 host 203.78.173.25 eq telnet
access-list 111 permit tcp 192.168.65.0 0.0.0.7 host 195.27.162.31 eq www
access-list 111 permit tcp 192.168.65.0 0.0.0.7 host 195.27.162.31 eq 443
access-list 111 permit tcp 192.168.65.0 0.0.0.7 host 195.27.162.155 eq 443
access-list 111 permit udp 192.168.65.0 0.0.0.7 host 203.78.172.34 eq domain
access-list 111 permit tcp 192.168.65.16 0.0.0.7 host 195.27.162.155 eq 443
access-list 111 permit udp 192.168.65.16 0.0.0.7 host 203.78.172.34 eq domain
access-list 111 permit tcp 192.168.65.16 0.0.0.7 host 203.78.173.25 eq telnet
access-list 111 permit tcp 192.168.65.16 0.0.0.7 host 203.78.172.34 eq www
access-list 111 permit udp 192.168.65.16 0.0.0.7 host 203.78.172.34 eq 80
access-list 111 permit tcp 192.168.65.16 0.0.0.7 host 195.27.162.31 eq www
access-list 111 permit tcp 192.168.65.16 0.0.0.7 host 195.27.162.31 eq 443
access-list 111 permit ip 192.168.65.32 0.0.0.7 any
access-list 111 permit ip 192.168.64.0 0.0.0.255 any
access-list 111 permit tcp 192.168.65.24 0.0.0.7 host 203.78.172.34 eq www
access-list 111 permit udp 192.168.65.24 0.0.0.7 host 203.78.172.34 eq 80
access-list 111 permit udp 192.168.65.24 0.0.0.7 host 203.78.172.34 eq domain
access-list 111 permit tcp 192.168.65.24 0.0.0.7 host 203.78.173.25 eq telnet
access-list 111 permit tcp 192.168.65.24 0.0.0.7 host 195.27.162.31 eq www
access-list 111 permit tcp 192.168.65.24 0.0.0.7 host 195.27.162.31 eq 443
access-list 111 permit tcp 192.168.65.24 0.0.0.7 host 195.27.162.155 eq 443
access-list 111 permit tcp 192.168.65.64 0.0.0.31 host 203.78.172.34 eq www
access-list 111 permit udp 192.168.65.64 0.0.0.31 host 203.78.172.34 eq 80
access-list 111 permit udp 192.168.65.64 0.0.0.31 host 203.78.172.34 eq domain
access-list 111 permit tcp 192.168.65.64 0.0.0.31 host 203.78.173.25 eq telnet
access-list 111 permit tcp 192.168.65.64 0.0.0.31 host 195.27.162.31 eq www
access-list 111 permit tcp 192.168.65.64 0.0.0.31 host 195.27.162.31 eq 443
access-list 111 permit tcp 192.168.65.64 0.0.0.31 host 195.27.162.155 eq 443
access-list 111 permit ip host 192.168.65.67 any
access-list 111 permit ip host 192.168.65.68 any
access-list 111 permit ip host 192.168.65.69 any
access-list 111 permit ip host 192.168.65.70 any
access-list 111 permit ip host 192.168.65.71 any


I have that many access-list entries... My problem is that if I have to remove the entry for any one network, the whole access-list will be removed.
If I make separate access-lists like access-list 111 and access-list 222, I can't put all these access-lists on the single interface Ethernet 0/0.
Can you please help me solve this problem?


 
MarkDozierCommented:
First rule of access-lists:
ALWAYS HAVE A COPY. Do a cut and paste of the access list into Notepad. Save this as the original.
Now save the file as NEW Access-list. Make your modification and save this, but leave it open in Notepad. Do a copy of the new access list.
On the router, delete the access list and then paste the new access list into the router and test it. If it works, good; if not, you cut the new one and paste the original back until you figure out the problem.

The second answer to your question is a little more difficult and involves the use of Context Based Access Control.
So first you need to get a good grasp of the basics of access-lists, then you can start doing CBAC.
0
 
JFrederick29Commented:
You can only have one access-list inbound and one outbound per interface.  There is no way to change this.  If working with a large access-list use notepad like MarkDozier suggests to ease modification to the list.  You could also use named access lists which allow you to remove one line without removing the entire list.  The downside is that new statements append only to the bottom so you may end up using the notepad method anyway.  To use named access-lists, use the following command:

ip access-list extended <name>  (use whatever name you want, it is case sensitive)
permit tcp 192.168.65.0 0.0.0.7 host 203.78.172.34 eq www
permit tcp 192.168.65.0 0.0.0.7 host 203.78.173.25 eq telnet
...

To remove the second line without removing the entire list, you can do the following:

ip access-list extended <name>
no permit tcp 192.168.65.0 0.0.0.7 host 203.78.173.25 eq telnet

Only the one command will be removed, all others will remain.
0
 
Don JohnstonInstructorCommented:
You guys know we have sequence numbers on ACL's now, right?

I don't know about y'all, but I've been waiting YEARS for this.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122s/122snwft/release/122s14/fsaclseq.htm

-Don
0
 
PennGwynCommented:
We have sequence numbers ON RECENT VERSIONS of IOS.  All we know about this router is that it's a 2600 -- there's an awful lot of gear out there on 11.2 still....

0
 
sachhamAuthor Commented:
Hello all,

Thanks for your reply, but my problem is still the same if I do named access-lists like this:

ip access-list extended aaa
permit tcp 192.168.65.0 0.0.0.7 host 203.78.172.34 eq www
permit tcp 192.168.65.0 0.0.0.7 host 203.78.173.25 eq telnet

ip access-list extended bbb
permit tcp 192.168.64.0 0.0.0.7 host 203.78.172.34 eq www
permit tcp 192.168.64.0 0.0.0.7 host 203.78.173.25 eq telnet

In this scenario I can only put access-group aaa in/out or access-group bbb in/out on interface ethernet 0/0.
I can't put both the aaa and bbb access-lists on a single interface.
I want to put more than one access-group on a single interface. Is there any other command so that I can put more than one access-group on a single interface?

0
 
JFrederick29Commented:
Why not just combine the two lists?

ip access-list extended aaa
permit tcp 192.168.65.0 0.0.0.7 host 203.78.172.34 eq www
permit tcp 192.168.65.0 0.0.0.7 host 203.78.173.25 eq telnet
permit tcp 192.168.64.0 0.0.0.7 host 203.78.172.34 eq www
permit tcp 192.168.64.0 0.0.0.7 host 203.78.173.25 eq telnet

You can not add more than one access-list in the same direction on an interface.

0
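Merging two named lists into one, as this answer suggests, can be checked offline before the old list is deleted from the router (following MarkDozier's copy-first advice). The following Python is an added example, not code from the thread or from Cisco: it parses the ACL syntax quoted above (numbered or named form), evaluates a flow with Cisco's first-match and implicit-deny semantics, and reports flows on which two lists decide differently. The `aaa`/`bbb` entries are the ones quoted in the thread; the test flows are constructed.

```python
import ipaddress

PORT_NAMES = {"www": 80, "telnet": 23, "domain": 53}   # keywords used in the thread's ACL

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def _addr(t):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (addr, wildcard, tokens used)."""
    if t[0] == "any":
        return 0, 0xFFFFFFFF, 1
    if t[0] == "host":
        return _ip(t[1]), 0, 2
    return _ip(t[0]), _ip(t[1]), 2

def parse_ace(line: str) -> tuple:
    """Accept numbered ('access-list 111 permit ...') or named-list ('permit ...') syntax."""
    t = line.split()
    if t[0] == "access-list":
        t = t[2:]                                  # drop 'access-list <number>'
    src, sw, n = _addr(t[2:])
    dst, dw, m = _addr(t[2 + n:])
    rest = t[2 + n + m:]
    dport = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
    return (t[0], t[1], src, sw, dst, dw, dport)   # action, proto, src, src_wild, dst, dst_wild, dport

def _wild_match(addr: int, base: int, wild: int) -> bool:
    # A wildcard bit of 1 means "don't care", so compare only the bits where the mask is 0.
    return ((addr ^ base) & ~wild & 0xFFFFFFFF) == 0

def evaluate(acl: list, proto: str, src: str, dst: str, dport: int) -> str:
    """Cisco semantics: first matching entry wins; an implicit 'deny ip any any' ends every list."""
    s, d = _ip(src), _ip(dst)
    for action, p, a_src, a_sw, a_dst, a_dw, a_port in acl:
        if p in ("ip", proto) and _wild_match(s, a_src, a_sw) and _wild_match(d, a_dst, a_dw) \
                and (a_port is None or a_port == dport):
            return action
    return "deny"

def differing_flows(acl_a: list, acl_b: list, flows: list) -> list:
    """Flows on which two lists disagree; empty means the rewritten list behaves the same on them."""
    return [f for f in flows if evaluate(acl_a, *f) != evaluate(acl_b, *f)]

# Constructed sample: the 'aaa' and 'bbb' lists from the thread, merged into one list.
AAA = [parse_ace(l) for l in (
    "permit tcp 192.168.65.0 0.0.0.7 host 203.78.172.34 eq www",
    "permit tcp 192.168.65.0 0.0.0.7 host 203.78.173.25 eq telnet")]
BBB = [parse_ace(l) for l in (
    "permit tcp 192.168.64.0 0.0.0.7 host 203.78.172.34 eq www",
    "permit tcp 192.168.64.0 0.0.0.7 host 203.78.173.25 eq telnet")]
COMBINED = AAA + BBB
```

Because every entry here is a permit, the order of the merged list does not change any decision; once deny entries are mixed in, `differing_flows` is the check that catches an ordering mistake before the list is pasted back.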
 
Don JohnstonInstructorCommented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:

RECOMMENDATION: Award points to JFrederick29

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

donjohnston
EE Cleanup Volunteer
0
