
Cisco 1605-R

inf2300 asked (Medium Priority, 359 Views, Last Modified: 2010-04-17)
I have a 1605-R Cisco router. I need to shrink my configuration. I'm running Version 11.2.

Here is what my config looks like:

access-list 103 permit ip 10.0.0.1 0.0.0.255 host IP1
access-list 103 permit ip 10.0.0.1 0.0.0.255 host IP2
access-list 103 permit ip 10.0.0.1 0.0.0.255 host IP3
access-list 103 permit ip 10.0.0.1 0.0.0.255 host IP4

access-list 103 permit ip 10.0.0.21 0.0.0.255 host IP1
access-list 103 permit ip 10.0.0.21 0.0.0.255 host IP2
access-list 103 permit ip 10.0.0.21 0.0.0.255 host IP3
access-list 103 permit ip 10.0.0.21 0.0.0.255 host IP4

So I have this huge access list with random IPs which need to access the same 4 IPs. Is there any way to create a group?

Thanks

Les Moore, Sr. Systems Engineer (Certified Expert, Top Expert 2008) commented:
>access-list 103 permit ip 10.0.0.1 0.0.0.255 host IP4
>access-list 103 permit ip 10.0.0.21 0.0.0.255 host IP1

Since 10.0.0.1 and 10.0.0.21 are both covered by mask 0.0.0.255, all you need is one set of 4 lines:

 access-list 103 permit ip 10.0.0.0 0.0.0.255 host IP1
 access-list 103 permit ip 10.0.0.0 0.0.0.255 host IP2
 access-list 103 permit ip 10.0.0.0 0.0.0.255 host IP3
 access-list 103 permit ip 10.0.0.0 0.0.0.255 host IP4

Author commented:
Thanks for the reply...

I can't do that because it's specific IPs that need access and not the entire range. For example I would need access to 10.0.0.21, 10.0.0.36, 10.0.0.164. I know it would be very simple if I could put them in the same subnet but I can't. I don't control that network.

So is there any way to create a group that would contain IP1, IP2, IP3 & IP4 so that I would then have only one line per 10.0.0.0 IP? This would shrink my config by 75%.

Thanks
Les Moore, Sr. Systems Engineer (Certified Expert, Top Expert 2008) commented:
>access-list 103 permit ip 10.0.0.1 0.0.0.255 host IP4
Given the mask that you show here, "0.0.0.255", you are already including the entire range of 10.0.0.0/24.
There is no value in continuing with it the way it is.

You would have to change it to:
access-list 103 permit ip host 10.0.0.1 host IP1
access-list 103 permit ip host 10.0.0.1 host IP2
access-list 103 permit ip host 10.0.0.1 host IP3
access-list 103 permit ip host 10.0.0.1 host IP4
access-list 103 permit ip host 10.0.0.21 host IP1
access-list 103 permit ip host 10.0.0.21 host IP2
access-list 103 permit ip host 10.0.0.21 host IP3
access-list 103 permit ip host 10.0.0.21 host IP4

Given this, and given that there is no way to create a group for ACLs in IOS (you can with PIX FW), your best bet may be to choose a shorter list of IPs to allow. Instead of individual permits which allow all but a handful of hosts, how about the other way around: use a shorter list of denies and one permit:

access-list 103 deny ip host 10.0.0.13 host IP1
access-list 103 deny ip host 10.0.0.13 host IP2
access-list 103 deny ip host 10.0.0.13 host IP3
access-list 103 deny ip host 10.0.0.13 host IP4

access-list 103 deny ip host 10.0.0.22 host IP1
access-list 103 deny ip host 10.0.0.22 host IP2
access-list 103 deny ip host 10.0.0.22 host IP3
access-list 103 deny ip host 10.0.0.22 host IP4

access-list 103 permit ip 10.0.0.0 0.0.0.255 host IP1
access-list 103 permit ip 10.0.0.0 0.0.0.255 host IP2
access-list 103 permit ip 10.0.0.0 0.0.0.255 host IP3
access-list 103 permit ip 10.0.0.0 0.0.0.255 host IP4
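
As an added illustration (not code from the thread), the following Python evaluates Cisco wildcard-mask access-list entries the way IOS does, first match wins with an implicit deny at the end. It shows that the original "10.0.0.1 0.0.0.255" entries already permit the whole 10.0.0.0/24, and how the deny-then-permit list above behaves for a denied host, an allowed host and a host outside the /24. The address 192.0.2.1 and the two sample lists are constructed stand-ins for IP1.

```python
import ipaddress
from dataclasses import dataclass
@dataclass
class Ace:
    action: str     # "permit" or "deny"
    src: int        # address as an int
    src_wild: int   # wildcard mask: 0 bit = must match, 1 bit = don't care
    dst: int
    dst_wild: int

def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))

def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny ip SRC DST', each side 'host A' or 'A WILDCARD'."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny") or tok[3] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    def side(i):
        if tok[i] == "host":                 # 'host X' is shorthand for 'X 0.0.0.0'
            return _ip(tok[i + 1]), 0, i + 2
        return _ip(tok[i]), _ip(tok[i + 1]), i + 2
    src, src_wild, i = side(4)
    dst, dst_wild, _ = side(i)
    return Ace(tok[2], src, src_wild, dst, dst_wild)

def _matches(addr: int, wild: int, pkt: int) -> bool:
    care = ~wild & 0xFFFFFFFF               # the bits the entry actually compares
    return (pkt & care) == (addr & care)

def evaluate(acl: list, src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    s, d = _ip(src), _ip(dst)
    for ace in acl:
        if _matches(ace.src, ace.src_wild, s) and _matches(ace.dst, ace.dst_wild, d):
            return ace.action
    return "deny"

# Constructed sample lists; 192.0.2.1 is a stand-in for the thread's IP1.
ORIGINAL = [parse_ace(text) for text in (
    "access-list 103 permit ip 10.0.0.1 0.0.0.255 host 192.0.2.1",
    "access-list 103 permit ip 10.0.0.21 0.0.0.255 host 192.0.2.1")]
DENY_THEN_PERMIT = [parse_ace(text) for text in (
    "access-list 103 deny ip host 10.0.0.13 host 192.0.2.1",
    "access-list 103 deny ip host 10.0.0.22 host 192.0.2.1",
    "access-list 103 permit ip 10.0.0.0 0.0.0.255 host 192.0.2.1")]

if __name__ == "__main__":
    for host in ("10.0.0.1", "10.0.0.13", "10.0.0.22", "10.0.1.5"):
        print(host, evaluate(ORIGINAL, host, "192.0.2.1"), evaluate(DENY_THEN_PERMIT, host, "192.0.2.1"))
```

Running it shows 10.0.0.13 permitted by the original list even though it was never listed, which is the point made above about the 0.0.0.255 mask.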