Solved

Cisco 1605-R

Posted on 2006-10-23
Last Modified: 2010-04-17
I have a 1605-R Cisco Router. I need to shrink my configuration. I'm running Version 11.2.

Here is what my config looks like

access-list 103 permit ip 10.0.0.1 0.0.0.255 host IP1
access-list 103 permit ip 10.0.0.1 0.0.0.255 host IP2
access-list 103 permit ip 10.0.0.1 0.0.0.255 host IP3
access-list 103 permit ip 10.0.0.1 0.0.0.255 host IP4

access-list 103 permit ip 10.0.0.21 0.0.0.255 host IP1
access-list 103 permit ip 10.0.0.21 0.0.0.255 host IP2
access-list 103 permit ip 10.0.0.21 0.0.0.255 host IP3
access-list 103 permit ip 10.0.0.21 0.0.0.255 host IP4

So I have this huge access list with random IPs which need to access the same 4 IPs. Is there any way to create a group?

Thanks
0
Question by:inf2300
5 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 17791894
>access-list 103 permit ip 10.0.0.1 0.0.0.255 host IP4
>access-list 103 permit ip 10.0.0.21 0.0.0.255 host IP1

Since 10.0.0.1 and 10.0.0.21 are both covered by mask 0.0.0.255, all you need is one set of 4 lines:

 access-list 103 permit ip 10.0.0.0 0.0.0.255 host IP1
 access-list 103 permit ip 10.0.0.0 0.0.0.255 host IP2
 access-list 103 permit ip 10.0.0.0 0.0.0.255 host IP3
 access-list 103 permit ip 10.0.0.0 0.0.0.255 host IP4

0
 

Author Comment

by:inf2300
ID: 17795346
Thanks for the reply...

I can't do that because it's punctual IPs that need access and not the entire range. For example I would need access to 10.0.0.21, 10.0.0.36, 10.0.0.164. I know it would be very simple if I could put them in the same subnet but I can't. I don't control that network.

So is there any way to create a group that would contain IP1, IP2, IP3 & IP4 so that I would only then have one line per 10.0.0.0 IP? This would shrink my config by 75%.

Thanks
0
 
LVL 79

Accepted Solution

by: lrmoore earned 500 total points
ID: 17795419
>access-list 103 permit ip 10.0.0.1 0.0.0.255 host IP4
Given the mask that you show here "0.0.0.255" you are already including the entire range of 10.0.0.0/24.
There is no value in continuing with it the way it is.

You would have to change it to:
access-list 103 permit ip host 10.0.0.1 host IP1
access-list 103 permit ip host 10.0.0.1 host IP2
access-list 103 permit ip host 10.0.0.1 host IP3
access-list 103 permit ip host 10.0.0.1 host IP4
access-list 103 permit ip host 10.0.0.21 host IP1
access-list 103 permit ip host 10.0.0.21 host IP2
access-list 103 permit ip host 10.0.0.21 host IP3
access-list 103 permit ip host 10.0.0.21 host IP4

Given this, and given that there is no way to create a group for ACLs in IOS (you can with the PIX FW), your best bet may be to choose a shorter list of IPs to allow. Instead of individual permits which allow all but a handful of hosts, how about the other way around - use a shorter list of deny and one permit:

access-list 103 deny ip host 10.0.0.13 host IP1
access-list 103 deny ip host 10.0.0.13 host IP2
access-list 103 deny ip host 10.0.0.13 host IP3
access-list 103 deny ip host 10.0.0.13 host IP4

access-list 103 deny ip host 10.0.0.22 host IP1
access-list 103 deny ip host 10.0.0.22 host IP2
access-list 103 deny ip host 10.0.0.22 host IP3
access-list 103 deny ip host 10.0.0.22 host IP4

access-list 103 permit ip 10.0.0.0 0.0.0.255 host IP1
access-list 103 permit ip 10.0.0.0 0.0.0.255 host IP2
access-list 103 permit ip 10.0.0.0 0.0.0.255 host IP3
access-list 103 permit ip 10.0.0.0 0.0.0.255 host IP4


0
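As an added illustration (not code from the thread), this small Python wildcard-mask evaluator shows the point lrmoore makes: with a wildcard of 0.0.0.255 the last source octet is ignored, so the original entries already permit every host in 10.0.0.0/24, whereas the `host` form permits only the listed sources. 192.0.2.1 is a constructed stand-in for the page's IP1 placeholder.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    action: str          # "permit" or "deny"
    src: tuple           # (address_int, wildcard_int)
    dst: tuple

def _parse_addr(tokens, i):
    """Parse 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' (address + wildcard) at tokens[i]."""
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (addr, wild), i + 2

def parse_acl(text):
    """Parse lines of the form: access-list <n> <permit|deny> ip <src> <dst>."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t:
            continue
        src, i = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, i)
        aces.append(Ace(t[2], src, dst))
    return aces

def _matches(addr, spec):
    base, wild = spec
    care = ~wild & 0xFFFFFFFF          # wildcard bit 1 means "don't care"
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def evaluate(aces, src, dst):
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    for ace in aces:
        if _matches(src, ace.src) and _matches(dst, ace.dst):
            return ace.action
    return "deny"

# Constructed sample lists; 192.0.2.1 stands in for the page's IP1.
ORIGINAL = parse_acl("""
access-list 103 permit ip 10.0.0.1 0.0.0.255 host 192.0.2.1
access-list 103 permit ip 10.0.0.21 0.0.0.255 host 192.0.2.1
""")
HOST_BASED = parse_acl("""
access-list 103 permit ip host 10.0.0.1 host 192.0.2.1
access-list 103 permit ip host 10.0.0.21 host 192.0.2.1
""")
```

Evaluating an unlisted source such as 10.0.0.200 against ORIGINAL returns "permit", against HOST_BASED it returns "deny", which is the over-permissive behaviour the accepted answer warns about.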
