• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 318
  • Last Modified:

Cisco 1605-R

I have a 1605-R Cisco Router. I need to shrink my configuration.. I'm running Version 11.2

Here is what my config looks like

access-list 103 permit ip 10.0.0.1 0.0.0.255 host IP1
access-list 103 permit ip 10.0.0.1 0.0.0.255 host IP2
access-list 103 permit ip 10.0.0.1 0.0.0.255 host IP3
access-list 103 permit ip 10.0.0.1 0.0.0.255 host IP4

access-list 103 permit ip 10.0.0.21 0.0.0.255 host IP1
access-list 103 permit ip 10.0.0.21 0.0.0.255 host IP2
access-list 103 permit ip 10.0.0.21 0.0.0.255 host IP3
access-list 103 permit ip 10.0.0.21 0.0.0.255 host IP4

So i have this huge access list with random IPs which need to access the same 4 IPs. Is there anyway to create a group??

Thanks
0
inf2300
Asked:
inf2300
  • 2
1 Solution
 
lrmooreCommented:
>access-list 103 permit ip 10.0.0.1 0.0.0.255 host IP4
>access-list 103 permit ip 10.0.0.21 0.0.0.255 host IP1

Since 10.0.0.1 and 10.0.0.21 are both covered by mask 0.0.0.255, then
All you need is one set of 4 lines:

 access-list 103 permit ip 10.0.0.0 0.0.0.255 host IP1
 access-list 103 permit ip 10.0.0.0 0.0.0.255 host IP2
 access-list 103 permit ip 10.0.0.0 0.0.0.255 host IP3
 access-list 103 permit ip 10.0.0.0 0.0.0.255 host IP4




0
 
inf2300Author Commented:
Thanks for the reply...

I can't do that because it's punctual IPs that need access and not the entire range. For example i would need to access to 10.0.0.21, 10.0.0.36, 10.0.0.164. I know it would be very simple if i could put them in the same subnet but i can't. I don't control that network.

So is there anyway to create a group that would contain IP1, IP2, IP3 & IP4 so that i would only then have one line per 10.0.0.0 IP. This would shrink my config by 75%

Thanks
0
 
lrmooreCommented:
>access-list 103 permit ip 10.0.0.1 0.0.0.255 host IP4
Given the mask that you show here "0.0.0.255" you are already including the entire range of 10.0.0.0/24.
There is no value in continuing with it the way it is.

You would have to change it to:
access-list 103 permit ip host 10.0.0.1 host IP1
access-list 103 permit ip host 10.0.0.1 host IP2
access-list 103 permit ip host 10.0.0.1 host IP3
access-list 103 permit ip host 10.0.0.1 host IP4
access-list 103 permit ip host 10.0.0.21 host IP1
access-list 103 permit ip host 10.0.0.21 host IP2
access-list 103 permit ip host 10.0.0.21 host IP3
access-list 103 permit ip host 10.0.0.21 host IP4

Given this, and given that there is not way to create a group for acls in IOS (you can with PIX FW), your best bet may be to choose a shorter list of IPs to allow. Instead of inividual permits which allows all but a handful of hosts, how about the other way around - use a shorter list of deny and one permit:

access-list 103 deny ip host 10.0.0.13 host IP1
access-list 103 deny ip host 10.0.0.13 host IP2
access-list 103 deny ip host 10.0.0.13 host IP3
access-list 103 deny ip host 10.0.0.13 host IP4

access-list 103 deny ip host 10.0.0.22 host IP1
access-list 103 deny ip host 10.0.0.22 host IP2
access-list 103 deny ip host 10.0.0.22 host IP3
access-list 103 deny ip host 10.0.0.22 host IP4

access-list 103 permit ip 10.0.0.0 0.0.0.255 host IP1
access-list 103 permit ip 10.0.0.0 0.0.0.255 host IP2
access-list 103 permit ip 10.0.0.0 0.0.0.255 host IP3
access-list 103 permit ip 10.0.0.0 0.0.0.255 host IP4


0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now