Cisco Router ACLs - Add entry

Posted on 2012-08-14
Last Modified: 2012-08-18
I haven't done anything with Cisco routers in years, but since the person that normally does this is out, I need to update an ACL on the router. This is what I have:

An inbound ACL called "ip access-group 101 in" under a GB interface in the config.  There are a bunch of rules in the config in the following format:

access-list 101 permit tcp host host eq domain

What I'd like to do is simply add another rule to the end that blocks anything from  I remember something about having to completely get rid of the ACL then cut and paste from a text file.  But is this necessary if I just want to append to the 101 ACL? Will this work ok (just add to the end of 101):

Router> enable
Router# config t
Router(config)# access-list 101 deny ip any
Router# show access-list 101

I just want to make sure I'm not missing anything.  I don't want to inadvertently take down the whole ACL. I may also need to add a few rules to allow a new system to access dns servers as well:

Router(config)# access-list 101 permit tcp host host eq domain
Router(config)# access-list 101 permit udp host host eq domain

Router is a Cisco 2821 Version 12.1
Question by:credog

    Assisted Solution

    If you're updating an ACL from the CLI you need to get rid of it with the "no" command and then put in the updated ACL.  In this case, you're appending so your command will work.  Note, when updating from the CLI the ACL will be added to the end of the config.  And the router processes from the top down.

    Should your netmask be rather than

    Expert Comment

    access-list 101 deny ip mask any any
    access-list 101 permit tcp host mask host mask eq domain
    access-list 101 permit udp host mask host mask eq domain


    Author Comment

    I think when using Cisco ACLs, the wildcard mask is used. In this case indicates the host only? I guess I could also use:
    Router(config)# access-list 101 deny ip host any

    I want to make sure the series of commands I specified above are correct, will block all traffic and will add the rule to the end of access-list 101.

    Accepted Solution

    The answer is NO, you don't have to delete an unnamed ACL of that type to append to the end of it. But the problem is that there will likely be a "permit" before the end of the ACL already, that will override the DENY you are about to add to the end; if the ACL ends with a "permit any" your appended DENY might actually not even be added.

    That's why you could need to paste the contents into notepad,  and either delete and re-create the list, OR  create a new ACL with a new number, with the changes you want,  and then update all the references to point to the new ACL.

    The latter needs to be done,  unless deleting the ACL and then re-creating with the very first statement will not lock you out or cause a network disruption.

    Entering  a command like
    access-list 101 deny host any
    for example

    Will append an entry to access-list 101. However, if no entry in the original access-list matches, the default is DENY, so if the access list in its current form isn't already denying what you want, there must be a PERMIT earlier in the list, and appending a Deny to the end is not going to fix it.

    That is, if "" is already permitted by the ACL, appending "deny" to the end is not going to stop it. The only case where it makes sense to append a DENY line to an ACL is that there is no PERMIT earlier in the list that matches, and you intend to append a PERMIT after the DENY; the order of the ACL entries matters, earliest match in the list wins.

    Entries are processed in the order listed in the acl;
    as soon as a "PERMIT" or "DENY" line is matched,  processing of the access list stops.
    If there is no match, the response is a DENY.

    "I think when using Cisco ACLs, the wildcard mask is used. In this case indicates the host only?"

    On Cisco routers and switches this is correct; the mask used on an ACL is a wildcard mask,  and in an ACL is a /32.   One procedure for converting a network mask to a wildcard mask is to subtract  the value of each octet from 255.

    On  Firewalls such as the PIX or ASA,   the ACL mask value is a network mask,  not a wildcard mask,  so beware.

    Do this:

    show access-list 101

    On some routers, you will see the following
    Extended IP access list 101:
        10  ......
        20 .......
        30 ........
        40 ..........

    If you do  see the numbers in front of each entry, then that means your router supports the feature referred to as "numbered access lists",  and access-list 101 has been numbered

    You could then do

    conf t
    ip access-list extended 101
    5 deny ip host any

    To insert an entry at position 5

    And similarly

    "no 20"
    to delete the access list entry that has that number listed in front of it.

    For access lists in the standard range   e.g.  access-list number 50   that would be
    "ip access-list standard 50"

    On some router platforms, and also on older versions of IOS, numbered access lists are not supported, and you may have to resort to more inconvenient measures to edit entries in an existing ACL (other than appending to the end).
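A small simulator of the ACL behaviour described in this answer (entries processed in sequence order, first match wins, implicit deny at the end, wildcard masks where 0.0.0.0 means a single host, and insertion by sequence number), added here as an example and not part of the original thread. The addresses and the contents of ACL 101 are constructed for the example; the entry layout and helper names are assumptions.

```python
import ipaddress

def wildcard_from_netmask(netmask: str) -> str:
    """Cisco wildcard mask: subtract each octet of the network mask from 255."""
    return ".".join(str(255 - int(o)) for o in netmask.split("."))

def _matches(addr: str, base: str, wildcard: str) -> bool:
    """A wildcard bit of 1 means 'don't care'; wildcard 0.0.0.0 is one host (/32)."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

# An ACL entry is (seq, action, proto, src, src_wildcard, dst, dst_wildcard); proto "ip" matches all.
def evaluate(acl, proto: str, src: str, dst: str):
    """Walk entries in sequence order; the first match wins; no match is the implicit deny."""
    for seq, action, p, s, sw, d, dw in sorted(acl):
        if p in ("ip", proto) and _matches(src, s, sw) and _matches(dst, d, dw):
            return action, seq
    return "deny", None

def append_entry(acl, entry):
    """An entry given without a sequence number goes to the end with the next multiple of 10."""
    seq = (max((e[0] for e in acl), default=0) // 10 + 1) * 10
    acl.append((seq,) + entry)
    return seq

def insert_entry(acl, seq: int, entry) -> bool:
    """Insert at an explicit sequence number; a duplicate is refused, as IOS does."""
    if any(e[0] == seq for e in acl):
        return False  # IOS prints "% Duplicate sequence number"
    acl.append((seq,) + entry)
    return True

# Constructed ACL 101: one DNS permit for a host, then a trailing "permit ip any any".
ANY = ("0.0.0.0", "255.255.255.255")
acl101 = [
    (10, "permit", "udp", "10.1.1.5", "0.0.0.0", "10.1.1.53", "0.0.0.0"),
    (20, "permit", "ip", *ANY, *ANY),
]
BAD_HOST = "192.0.2.77"  # constructed address the asker wants to block

def appended_deny_is_shadowed():
    acl = list(acl101)
    append_entry(acl, ("deny", "ip", BAD_HOST, "0.0.0.0", *ANY))   # lands at seq 30, after the permit
    return evaluate(acl, "tcp", BAD_HOST, "10.1.1.10")[0]            # still "permit"

def inserted_deny_at_5_blocks():
    acl = list(acl101)
    insert_entry(acl, 5, ("deny", "ip", BAD_HOST, "0.0.0.0", *ANY))  # "ip access-list extended 101" / "5 deny ..."
    return evaluate(acl, "tcp", BAD_HOST, "10.1.1.10")               # ("deny", 5)
```

The same host is permitted when the deny is appended after the trailing permit and denied when the deny is inserted at sequence 5, which is the ordering point the answer makes.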

    Assisted Solution

    If your router supports NACL (Numbered ACLs as stated by Mysidia) then you can append the ACL without having to use the conventional method (copy/paste).

    Append ACL by inserting lines with seq numbers:

    Router (config)# ip access-list 101 extended
    Router (config-ext-nacl) 55 deny ip any
    Router (config-ext-nacl) 65 permit tcp host host eq domain
    Router (config-ext-nacl) 75 permit udp host host eq domain

    Most likely you may have a

    permit any any

    line at the end so make sure it stays last if it is being specified (otherwise you will cause more problems than you need to)

    Make sure you use seq numbers to insert the lines you want to append where the seq # does not match a previous line. Do NOT use the same seq # or you will overwrite something.

    As always, make sure you back up your configs before making changes you're not sure about (trusty notepad).

    Router # show run | include access-list 101

    to show only the lines in access-list 101 and copy that info to notepad (it may come in handy).

    Author Closing Comment

    Great feedback. Thanks.

    Expert Comment

    Well, I would not suggest you try and create a duplicate sequence number on a production router, but it should fail if you try; which is to say, at least as of IOS 12.3, you cannot do that.

    routerXC9(config-ext-nacl)#20 permit tcp any any  eq 80
    % Duplicate sequence number
    routerXC9(config-ext-nacl)#do show access-list 105
    Extended IP access list 105
        10 permit ip host  any (90162 matches)
        20 permit ip host any (587 matches)
    routerXC9(config-ext-nacl)#do show run | inc access-list 105
    access-list 105 permit ip host any
    access-list 105 permit ip host any

    Use   "show access-list (NUMBER)"
    to see the existing sequence numbers.

    Show 'run'   will not in general list the sequence numbers of the NACL,
    because the sequence numbers are not part of the configuration.

    When configuring, in config-ext-nacl mode, if you specify no sequence number at all, just the "permit" or "deny" statement, then the new entry will be added to the very end, and the appended entry will have a sequence number divisible by 10, for example "10 20 30 40 50 60 70 80 90 100....".

    Note that upon reboot, the sequence numbers will also be renumbered in that manner, spaced out by 10, so don't go and try to build out a complex numbering scheme.
