Cisco Router ACLs - Add entry

Posted on 2012-08-14
Medium Priority
Last Modified: 2012-08-18
I haven't done anything with Cisco routers in years, but since the person who normally does this is out, I need to update an ACL on the router.  This is what I have:

An inbound ACL called "ip access-group 101 in" under a GB interface in the config.  There are a bunch of rules in the config in the following format:

access-list 101 permit tcp host host eq domain

What I'd like to do is simply add another rule to the end that blocks anything from  I remember something about having to completely get rid of the ACL then cut and paste from a text file.  But is this necessary if I just want to append to the 101 ACL? Will this work ok (just add to the end of 101):

Router> enable
Router# config t
Router(config)# access-list 101 deny ip any
Router# show access-list 101

I just want to make sure I'm not missing anything.  I don't want to inadvertently take down the whole ACL. I may also need to add a few rules to allow a new system to access dns servers as well:

Router(config)# access-list 101 permit tcp host host eq domain
Router(config)# access-list 101 permit udp host host eq domain

Router is a Cisco 2821 Version 12.1
Question by:credog

Assisted Solution

xDUCKx earned 100 total points
ID: 38292339
If you're updating an ACL from the CLI you need to get rid of it with the "no" command and then put in the updated ACL.  In this case, you're appending so your command will work.  Note, when updating from the CLI the ACL will be added to the end of the config.  And the router processes from the top down.

Should your netmask be rather than

Expert Comment

ID: 38292348
access-list 101 deny ip mask any any

 access-list 101 permit tcp host mask host mask eq domain
access-list 101 permit udp host mask host mask eq domain



Author Comment

ID: 38292912
I think when using Cisco ACLs, the wildcard mask is used.  In this case indicates the host only?  I guess I could also use:
Router(config)# access-list 101 deny ip host any


I want to make sure the series of commands I specified above are correct, will block all traffic and will add the rule to the end of access-list 101.

Accepted Solution

Mysidia earned 1000 total points
ID: 38294965
The answer is NO, you don't have to delete an unnamed ACL of that type to append to the end of it. But the problem is that there will likely be a "permit"   before the end of the ACL already,  that will override the DENY you are about to add to the end;   if   the ACL ends with a "permit any"  your appended DENY might actually not even be added.

That's why you could need to paste the contents into notepad,  and either delete and re-create the list, OR  create a new ACL with a new number, with the changes you want,  and then update all the references to point to the new ACL.

The latter needs to be done,  unless deleting the ACL and then re-creating with the very first statement will not lock you out or cause a network disruption.

Entering  a command like
access-list 101 deny host any
for example

Will append an entry to access-list 101.   However, if no entry in the original access-list matches, the default is DENY, so if the access list in its current form isn't already denying what you want, there must be a PERMIT earlier in the list, and appending a Deny to the end is not going to fix it.

That is if  ""  is already permitted by the ACL,  appending   "deny"  to the end is not going to stop it.       The only case where it makes sense to append a  DENY line to an ACL is    that there is no PERMIT earlier in the list that matches,  and you   intend to append a PERMIT after the DENY;   the order of the ACL entries matters,   earliest match in the list wins.

Entries are processed in the order listed in the acl;
as soon as a "PERMIT" or "DENY" line is matched,  processing of the access list stops.
If there is no match, the response is a DENY.

"I think when using  Cisco ACLS, the wildcard mask is used.  In this case indicates the host only?"

On Cisco routers and switches this is correct; the mask used on an ACL is a wildcard mask,  and in an ACL is a /32.   One procedure for converting a network mask to a wildcard mask is to subtract  the value of each octet from 255.

On  Firewalls such as the PIX or ASA,   the ACL mask value is a network mask,  not a wildcard mask,  so beware.

Do this:

show access-list 101

On some routers, you will see the following
Extended IP access list 101:
    10  ......
    20 .......
    30 ........
    40 ..........

If you do see the numbers in front of each entry, then that means your router supports the feature referred to as "numbered access lists", and access-list 101 has been numbered.

You could then do

conf t
ip access-list extended 101
5 deny ip host any

To insert an entry at position 5

And similarly

"no 20"
to delete the access list entry   that has that number  listed in front of it.

For access lists in the standard range   e.g.  access-list number 50   that would be
"ip access-list standard 50"

On some router platforms, and also on older versions of IOS,
numbered access lists are not supported,    and you may have to resort
to more inconvenient measures to edit entries in an existing ACL
(other than appending to the end)

Assisted Solution

stilldmoney earned 900 total points
ID: 38295017
If your router supports NACL (Numbered ACLs as stated by Mysidia) then you can append the ACL without having to use the conventional method (copy/paste).

Append ACL by inserting lines with seq numbers:

Router(config)# ip access-list extended 101
Router(config-ext-nacl)# 55 deny ip any
Router(config-ext-nacl)# 65 permit tcp host host eq domain
Router(config-ext-nacl)# 75 permit udp host host eq domain

Most likely you may have a

permit any any

line at the end so make sure it stays last if it is being specified (otherwise you will cause more problems than you need to)

Make sure you use seq numbers to insert the lines you want to append where the seq # does not match a previous line. Do NOT use the same seq # or you will overwrite something.

As always, make sure you back up your configs before making changes you're not sure about (trusty notepad).

Router # show run | include access-list 101

to show only the lines in access-list 101 and copy that info to notepad (it may come in handy).

Author Closing Comment

ID: 38306590
Great feedback. Thanks.

Expert Comment

ID: 38307087
Well, I would not suggest you try and create a duplicate sequence number on a production router,  but it should fail if you try;  which is to say at least as of IOS 12.3,  you cannot do that.

routerXC9(config-ext-nacl)#20 permit tcp any any  eq 80
% Duplicate sequence number
routerXC9(config-ext-nacl)#do show access-list 105
Extended IP access list 105
    10 permit ip host  any (90162 matches)
    20 permit ip host any (587 matches)
routerXC9(config-ext-nacl)#do show run | inc access-list 105
access-list 105 permit ip host any
access-list 105 permit ip host any

Use   "show access-list (NUMBER)"
to see the existing sequence numbers.

Show 'run'   will not in general list the sequence numbers of the NACL,
because the sequence numbers are not part of the configuration.

When configuring, in config-ext-nacl mode, if you specify no sequence number at all just the "permit" or "deny" statement;  then  the new entry will be added to the very end,  and the appended entry will have a sequence number divisible by 10,  for example  "10 20 30 40 50 60 70 80 90 100....".

Note that upon reboot, the sequence numbers will also be renumbered, in that manner,  spaced out by 10,   so don't go and try   to build out a complex numbering scheme.
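To make the top-down, first-match evaluation, the wildcard-mask rule and the sequence-number behaviour described in the accepted solution and the comment above concrete, here is a small Python model written for this page (it is not any poster's code and not IOS itself). It assumes a toy ExtendedAcl class, models only addresses and the ip/tcp/udp protocol keyword (no ports), and uses constructed RFC 5737 example addresses.

```python
import ipaddress

def netmask_to_wildcard(mask: str) -> str:
    """Cisco IOS ACL wildcard mask: each octet is 255 minus the netmask octet."""
    return ".".join(str(255 - int(octet)) for octet in mask.split("."))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 1 bit in the wildcard means 'do not care'; only the 0 bits must match."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

class ExtendedAcl:
    """Toy model of an IOS extended ACL with sequence numbers (constructed for illustration).
    Entries are (action, proto, src, src_wildcard, dst, dst_wildcard); ports are not modelled."""
    def __init__(self):
        self.entries = {}  # sequence number -> entry

    def add(self, action, proto, src, src_wc, dst, dst_wc, seq=None):
        if seq is None:  # no sequence given: append at the next multiple of 10, as IOS does
            seq = (max(self.entries, default=0) // 10 + 1) * 10
        elif seq in self.entries:  # IOS refuses to overwrite an existing sequence number
            raise ValueError("% Duplicate sequence number")
        self.entries[seq] = (action, proto, src, src_wc, dst, dst_wc)
        return seq

    def evaluate(self, proto, src, dst):
        """Top-down, first match wins; no match falls through to the implicit deny."""
        for seq in sorted(self.entries):
            action, p, s, swc, d, dwc = self.entries[seq]
            if p in ("ip", proto) and wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
                return action, seq
        return "deny", None

ANY = ("0.0.0.0", "255.255.255.255")   # "any" is address 0.0.0.0 with wildcard 255.255.255.255

def shadowed_deny_demo():
    """Constructed scenario: appending a deny behind 'permit ip any any' never takes effect."""
    acl = ExtendedAcl()
    acl.add("permit", "ip", *ANY, *ANY)                                   # seq 10
    appended = acl.add("deny", "ip", "192.0.2.10", "0.0.0.0", *ANY)       # seq 20, shadowed
    after_append = acl.evaluate("udp", "192.0.2.10", "198.51.100.53")     # ('permit', 10)
    acl.add("deny", "ip", "192.0.2.10", "0.0.0.0", *ANY, seq=5)           # insert before the permit
    after_insert = acl.evaluate("udp", "192.0.2.10", "198.51.100.53")     # ('deny', 5)
    return appended, after_append, after_insert
```

Run shadowed_deny_demo() to see the appended deny (sequence 20) lose to the earlier permit, and the same deny inserted at sequence 5 take effect; adding a second entry with an already-used sequence number raises the same "% Duplicate sequence number" rejection the router prints.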
