Extended IP Access-list

As we all learned on the way to the CCNA, there are many different types of access-list. In practice the most commonly used are IP access-lists.

The major difference between an IP standard access-list and an IP extended access-list is the ability to insert and remove individual entries within the ACL. When an entry has to be removed from a standard ACL, the entire ACL needs to be removed and added again, the second time of course without the ACE that needed removal.

An extended ACL takes slightly more steps but has some major benefits. Say you have the following ACL:

access-list 130 permit ip host 1.1.1.1 host 99.99.99.99
access-list 130 permit ip host 3.3.3.3 any
access-list 130 deny ip any any

And the entry “permit ip host 3.3.3.3 any” must be replaced with “permit ip host 3.3.3.3 host 99.99.99.99”.

The steps to take are:

  • Obtain information about the ‘rule number’ (sequence number)
  • Insert new ACE
  • Remove wrong ACE
  • Resequence rule numbers

Obtain rule number information

R4#sh access-lists 130
Extended IP access list 130
 10 permit ip host 1.1.1.1 host 99.99.99.99
 20 permit ip host 3.3.3.3 any
 30 deny ip any any

Insert new ACE

Sequence numbers 11 through 19 are free to use, as are 21 through 29. Let's use number 15.

R4#conf
*Feb 19 13:13:35.871: %SYS-5-CONFIG_I: Configured from console by console
R4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R4(config)#ip access-list extended 130 
R4(config-ext-nacl)#15 permit ip host 3.3.3.3 host 99.99.99.99
R4(config-ext-nacl)#end
R4#
*Feb 19 13:14:24.206: %SYS-5-CONFIG_I: Configured from console by console
R4#sh access-lists 130 
Extended IP access list 130
 10 permit ip host 1.1.1.1 host 99.99.99.99
 15 permit ip host 3.3.3.3 host 99.99.99.99
 20 permit ip host 3.3.3.3 any
 30 deny ip any any

Remove wrong ACE

The ACE that needs removal has sequence number 20. Removal is as easy as “no 20” within the access-list. Because the replacement ACE (15) is already in place before 20 is removed, traffic from 3.3.3.3 to 99.99.99.99 keeps matching a permit throughout; inserting before removing is what keeps the change hitless.

R4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R4(config)#ip access-list extended 130 
R4(config-ext-nacl)#no 20
R4(config-ext-nacl)#exit
R4(config)#end 
*Feb 19 13:18:32.452: %SYS-5-CONFIG_I: Configured from console by console
R4#sh ip access-lists 130 
Extended IP access list 130
 10 permit ip host 1.1.1.1 host 99.99.99.99
 15 permit ip host 3.3.3.3 host 99.99.99.99
 30 deny ip any any
R4#

The sequence numbers are now uneven (10, 15, 30). This needs a little repair.

Resequence rule numbers

The repair command is:

ip access-list resequence

R4#
*Feb 19 13:22:42.838: %SYS-5-CONFIG_I: Configured from console by console
R4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R4(config)#ip access-list resequence 130 10 10
R4(config)#end
R4#sh 
*Feb 19 13:23:12.473: %SYS-5-CONFIG_I: Configured from console by console

R4#sh access-list 130 
Extended IP access list 130
 10 permit ip host 1.1.1.1 host 99.99.99.99
 20 permit ip host 3.3.3.3 host 99.99.99.99
 30 deny ip any any
R4#
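As an added example (not from the original post), here is a small Python helper that parses the “show access-lists” listing above, picks a free sequence number in front of the ACE being replaced, and emits the IOS commands in the same order as the steps of this post. It also covers a case the post does not hit: when the neighbouring sequence numbers leave no gap, it resequences first, since that too leaves the ACL applied. The function names and the sample listing are constructed for this example.

```python
import re

# One ACE line of 'show access-lists' output, e.g. " 20 permit ip host 3.3.3.3 any (5 matches)"
ACE_RE = re.compile(r"^\s*(\d+)\s+((?:permit|deny)\b.*?)(?:\s+\(\d+ match(?:es)?\))?\s*$")

def parse_show_access_list(text):
    """Return [(sequence, ace), ...] parsed from 'show access-lists <number>' output."""
    return [(int(m.group(1)), m.group(2)) for m in map(ACE_RE.match, text.splitlines()) if m]

def resequence(entries, start=10, step=10):
    """Model the renumbering done by 'ip access-list resequence <acl> <start> <step>'."""
    return [(start + i * step, ace) for i, (_, ace) in enumerate(entries)]

def free_seq_before(entries, target_seq):
    """A free sequence number between the ACE preceding target_seq and target_seq, or None."""
    prev = 0
    for seq, _ in entries:
        if seq == target_seq:
            return prev + (seq - prev) // 2 if seq - prev > 1 else None
        prev = seq
    raise ValueError(f"sequence {target_seq} not in ACL")

def plan_replacement(acl, entries, old_ace, new_ace, start=10, step=10):
    """IOS commands that swap old_ace for new_ace while the ACL stays applied to the interface:
    insert the new ACE *before* the old one, remove the old one, resequence. If the neighbouring
    numbers leave no gap, resequence first. Returns (commands, entries after the final resequence)."""
    old_seq = next((s for s, a in entries if a == old_ace), None)
    if old_seq is None:
        raise ValueError(f"{old_ace!r} not in ACL {acl}")
    cmds, new_seq = [], free_seq_before(entries, old_seq)
    if new_seq is None:                       # edge case: e.g. sequences 10 and 11 are consecutive
        cmds.append(f"ip access-list resequence {acl} {start} {step}")
        entries = resequence(entries, start, step)
        old_seq = next(s for s, a in entries if a == old_ace)
        new_seq = free_seq_before(entries, old_seq)
    cmds += [f"ip access-list extended {acl}", f" {new_seq} {new_ace}", f" no {old_seq}", " exit",
             f"ip access-list resequence {acl} {start} {step}"]
    edited = sorted([e for e in entries if e[0] != old_seq] + [(new_seq, new_ace)])
    return cmds, resequence(edited, start, step)

# Constructed sample: the 'show access-lists 130' listing from before the change.
SHOW_OUTPUT = """\
Extended IP access list 130
 10 permit ip host 1.1.1.1 host 99.99.99.99
 20 permit ip host 3.3.3.3 any
 30 deny ip any any
"""
```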

Naturally, the most important benefit is that the access-list stays applied the whole time. With a standard IP access-list, even a slight modification means removing the ACL and re-applying it afterwards; you will never know which traffic passes the interface while you are working on the access-list.

The same applies to named access-lists.

NOTE:

Cisco NEXUS devices have a slightly different syntax to resequence:
NEXUS-R3(config)# resequence ip access-list some_vlan 10 10