Yup, you can have multiple lines for the same numbered access-list as long
as the CPU of your router can handle it :)

You can use the sequence number feature for extended access lists. This
feature does not support the old-style numbered access list. This feature
makes revising IP access lists much easier.

 

 

Router(config)#ip access-list extended JAHIL
Router(config-ext-nacl)#?
Ext Access List configuration commands:
  <1-2147483647>  Sequence Number ("Can you really have an access list up to this number :)")

Router#sh access-lists JAHIL
Extended IP access list JAHIL (Compiled)
    10 permit ip 131.1.23.0 0.0.0.255 131.1.12.0 0.0.0.255
    20 permit ip 131.1.23.0 0.0.0.255 any

 

Regards,

Masood Ahmad Shah

BLOG: http://www.weblogs.com.pk/jahil/

 

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Scott Morris
Sent: Monday, May 12, 2008 9:54 AM
To: 'Amir.Tahir/Wateen/Lahore'; [email protected]
Subject: Re: [OSL | CCIE_RS] Extended ACL - Need Help

 

Yeah....  You can have multiple lines in an ACL.  The 'any' keyword
certainly summarizes but obviously permits MANY more matches than just the
loopback and 131.1.12.0/24 network!

 

ACL and the logic are covered on the DocCD as well.  Check out:

 

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a2.html#wp1013358

http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/schacls.html

 

HTH,

 


Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE-M
#153, JNCIS-ER, CISSP, et al.
CCSI/JNCI-M/JNCI-ER
VP - Technical Training - IPexpert, Inc.
IPexpert Sr. Technical Instructor

[EMAIL PROTECTED]

 

Telephone: +1.810.326.1444
Fax: +1.810.454.0130
http://www.ipexpert.com

 

 

 

 

  _____  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Amir.Tahir/Wateen/Lahore
Sent: Monday, May 12, 2008 12:14 AM
To: [email protected]
Subject: [OSL | CCIE_RS] Extended ACL - Need Help

Hi there,

 

With reference to the extended access list topic, I would like to clarify a
couple of things.

 

access-list  101 permit ip 131.1.23.0 0.0.0.255 131.1.12.0 0.0.0.255

As per my understanding, the above ACL states that only a packet whose source
is network 131.1.23.x with destination address 131.1.12.0/24 could be
permitted.

 

In order to have access to R1's loopback, in addition to the above-mentioned
ACL I have to create another access list to permit the loopback interface, like:

access-list  101 permit ip 131.1.23.0 0.0.0.255 1.1.1.0 0.0.0.255

 

To permit both of the networks in one single line, can I compile them like
the following ACL?

access-list  101 permit ip 131.1.23.0 0.0.0.255 any

 

...Please correct me if I am wrong

 

 

 

Regards / AT
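
Added example (not part of any message in this thread): a small Python model of extended-ACL matching that compares the two-line access-list 101 from the question with the single 'any' line, showing the extra traffic 'any' lets through. The host addresses 131.1.23.5, 131.1.12.1, 1.1.1.1 and 10.9.9.9 are constructed samples, and only "permit|deny ip" entries with wildcard masks or 'any' are modelled.

```python
import ipaddress

# Entries from the thread, without the "access-list 101" prefix.
ACL_TWO_LINES = [
    "permit ip 131.1.23.0 0.0.0.255 131.1.12.0 0.0.0.255",
    "permit ip 131.1.23.0 0.0.0.255 1.1.1.0 0.0.0.255",
]
ACL_ANY = ["permit ip 131.1.23.0 0.0.0.255 any"]

def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def parse_ace(line):
    """Parse 'permit|deny ip <addr wildcard | any> <addr wildcard | any>'."""
    action, proto, *rest = line.split()
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError("unsupported entry: " + line)
    specs = []
    while rest:
        if rest[0] == "any":
            specs.append((0, 0xFFFFFFFF))  # every bit is "don't care"
            rest = rest[1:]
        else:
            specs.append((_to_int(rest[0]), _to_int(rest[1])))
            rest = rest[2:]
    if len(specs) != 2:
        raise ValueError("need source and destination: " + line)
    return action, specs[0], specs[1]

def matches(spec, ip):
    addr, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # wildcard 0-bits must match exactly
    return (_to_int(ip) & care) == (addr & care)

def evaluate(acl, src, dst):
    """First matching entry wins; no match hits the implicit deny."""
    for line in acl:
        action, src_spec, dst_spec = parse_ace(line)
        if matches(src_spec, src) and matches(dst_spec, dst):
            return action
    return "deny"

def compare(src, destinations):
    """Map each destination to (two-line ACL result, 'any' ACL result)."""
    return {d: (evaluate(ACL_TWO_LINES, src, d), evaluate(ACL_ANY, src, d))
            for d in destinations}

if __name__ == "__main__":  # constructed sample hosts below
    for dst, res in compare("131.1.23.5", ["131.1.12.1", "1.1.1.1", "10.9.9.9"]).items():
        print(dst, res)
```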

 
