inserting a line into a cisco ACL

groovin

Senior member
Jul 24, 2001
I have a preexisting ACL (100) on fa 0/0. i want to insert a new line into it before the default deny line. how do i do this? my CCNA book doesn't tell me squat.
 

randal

Golden Member
Jun 3, 2001
Usually, I make a brand new ACL that has all the entries from the original ACL plus the new one, and then I apply the new acl to the interface.

That's the way I learned to do it and honestly, I don't think there is a way to modify an ACL. I know that on BSD, you can number your ipfw rules like "10 (rule here) 20 (rule here)" which means that you have 10 "slots" between each rule where you can put in new rules. I don't think cisco has anything similar.

Of course, I'm a novice compared to the guys here -- wait for a more knowledgeable answer :)
randal
 

cmetz

Platinum Member
Nov 13, 2001
sh run ! & capture to a text file
config term
int fa0/0
no ip access-group <x> in
! Remove the ACL from the interface before mucking with it.
! Unless you're very careful, you can get in big trouble otherwise.
no access-list <x>

go to your text file, add the line in the right place, and cut and paste it back in. Do so in small chunks.
 

groovin

Senior member
Jul 24, 2001
i was thinking about just making a new access list then applying to the interface with:

router(config-int)# ip access-group 101 in

but do i need to unapply the previous ACL? will applying a new ACL affect any of the other non ACL settings on the interface like # no ip redirects, # no cdp enable ... etc??

i talked to some CCNA's and a CCNP and some just suggested i TFTP it and use word pad to edit the config file and reupload it.

yeah, im used to the open source way of doing things... being able to insert things at specific lines.
 

spidey07

No Lifer
Aug 4, 2000
cmetz provided the proper procedure.

use copy/paste when working with ACLs, make sure you remove the ACL from an interface first.
 

groovin

Senior member
Jul 24, 2001
cut and paste, you mean upload it to TFTP and edit? sorry, since my CCNA studies, i forget just a bit more about cisco routers everyday. i appreciate the help guys
 

groovin

Senior member
Jul 24, 2001
im going to try editing the config that i nab via TFTP. what text editor should i use? i tried wordpad but it keeps wanting to save the file as a txt. cmetz said to save to a text file, but i just wanted to make sure he meant text as in .txt
 

spidey07

No Lifer
Aug 4, 2000
try this...

while in the router type show run to see config.
use mouse to highlight ACL
copy using the edit menu
open notepad
paste
type what ever it is you need
copy entire ACL using the edit menu in notepad
back in the router remove the ACL from the interface
type no access-list xxx
paste what you copied from notepad.
 

groovin

Senior member
Jul 24, 2001
do i need to paste it back into the router line by line? i am using putty and when i copy from notepad and paste back into the terminal screen the lines get weird. thanks a lot for the help
 

randal

Golden Member
Jun 3, 2001
When I do it by telnet and I'm re-adding like a 100 line ACL, I just copy it from notepad, get to the telnet window and (in win2k) right click and it starts pasting it. Yea, it'll look crazy. Duplicate lines, chopped lines, $ symbols all over. Looks like it's hosing your router.

Don't worry, it's working -- it just doesn't look like it ;)

randal
 

groovin

Senior member
Jul 24, 2001
randal,

i guess ill give it a shot (on a test router first!). i use ssh through putty.exe not win2k telnet so im not exactly sure how it'd behave. either way, this is one of those real world things that the CCNA never required me to learn.
 

randal

Golden Member
Jun 3, 2001
Well, realize that telnet & ssh are both tcp based, and hence aren't going to lose any characters (unless you're doing it from like 30 hops away, in which case you should be hit with a broom). Just paste it, it'll go.

randal
 

Garion

Platinum Member
Apr 23, 2001
Copy/paste through Putty is cake. Anytime you highlight something in Putty, it's automatically "copied". Show your config, highlight the ACL and paste it into notepad. To paste, just right-click.

I seem to recall that, in later versions of the IOS you can edit your ACL and add or remove lines dynamically without wiping it out and starting over like you used to have to do. I've never done it (don't get my hands on many Ciscos nowadays), but it's there.

- G
 

groovin

Senior member
Jul 24, 2001
i hopped on my test router and practiced editing configs with different text editors. I used solarwinds cisco config editor as well as wordpad and both worked. i was able to tftp configs edited by wordpad without any problems. i didn't try doing anything ACL related by cutting and pasting. a friend of mine makes ACL (and other config) changes by using various text editors and tftp like how i just did.

so i hopped on the router i am trying to change at work via a putty/ssh session. i download the running config and add the ACL lines i needed in the appropriate places

basically its just 2 lines: access-list 100 permit tcp any host x.x.x.x eq yy and another one for udp. i just want to allow traffic destined to port yy to x.x.x.x. simple enough. so i added the lines where they should go (at least i think) and saved the config. i then tftp'd it back into the router. it uploaded fine except for an error saying "redundant 'match' "... when i do a sh run, the 2 lines i added were thrown to the back of the ACL behind the deny all.

does this mean that traffic to x.x.x.x:yy is already allowed?

so i decided to revert back to the original config which i backed up before doing any of this. i tftp'd it back into run, but the 2 lines of the ACL still remain at the bottom of the ACL section of the config!

but otherwise, everything seems to be working back to normal...

did i do something wrong?
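The two things the thread keeps circling are the unbind/delete/re-enter procedure cmetz and spidey07 describe, and groovin's observation that lines merged into a numbered ACL land after the final deny. Both come down to the same fact: a numbered ACL is evaluated top to bottom, first match wins, and new entries are appended in the order they are entered, so anything entered after "deny ip any any" can never match. The script below is an added example written for this thread (not code from any poster, and not a Cisco tool): it pulls a numbered ACL out of a constructed "show run" extract, simulates first-match evaluation so the dead-entry case is visible, rebuilds the ACL with the new lines placed ahead of the trailing deny, and prints the paste-back sequence the thread recommends (remove the access-group from the interface, delete the list, re-enter it, re-apply). The addresses, interface name and ports are made up; the ACE parser only understands the `any`, `host A` and `A WILDCARD` address forms with an optional numeric `eq` destination port, which is enough for the lines discussed here.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed "show run" extract for a hypothetical router; not a real configuration.
SHOW_RUN = """\
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group 100 in
!
access-list 100 permit tcp any host 192.0.2.10 eq 22
access-list 100 permit ip 192.0.2.0 0.0.0.255 any
access-list 100 permit icmp any any echo-reply
access-list 100 deny ip any any log
"""

# The two entries groovin wanted added (constructed host/port values).
NEW_LINES = [
    "access-list 100 permit tcp any host 192.0.2.20 eq 8080",
    "access-list 100 permit udp any host 192.0.2.20 eq 8080",
]

ACE = re.compile(r"access-list (?P<num>\d+) (?P<action>permit|deny) (?P<proto>\S+) (?P<rest>.+)$")


def extract_acl(config, number):
    """Return the entries of numbered ACL `number`, in the order the router holds them."""
    prefix = f"access-list {number} "
    return [ln.strip() for ln in config.splitlines() if ln.strip().startswith(prefix)]


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD' (contiguous wildcard assumed)."""
    t = tokens.pop(0)
    if t == "any":
        return ip_network("0.0.0.0/0")
    if t == "host":
        return ip_network(tokens.pop(0) + "/32")
    wildcard = int(ip_address(tokens.pop(0)))
    mask = (~wildcard) & 0xFFFFFFFF           # Cisco wildcard = inverted netmask
    prefixlen = 32 - wildcard.bit_length()
    return ip_network(f"{ip_address(int(ip_address(t)) & mask)}/{prefixlen}")


def parse_ace(line):
    """Parse one access-list entry into its action, protocol, source, destination and dst port."""
    m = ACE.match(line)
    if not m:
        raise ValueError(f"not an access-list entry: {line}")
    tokens = m["rest"].split()
    src = _parse_addr(tokens)
    dst = _parse_addr(tokens)
    dport = int(tokens[tokens.index("eq") + 1]) if "eq" in tokens else None
    return {"action": m["action"], "proto": m["proto"], "src": src, "dst": dst, "dport": dport}


def evaluate(acl_lines, proto, src, dst, dport=None):
    """First-match evaluation as the router does it. Returns (action, index of the
    matching entry); the index is None when the implicit deny at the end applies."""
    for i, line in enumerate(acl_lines):
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", proto):
            continue
        if ip_address(src) not in ace["src"] or ip_address(dst) not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], i
    return "deny", None


def rebuild_acl(acl_lines, new_lines):
    """Return the ACL with new_lines inserted just ahead of the trailing deny entry,
    which is the position simply appending them (or merging a config) cannot give you."""
    denies = [i for i, ln in enumerate(acl_lines) if parse_ace(ln)["action"] == "deny"]
    cut = denies[-1] if denies else len(acl_lines)
    return acl_lines[:cut] + list(new_lines) + acl_lines[cut:]


def paste_back_sequence(number, interface, acl_lines, direction="in"):
    """The sequence the thread recommends: unbind, delete, re-enter, re-bind. Returned as
    the text you would paste into a config session from a text editor."""
    out = ["configure terminal", f"interface {interface}",
           f"no ip access-group {number} {direction}", "exit", f"no access-list {number}"]
    out += acl_lines
    out += [f"interface {interface}", f"ip access-group {number} {direction}", "end"]
    return "\n".join(out)


if __name__ == "__main__":
    original = extract_acl(SHOW_RUN, 100)
    appended = original + NEW_LINES            # what groovin ended up with
    rebuilt = rebuild_acl(original, NEW_LINES)  # what he wanted
    pkt = ("tcp", "198.51.100.7", "192.0.2.20", 8080)
    print("appended ACL:", evaluate(appended, *pkt))   # hits the deny first; new lines are dead
    print("rebuilt ACL: ", evaluate(rebuilt, *pkt))    # hits the new permit
    print(paste_back_sequence(100, "FastEthernet0/0", rebuilt))
```

Running it shows the packet to the new host and port being denied by the existing "deny ip any any" entry in the appended list and permitted by the rebuilt one, which is exactly why the upload-and-merge attempt looked successful in "show run" yet did nothing, and why deleting the list and re-entering it in the intended order is the procedure the thread settles on.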