ACL line numbering

[shazzam1]

Does my router support ACL line numbering? If so how do I add a line to the ACL and if not how to as well?

Thanks in advance.

SMC-GW2#sh ver
Cisco IOS Software, 3800 Software (C3825-IPBASEK9-M), Version 12.4(11)T, RELEASE SOFTWARE (fc2)
Technical Support:

http://www.cisco.com/techsupport

Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Sat 18-Nov-06 23:16 by prod_rel_team

ROM: System Bootstrap, Version 12.3(11r)T2, RELEASE SOFTWARE (fc1)

SMC-GW2 uptime is 3 weeks, 17 hours, 47 minutes
System returned to ROM by power-on
System image file is "flash:c3825-ipbasek9-mz.124-11.T.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 3825 (revision 1.0) with 226304K/35840K bytes of memory.
Processor board ID FTX0928A1N1
2 Gigabit Ethernet interfaces
1 Serial interface
1 Subrate T3/E3 port
DRAM configuration is 64 bits wide with parity enabled.
479K bytes of NVRAM.
62720K bytes of ATA System CompactFlash (Read/Write)

Configuration register is 0x2102

 

[North323]

config t
ip access-list extended SOMENAME
10 deny ip 14.2.6.0 0.0.0.255 any log
30 deny ip 127.0.0.0 0.255.255.255 any log
50 deny ip 10.0.0.0 0.255.255.255 any log
70 deny ip 172.16.0.0 0.15.255.255 any log
90 deny ip 192.168.0.0 0.0.255.255 any log
110 deny ip 192.0.2.0 0.0.0.255 any log
130 deny ip 169.254.0.0 0.0.255.255 any log
150 deny ip 224.0.0.0 15.255.255.255 any log
170 deny ip host 255.255.255.255 any log

blah blah blah

config t
int fa0/1 or what ever interface you want
ip access-group SOMENAME in ** or out, depending on your needs

 

[burtsbees]

Or a numbered acl as well, after like 12.2 or something...example from my router...

SMS-STL-Edge>en
Password:
SMS-STL-Edge#sh ver
Cisco IOS Software, 3600 Software (C3640-IK9O3S-M), Version 12.4(23), RELEASE SOFTWARE (fc1)
Technical Support:

http://www.cisco.com/techsupport

Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Sat 08-Nov-08 23:43 by prod_rel_team

ROM: System Bootstrap, Version 11.1(20)AA2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

SMS-STL-Edge uptime is 1 day, 19 hours, 36 minutes
System returned to ROM by power-on
System restarted at 13:38:59 CST Mon Apr 20 2009
System image file is "flash:c3640-ik9o3s-mz.124-23.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 3640 (R4700) processor (revision 0x00) with 125952K/5120K bytes of memory.
Processor board ID 17654035
R4700 CPU at 100MHz, Implementation 33, Rev 1.0
2 Ethernet interfaces
DRAM configuration is 64 bits wide with parity enabled.
125K bytes of NVRAM.
32768K bytes of processor board System flash (Read/Write)

Configuration register is 0x3922

SMS-STL-Edge#sh access-l 101
Extended IP access list 101
10 deny ip any host 192.168.3.1 (11208 matches)
20 deny ip any host 192.168.3.2
30 permit ip 192.168.69.0 0.0.0.255 any (4570 matches)
SMS-STL-Edge#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SMS-STL-Edge(config)#ip access-list extended 101
SMS-STL-Edge(config-ext-nacl)#5 deny ip any host 192.168.3.34
SMS-STL-Edge(config-ext-nacl)#exi
SMS-STL-Edge(config)#do sh access-l 101
Extended IP access list 101
5 deny ip any host 192.168.3.34
10 deny ip any host 192.168.3.1 (11208 matches)
20 deny ip any host 192.168.3.2
30 permit ip 192.168.69.0 0.0.0.255 any (4574 matches)
SMS-STL-Edge(config)#ip access-l ex 101
SMS-STL-Edge(config-ext-nacl)#no 5
SMS-STL-Edge(config-ext-nacl)#end
SMS-STL-Edge#wr
Building configuration...
[OK]
SMS-STL-Edge#sh access-l 101
Extended IP access list 101
10 deny ip any host 192.168.3.1 (11208 matches)
20 deny ip any host 192.168.3.2
30 permit ip 192.168.69.0 0.0.0.255 any (4575 matches)
SMS-STL-Edge#

Burt

 

[sirlollypop]

The only way to edit using the sequence number is on a Extended ACL so using a acl number over 101 or using a named ACL. Which I prefer.

 

[burtsbees]

Nope---first off, it is 100 or higher for extended acl's. Second, you can do the same with standard acl's...

SMS-STL-Edge(config)#access-list 20 permit any
SMS-STL-Edge(config)#access-list 20 deny 10.0.0.0 0.255.255.255
SMS-STL-Edge(config)#do sh access-list 20
Standard IP access list 20
10 permit any
20 deny 10.0.0.0, wildcard bits 0.255.255.255
SMS-STL-Edge(config)#ip access-list standard 20
SMS-STL-Edge(config-std-nacl)#no 20
SMS-STL-Edge(config-std-nacl)#exi
SMS-STL-Edge(config)#do sh access-list 20
Standard IP access list 20
10 permit any
SMS-STL-Edge(config)#

Burt