How can I insert a line into an existing ACL on Routers? Cisco Forum FAQ
Most books say this can't be done... well, that shows you shouldn't believe everything you read :)

Option 1: IOS image supports ACL line number

If the IOS image running on the router supports ACL line numbers, the procedure is as follows.

First, do a show access-list at the exec prompt.

Note the line numbering in the required access-list e.g.:

Then enter config mode and insert the line you want to add, prefixing it with the appropriate number to position it where you want in the list (substitute standard for extended in the example below if you are working with a standard ACL):


If you repeat the show access-list you should find the deny just where you want it ;)


Below is a full example with a named extended ACL


The suggested next step is to renumber the access-list starting from 10 in steps of 10, using the following command:


This method has been tested with both IOS 12.3 and 12.4 and works with standard, extended, numbered and named ACLs.

Note that on older IOS image versions you may have to issue the service linenumber command to activate ACL line numbering. On newer IOS image versions this is already active by default, so there is no need to issue the command.
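As an added example (not part of the original FAQ), here is a small Python helper for Option 1: it reads one ACL from show access-lists output, picks a sequence number that lands just before the entry you choose, and emits the config lines to paste; when the gap between neighbours is already used up it falls back to the IOS ip access-list resequence command. The ACL name EDGE_IN and its entries are constructed sample data.

```python
# Added example (not from the original FAQ): choose a free sequence number for
# Option 1 from "show access-lists" output and emit the IOS config lines.
# The ACL name and entries below are constructed sample data.
import re

SAMPLE_SHOW = """\
Extended IP access list EDGE_IN
    10 permit tcp any any established (1204 matches)
    20 permit udp any eq domain any
    30 deny ip any any (17 matches)
"""

# seq, action, rule, optional "(N matches)" counter at the end of the line
ENTRY_RE = re.compile(r"^\s+(\d+)\s+(permit|deny)\s+(.+?)(?:\s+\(\d+ matches\))?$")

def parse_acl(show_output):
    """Return (name, kind, [(seq, rule), ...]) for one ACL of show access-lists output."""
    lines = show_output.strip().splitlines()
    header = re.match(r"^(Standard|Extended) IP access list (\S+)", lines[0])
    if not header:
        raise ValueError("unrecognised ACL header: %r" % lines[0])
    entries = []
    for line in lines[1:]:
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), "%s %s" % (m.group(2), m.group(3))))
    return header.group(2), header.group(1).lower(), entries

def seq_before(entries, target_seq):
    """Sequence number sorting just before target_seq, or None if no number is free."""
    seqs = [s for s, _ in entries]
    if target_seq not in seqs:
        raise ValueError("sequence %d not in ACL" % target_seq)
    prev = max([s for s in seqs if s < target_seq], default=0)
    if target_seq - prev < 2:
        return None  # neighbours are adjacent: resequence first, then retry
    return prev + (target_seq - prev) // 2

def insert_commands(show_output, new_rule, before_seq):
    """Config lines that insert new_rule ahead of the entry numbered before_seq."""
    name, kind, entries = parse_acl(show_output)
    seq = seq_before(entries, before_seq)
    if seq is None:
        # Gap exhausted: renumber 10, 20, 30, ... and re-run show access-lists.
        return ["ip access-list resequence %s 10 10" % name]
    return ["ip access-list %s %s" % (kind, name), " %d %s" % (seq, new_rule), "exit"]
```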

Option 2: IOS image does not support ACL line number

When the router's IOS image does not support ACL line numbers, the procedure is as follows.

1. Copy the ACL into a text editor (e.g. Notepad).
2. In the text editor, insert the ACL line.
3. Verify that your work is correct and will not bring production down.
4. On the router, temporarily unapply the ACL.
5. Remove the ACL from the router.
6. Copy the updated ACL from the text editor into the router.
7. Verify that the router now has the updated ACL.
8. When the router does have the updated ACL, reapply it exactly as it was applied before.

Illustration

You have the following on your router


You need ACL 100 to look like the following


Following the above steps, here is what you should do

1. Copy the existing ACL 100 to your text editor

Tips:
Let's say you use Notepad as the text editor. On the router, highlight the access list, copy the highlighted text and paste it into Notepad.

2. On the text editor, insert the ACL line (the "access-list 100 permit tcp any any eq 80")

access-list 100 permit tcp any any eq 80
access-list 100 permit udp any eq 53 any
access-list 100 permit tcp any any established
access-list 100 deny ip any any

3. Verify that the updated ACL 100 in the text editor is correct and will not bring production down.

4. On the router, temporarily unapply the ACL.


5. Remove the ACL from the router


6. Copy the updated ACL from the text editor into the router.

Tips:
Let's say you use Notepad as the text editor. In Notepad, you should have the following


Have the router at the privileged exec prompt (the pasted commands start with conf t, which enters global configuration mode), like the following

Router#

Highlight all of the above command lines in Notepad (from "conf t" to "end"), copy the highlighted text and paste it into the router.

7. Verify that the router now has the updated ACL.


8. When the router does have the updated ACL, reapply it to the interface exactly as it was applied before


Important Note:

The illustration assumes that the ACL 100 is only applied to a single interface. When the same ACL is applied to multiple interfaces, you need to unapply and reapply the ACL on all interfaces.

When the ACL is applied under a specific interface or a specific terminal line (e.g. line vty), the above procedure can be carried out during production hours. When the ACL is tied to NAT or a routing process, there will be some down time. If the down time is unavoidable, schedule the ACL modification after hours or off-hours.

Don't forget that you can lock yourself out of a router by making a mistake when working with ACLs. Worse, your ACL work could bring production down. If you are working remotely and it is possible to reload the router afterward, it is particularly important to consider issuing a reload in x command, where x is the number of minutes that will pass before the router reloads itself. Then, if you lock yourself out, you know the router will be reset within x minutes. When you are happy that the changes are correct, you can write the new config and cancel the reload with reload cancel.

When it is not possible to reload and you are working remotely, you should have out-of-band access as an alternate path. This out-of-band access is a dedicated line that goes directly to the router console port. A lot of out-of-band access is set up using an analog dialup modem over a POTS line, although many organizations also use Frame Relay, DSL, or cable modem for faster access.



by Phraxos edited by aryoba
last modified: 2008-06-14 11:52:15

