Named ACLs

Unanswered Question
Jun 18th, 2007

Hi

Can anybody tell me the logic behind allowing you to delete individual lines from a named ACL but not from a numbered ACL?

This just seems like some sort of inconsistent OS development to me; it doesn't make any sense at all...

Thanks

royalblues Sun, 06/24/2007 - 13:23

Actually, you can apply the same logic of a named access-list to a numbered access-list as well.

I do it all the time.

Here's an example.

Say you have a numbered access-list:

access-list 100 permit ip host 172.16.100.1 any

access-list 100 permit ip host 172.16.200.1 any

access-list 100 permit ip host 172.16.110.1 any

access-list 100 permit ip host 172.16.120.1 any

Now, if you want to remove the 2nd line from the access-list, all you have to do is use the extended keyword with the access-list number as the name and delete the entry.

Type:

(config)#ip access-list extended 100

(router-config-nacl)#no permit ip host 172.16.200.1 any

This would remove only the 2nd line from the access-list.

If your access-list number is in the range 1-99, use standard instead of extended.

So it is not always necessary to use a named access-list :-)

HTH, rate if it does

Narayan

syedsohailsarwar Wed, 06/27/2007 - 10:01

Using Cisco IOS version 12.3, a specific line can be inserted into or deleted from a numbered access-list.

Example:

sh run | i access-list 100

10 permit tcp any host 172.31.1.254 eq www

20 deny tcp any any eq 23

30 permit ip any any

Let us say that we want to add one more line to the existing list without using the old method of copy/paste into Notepad, modify, and paste back.

See how it works:

R01# conf t

R01(config)#ip access-list extended 100

R01(config-nacl)# 7 permit ip any any eq 21

R01(config-nacl)#exit

R01(config)# ip access-list resequence 100 5 5

R01(config)#exit

100 is the list number, 5 is the starting number, and the other 5 is the step (increment).

So check again:

sh run | i access-list 100

5 permit tcp any host 172.31.1.254 eq www

10 permit ip any any eq 21

15 deny tcp any any eq 23

20 permit ip any any

syedsohailsarwar Wed, 06/27/2007 - 10:03

There was a typo, so disregard that:

5 permit tcp any any eq 21

10 permit tcp any host 172.31.1.254 eq www

15 deny tcp any any eq 23

20 permit ip any any
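Both answers above (deleting an entry with "no <entry>" inside "ip access-list extended <number>", and inserting by sequence number followed by "ip access-list resequence") are easier to reason about with a small model of the sequencing rules. The Python below is an added example written for this page; it is not IOS code and not from any of the posters. It implements a deliberate subset of the ACE syntax (permit/deny, ip/tcp/udp, "any" or "host A.B.C.D" addresses, an optional "eq <port>") and the IOS default of numbering appended entries 10, 20, 30. It replays the corrected listing from the post above and then shows two things the posts do not: that first-match evaluation decides which entry a packet hits, and that an entry appended without a sequence number after "permit ip any any" can never match. The hosts 172.31.1.254 and 10.0.0.5 and the packets evaluated are constructed sample input.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example, not IOS code: a toy model of sequenced ACL editing.
# ACE syntax is a subset of IOS: permit|deny ip|tcp|udp <addr> <addr> [eq <port>],
# where <addr> is 'any' or 'host A.B.C.D'. Default sequence numbering: 10, 20, 30...


@dataclass
class Ace:
    seq: int
    action: str                   # 'permit' or 'deny'
    proto: str                    # 'ip', 'tcp' or 'udp'
    src: str                      # 'any' or 'host A.B.C.D'
    dst: str                      # 'any' or 'host A.B.C.D'
    port: Optional[int] = None    # destination port from 'eq <port>'

    def text(self) -> str:
        base = f"{self.action} {self.proto} {self.src} {self.dst}"
        return base if self.port is None else f"{base} eq {self.port}"

    def covers(self, other: "Ace") -> bool:
        """True if every packet 'other' could match is already matched by self."""
        return ((self.proto == "ip" or self.proto == other.proto)
                and self.src in ("any", other.src) and self.dst in ("any", other.dst)
                and (self.port is None or self.port == other.port))


def parse_ace(seq: int, line: str) -> Ace:
    """Parse e.g. 'permit tcp any host 172.31.1.254 eq 80' into an Ace."""
    tok = line.split()
    if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[1] not in ("ip", "tcp", "udp"):
        raise ValueError(f"unsupported ACE: {line}")
    action, proto, rest = tok[0], tok[1], tok[2:]
    addrs = []
    for _ in range(2):                          # source, then destination
        if len(rest) >= 2 and rest[0] == "host":
            addrs.append(f"host {rest[1]}"); rest = rest[2:]
        elif rest and rest[0] == "any":
            addrs.append("any"); rest = rest[1:]
        else:
            raise ValueError(f"bad address in ACE: {line}")
    if rest and (len(rest) != 2 or rest[0] != "eq"):
        raise ValueError(f"unsupported trailer in ACE: {line}")
    return Ace(seq, action, proto, addrs[0], addrs[1], int(rest[1]) if rest else None)


class Acl:
    """A numbered or named ACL edited the way 'ip access-list extended <n>' allows."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.aces: List[Ace] = []

    def add(self, line: str, seq: Optional[int] = None) -> None:
        """'[seq] permit ...': an explicit seq places the entry by number,
        otherwise it is appended at last seq + 10 (IOS default)."""
        if seq is None:
            seq = self.aces[-1].seq + 10 if self.aces else 10
        if any(a.seq == seq for a in self.aces):
            raise ValueError(f"sequence {seq} already in use")
        self.aces.append(parse_ace(seq, line))
        self.aces.sort(key=lambda a: a.seq)

    def remove(self, line: str) -> bool:
        """'no permit ...': delete the entry whose text matches, whatever its seq."""
        wanted = parse_ace(0, line).text()
        kept = [a for a in self.aces if a.text() != wanted]
        removed = len(kept) < len(self.aces)
        self.aces = kept
        return removed

    def resequence(self, start: int, step: int) -> None:
        """'ip access-list resequence <n> <start> <step>'."""
        for i, a in enumerate(self.aces):
            a.seq = start + i * step

    def show(self) -> List[str]:
        """As printed by 'show access-list <n>' (sequence numbers included)."""
        return [f"{a.seq} {a.text()}" for a in self.aces]

    def evaluate(self, proto: str, src: str, dst: str,
                 dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
        """First match wins; the implicit 'deny ip any any' ends every IOS ACL."""
        pkt = Ace(0, "permit", proto, f"host {src}", f"host {dst}", dport)
        for a in self.aces:
            if a.covers(pkt):
                return a.action, a.seq
        return "deny", None

    def shadowed(self) -> List[int]:
        """Entries that can never match because an earlier entry covers them,
        e.g. anything appended without a seq after 'permit ip any any'."""
        return [b.seq for i, b in enumerate(self.aces)
                if any(a.covers(b) for a in self.aces[:i])]


def thread_example() -> Acl:
    """Replays the thread: entries 10/20/30, insert at 7, 'resequence 100 5 5'."""
    acl = Acl("100")
    acl.add("permit tcp any host 172.31.1.254 eq 80")    # IOS prints 'eq www'
    acl.add("deny tcp any any eq 23")
    acl.add("permit ip any any")
    acl.add("permit tcp any any eq 21", seq=7)           # lands before seq 10
    acl.resequence(5, 5)
    return acl
```

Two practical caveats when doing this on a real router: "show running-config" does not print sequence numbers, so use "show access-lists 100" (or "show ip access-lists 100") to see the numbers you are about to insert around or delete; and after a resequence the numbers change, so look again before deleting by number. The shadowed() check is the thing to run after any append: an entry that lands after "permit ip any any" is dead configuration, and a deny placed there gives no protection at all.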

exkor5000 Wed, 06/27/2007 - 13:58

Hi

Thanks a lot for your feedback.

You've actually used the "resequence" command.

I was referring to the case where you cannot use it.

I was just puzzled by the way IOS was designed. I find those weird things all the time, and I just keep asking myself whether there is some sort of logic behind the way things are, or whether the IOS development passed through so many developers that it became more and more inconsistent.

So far I've been studying for my CCNA, and the more I interact with IOS the more I think it is not as convenient as everyone says it is. Or the phrase "the powerful features of the IOS" doesn't really turn out to be true. I've worked on a number of different OSes (excluding the Windows line, of course) and I believe that Cisco could have done a much better job of designing a good OS for their hardware which makes more sense to the administrator.

For instance, take the Bash shell (common on most Linux-based systems): it is so straightforward to the user that it almost speaks for itself, whereas with the IOS CLI you need to get certified to know how to properly work with it.

Anyway, just a general opinion.

Nevertheless, I still need my cert so...

cheers

mheusing Thu, 06/28/2007 - 00:28

Hi,

A small comment: one of the reasons for some "inconsistencies", as you call them, is downward compatibility. Be aware that IOS has been around for many years. So you find many examples where "old style" and "new style" features are supported in parallel; ACLs are one example.

The main reason for keeping the "old" stuff is that many customers request it. They want to be able to upgrade the IOS on an existing platform without modifying the config. Or they simply use classical standard/extended ACLs because they have been used to doing it this way for years. This requires that the software supports both command sets.

I agree that this might be confusing to a beginner/learner, but the majority of customers are simply used to it.

If you look at IOS XR, this is a "new" software (actually version 3.4) with a consistent CLI and a quite different architecture.

Where I might add that "consistency" is also dependent on personal preferences.

One more remark: in case you do not like the CLI, then use SNMP or SDM to configure most features on the router; there are many ways of getting things done.

Regards, Martin

exkor5000 Thu, 06/28/2007 - 03:38

Hi Martin

You have a good point about downward compatibility!

I haven't tried the "new" OS as yet.

And yes, I don't really like the IOS 12.x CLI, but for the exam I have to know it.

My point was that time could have been spent more efficiently on studying if the CLI were more down to earth. It's not complex, it's just confusing and weird when I compare it to other OSes and their shells/CLIs.

But you made a good point in regard to compatibility, and I assume this explains everything at this point.

Thanks for your feedback

Cheers :)
