Access List

Answered Question
Nov 7th, 2007
Hi


We have an access list and it is over 100 commands. Is there a simple way to remove one access-list command from it, or to add one in between the others (not at the end of the whole ACL)?


Thank you

Correct Answer by keller.oliver, Thu, 11/08/2007 - 04:58

Old school: work with an editor.

Just edit a text file offline and then paste it into the session you have with the machine.

For example, if you have ACL 101, the text would look like this:


! clear the existing ACL 101
no access-list 101
! new ACL rules 101
access-list 101 permit x
access-list 101 permit y
access-list 101 deny z
...
!
END
!



If you're in config mode and transfer that, the existing ACL is cleared and instantly filled with the new rules. Plus, it's more convenient to cut, copy and paste in an external editor, even compared to named ACLs, so you have a better view of what you're doing.

Just my two cents ;)

Beware:

Extended IP ACL: access-list [nr] ....
Named IP ACL: ip access-list extended [name]

It's easy to forget the "ip" when you're too familiar with the "numbered ACL" version ;)

Correct Answer by Edison Ortiz, Wed, 11/07/2007 - 07:55

Yes, you can use named ACLs instead of numbered ACLs.

Example:


Rack1R2#sh run | sec ip access
ip access-list extended anita
permit ip any 192.168.1.0 0.0.0.255
permit ip any 192.168.2.0 0.0.0.255
permit ip any 192.168.3.0 0.0.0.255
permit ip any 192.168.4.0 0.0.0.255

Now, let's say I want to have an entry between 192.168.3.0 and 192.168.4.0:


Rack1R2#show ip acces
Extended IP access list anita
10 permit ip any 192.168.1.0 0.0.0.255
20 permit ip any 192.168.2.0 0.0.0.255
30 permit ip any 192.168.3.0 0.0.0.255
40 permit ip any 192.168.4.0 0.0.0.255

Rack1R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rack1R2(config)#ip access-list extended anita
Rack1R2(config-ext-nacl)#35 deny ip any 192.168.4.0 0.0.0.31
Rack1R2(config-ext-nacl)#do show ip acce
Extended IP access list anita
10 permit ip any 192.168.1.0 0.0.0.255
20 permit ip any 192.168.2.0 0.0.0.255
30 permit ip any 192.168.3.0 0.0.0.255
35 deny ip any 192.168.4.0 0.0.0.31
40 permit ip any 192.168.4.0 0.0.0.255

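A small added helper (not from the thread or from Cisco) that does offline what the two answers do by hand: it parses the `show ip access-lists` output shown above, finds a free sequence number between two entries, emits the `ip access-list` commands to insert or remove an entry, and evaluates a destination address against the result with first-match semantics, so the effect of a change (here, the deny at 35 shadowing part of the permit at 40) can be checked before it is pushed. The ACL text, the addresses and the simplified `permit|deny ip any <net> <wildcard>` form are constructed assumptions; `no <seq>` and `ip access-list resequence` are IOS commands the thread does not show.

```python
import ipaddress
import re

# Constructed sample: the `show ip access-lists` output from the answer above.
SHOW_ACL = """Extended IP access list anita
    10 permit ip any 192.168.1.0 0.0.0.255
    20 permit ip any 192.168.2.0 0.0.0.255
    30 permit ip any 192.168.3.0 0.0.0.255
    40 permit ip any 192.168.4.0 0.0.0.255
"""
# Only the simplified ACE form used in the thread is understood (assumption).
ACE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+ip\s+any\s+(\S+)\s+(\S+)\s*$")

def parse_acl(text):
    """Return a sorted list of (seq, action, network, wildcard) tuples."""
    entries = []
    for m in filter(None, map(ACE_RE.match, text.splitlines())):
        seq, action, net, wild = m.groups()
        entries.append((int(seq), action, net, wild))
    return sorted(entries)

def free_sequence(entries, after_seq):
    """Sequence number halfway between `after_seq` and the next entry, or None
    if no integer fits; the ACL must then be renumbered first
    (IOS: `ip access-list resequence <name> <start> <step>`)."""
    seqs = [e[0] for e in entries]
    i = seqs.index(after_seq)  # raises ValueError if after_seq is not in the ACL
    nxt = seqs[i + 1] if i + 1 < len(seqs) else after_seq + 10
    mid = (after_seq + nxt) // 2
    return mid if after_seq < mid < nxt else None

def insert_commands(name, seq, action, net, wild):
    """Config lines that add one ACE, as typed in the answer above."""
    return [f"ip access-list extended {name}", f" {seq} {action} ip any {net} {wild}"]

def remove_commands(name, seq):
    """Config lines that delete the ACE with sequence number `seq`."""
    return [f"ip access-list extended {name}", f" no {seq}"]

def matches(addr, net, wild):
    """Cisco wildcard mask: 0 bits must match, 1 bits are don't-care."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wild))
    return ((a & ~w) & 0xFFFFFFFF) == ((n & ~w) & 0xFFFFFFFF)

def evaluate(entries, dst):
    """First matching ACE wins; an unmatched address hits the implicit deny."""
    for seq, action, net, wild in entries:
        if matches(dst, net, wild):
            return action, seq
    return "deny", None
```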