11-09-2009 06:40 AM - edited 03-06-2019 08:31 AM
sh access-list 99
10 permit 192.168.1.0, wildcard bits 0.0.0.255 (31 matches)
20 permit 192.168.9.0, wildcard bits 0.0.0.255
30 permit 172.17.1.0, wildcard bits 0.0.0.255 (29 matches)
40 permit 172.17.3.0, wildcard bits 0.0.0.255 (41 matches)
50 permit 192.168.6.0, wildcard bits 0.0.0.255 (29 matches)
60 deny any (150 matches)
How can I add another line before the deny statement without removing access-list 99 and applying it again?
11-09-2009 06:46 AM
Like this...
55 permit......
Mike
11-09-2009 07:38 AM
access-list 99 permit 192.168.1.0 0.0.0.255
access-list 99 permit 192.168.9.0 0.0.0.255
access-list 99 permit 172.17.1.0 0.0.0.255
access-list 99 permit 172.17.3.0 0.0.0.255
access-list 99 permit 192.168.6.0 0.0.0.255
access-list 99 deny any
My question was how to add another line before the deny statement in one step.
11-09-2009 07:48 AM
Sorry totally misread the question. Having one of those days.
I am not 100% sure how after looking at it.
I will defer to others who have much more knowledge than I.
Mike
11-09-2009 07:49 AM
You can't; only with named access-lists can you insert ACEs.
11-09-2009 08:06 AM
I just tried on one of our test switches and srue is absolutely correct.
And sorry for my errant post earlier.
Mike
11-09-2009 12:11 PM
Hello all.
It is possible to add new lines to numbered ACLs in later releases of code. The output below was on a router running 12.4(21).
R1#config t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#access-list 99 permit 192.168.1.0 0.0.0.255
R1(config)#access-list 99 permit 192.168.9.0 0.0.0.255
R1(config)#access-list 99 permit 172.17.1.0 0.0.0.255
R1(config)#access-list 99 permit 172.17.3.0 0.0.0.255
R1(config)#access-list 99 permit 192.168.6.0 0.0.0.255
R1(config)#access-list 99 deny any
R1(config)#do show access-list 99
Standard IP access list 99
10 permit 192.168.1.0, wildcard bits 0.0.0.255
20 permit 192.168.9.0, wildcard bits 0.0.0.255
30 permit 172.17.1.0, wildcard bits 0.0.0.255
40 permit 172.17.3.0, wildcard bits 0.0.0.255
50 permit 192.168.6.0, wildcard bits 0.0.0.255
60 deny any
R1(config)#ip access-list standard 99
R1(config-std-nacl)#55 permit 192.168.11.0 0.0.0.255
R1(config-std-nacl)#do show access-list
Standard IP access list 99
10 permit 192.168.1.0, wildcard bits 0.0.0.255
20 permit 192.168.9.0, wildcard bits 0.0.0.255
30 permit 172.17.1.0, wildcard bits 0.0.0.255
40 permit 172.17.3.0, wildcard bits 0.0.0.255
50 permit 192.168.6.0, wildcard bits 0.0.0.255
55 permit 192.168.11.0, wildcard bits 0.0.0.255
60 deny any
R1(config-std-nacl)#
Simon
11-09-2009 12:18 PM
That's a named access-list. It just so happens you named it '99'.
11-09-2009 12:28 PM
Hello Srue.
No it isn't. If you look at how I configured it, I used 'access-list 99' and not 'ip access-list standard 99'.
You can try it yourself if you still need convincing. Also, a simple Google search shows pages which back up my configuration:
http://blog.internetworkexpert.com/2008/01/03/editing-numbered-access-lists-on-the-fly/
Simon
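As an added example (not from any of the posters above), here is a small Python helper that parses the `show access-list 99` output quoted in this thread, locates the explicit `deny any`, and emits the `ip access-list standard <number>` / `<seq> permit ...` commands Simon showed, choosing a free sequence number halfway between the last permit and the deny. When no gap is left (for example entries 59 and 60), it assumes the router also supports `ip access-list resequence <acl> <start> <step>`, an IOS command the thread does not mention, and renumbers first. The function names, the sample output and the new ACE are all constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the "show access-list 99" output quoted at the top of the thread.
SHOW_OUTPUT = """Standard IP access list 99
    10 permit 192.168.1.0, wildcard bits 0.0.0.255 (31 matches)
    20 permit 192.168.9.0, wildcard bits 0.0.0.255
    30 permit 172.17.1.0, wildcard bits 0.0.0.255 (29 matches)
    40 permit 172.17.3.0, wildcard bits 0.0.0.255 (41 matches)
    50 permit 192.168.6.0, wildcard bits 0.0.0.255 (29 matches)
    60 deny   any (150 matches)
"""

# One ACE line: "<seq> <permit|deny> <match text> [(<n> matches)]"
ACE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\(\d+ matches\))?\s*$")


@dataclass
class Ace:
    seq: int
    action: str
    match: str  # e.g. "192.168.1.0, wildcard bits 0.0.0.255" or "any"


def parse_show_access_list(text: str) -> List[Ace]:
    """Turn the IOS 'show access-list' output into a list of ACEs in display order."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            entries.append(Ace(int(m.group(1)), m.group(2), m.group(3).strip()))
    return entries


def first_deny_any(entries: List[Ace]) -> Optional[Ace]:
    """Return the first explicit 'deny any' entry, or None if the ACL has none."""
    for ace in entries:
        if ace.action == "deny" and ace.match == "any":
            return ace
    return None


def free_seq_before(entries: List[Ace], target: Ace) -> Optional[int]:
    """Pick an unused sequence number between the entry preceding `target` and `target`.

    Returns None when the two sequence numbers are adjacent and nothing fits in between.
    """
    idx = entries.index(target)
    lower = entries[idx - 1].seq if idx > 0 else 0
    upper = target.seq
    if upper - lower < 2:
        return None
    return lower + (upper - lower) // 2  # 50 and 60 -> 55, as in Simon's post


def insert_before_deny(acl: int, entries: List[Ace], new_ace: str,
                       resequence=(10, 10)) -> List[str]:
    """Build the IOS commands that add `new_ace` just ahead of the explicit 'deny any'.

    `resequence` is the (start, step) used for 'ip access-list resequence' when no
    free number exists; this command is assumed to be available on the router.
    """
    deny = first_deny_any(entries)
    if deny is None:
        raise ValueError("ACL has no explicit 'deny any' to insert before")
    cmds = []
    seq = free_seq_before(entries, deny)
    if seq is None:
        start, step = resequence
        cmds.append(f"ip access-list resequence {acl} {start} {step}")
        # After resequencing, the entry at index i becomes start + i * step.
        idx = entries.index(deny)
        lower = start + (idx - 1) * step if idx > 0 else 0
        upper = start + idx * step
        seq = lower + (upper - lower) // 2
    cmds.append(f"ip access-list standard {acl}")
    cmds.append(f"{seq} {new_ace}")
    return cmds


if __name__ == "__main__":
    acl_entries = parse_show_access_list(SHOW_OUTPUT)
    for cmd in insert_before_deny(99, acl_entries, "permit 192.168.11.0 0.0.0.255"):
        print(cmd)
```

After applying the generated lines, re-run `show access-list 99` and confirm the new sequence number sits above the `deny any` entry, exactly as Simon's second listing shows: an ACE that lands after the explicit deny is never evaluated, so the check is worth doing every time a line is added to a numbered list this way.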