ACL

saquib.tandel
Level 1

sh access-list 99
10 permit 192.168.1.0, wildcard bits 0.0.0.255 (31 matches)
20 permit 192.168.9.0, wildcard bits 0.0.0.255
30 permit 172.17.1.0, wildcard bits 0.0.0.255 (29 matches)
40 permit 172.17.3.0, wildcard bits 0.0.0.255 (41 matches)
50 permit 192.168.6.0, wildcard bits 0.0.0.255 (29 matches)
60 deny any (150 matches)

How can I add another line before the deny statement without removing access-list 99 and applying it again?

8 Replies

burleyman
Level 8

Like this...

55 permit......

Mike

access-list 99 permit 192.168.1.0 0.0.0.255
access-list 99 permit 192.168.9.0 0.0.0.255
access-list 99 permit 172.17.1.0 0.0.0.255
access-list 99 permit 172.17.3.0 0.0.0.255
access-list 99 permit 192.168.6.0 0.0.0.255
access-list 99 deny any

My question was how to add another line before the deny statement in one step.

Sorry totally misread the question. Having one of those days.

I am not 100% sure how after looking at it.

I will defer to others who have much more knowledge than I.

Mike

You can't; only with named access-lists can you insert ACEs.

I just tried this on one of our test switches and Srue is absolutely correct.

And sorry for my errant post earlier.

Mike

Hello all.

It is possible to add new lines to numbered ACLs in later releases of code. The output below was on a router running 12.4(21).

R1#config t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#access-list 99 permit 192.168.1.0 0.0.0.255
R1(config)#access-list 99 permit 192.168.9.0 0.0.0.255
R1(config)#access-list 99 permit 172.17.1.0 0.0.0.255
R1(config)#access-list 99 permit 172.17.3.0 0.0.0.255
R1(config)#access-list 99 permit 192.168.6.0 0.0.0.255
R1(config)#access-list 99 deny any
R1(config)#do show access-list 99
Standard IP access list 99
    10 permit 192.168.1.0, wildcard bits 0.0.0.255
    20 permit 192.168.9.0, wildcard bits 0.0.0.255
    30 permit 172.17.1.0, wildcard bits 0.0.0.255
    40 permit 172.17.3.0, wildcard bits 0.0.0.255
    50 permit 192.168.6.0, wildcard bits 0.0.0.255
    60 deny any
R1(config)#ip access-list standard 99
R1(config-std-nacl)#55 permit 192.168.11.0 0.0.0.255
R1(config-std-nacl)#do show access-list
Standard IP access list 99
    10 permit 192.168.1.0, wildcard bits 0.0.0.255
    20 permit 192.168.9.0, wildcard bits 0.0.0.255
    30 permit 172.17.1.0, wildcard bits 0.0.0.255
    40 permit 172.17.3.0, wildcard bits 0.0.0.255
    50 permit 192.168.6.0, wildcard bits 0.0.0.255
    55 permit 192.168.11.0, wildcard bits 0.0.0.255
    60 deny any
R1(config-std-nacl)#

Simon

That's a named access-list. It just so happens you named it '99'.

Hello Srue.

No, it isn't. If you look at how I configured it, I used 'access-list 99' and not 'ip access-list standard 99'.

You can try it yourself if you still need convincing. Also, a simple Google search shows pages which back up my configuration:

http://blog.internetworkexpert.com/2008/01/03/editing-numbered-access-lists-on-the-fly/

Simon
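To make the point of Simon's demonstration concrete without a router, here is an added Python example (not from this thread or from Cisco) that parses the thread's own "show access-list 99" output into ACEs and evaluates a source address against them first-match, the way IOS does. It then emulates the two ways of adding the 192.168.11.0/24 permit: inserting it at sequence 55 through `ip access-list standard 99` (what Simon did), and appending it the way a plain `access-list 99 permit ...` line would, which this example assumes lands at the next sequence number after the existing `deny any` (the append behaviour is an assumption of the example, not something the thread shows). The ACL text and test addresses are constructed from the thread's values.

```python
# Added example: a first-match evaluator for Cisco-style standard ACLs.
# Not code from the thread; the ACL text below is constructed from the
# "show access-list 99" output posted above.
import ipaddress
import re

SHOW_99 = """Standard IP access list 99
    10 permit 192.168.1.0, wildcard bits 0.0.0.255 (31 matches)
    20 permit 192.168.9.0, wildcard bits 0.0.0.255
    30 permit 172.17.1.0, wildcard bits 0.0.0.255 (29 matches)
    40 permit 172.17.3.0, wildcard bits 0.0.0.255 (41 matches)
    50 permit 192.168.6.0, wildcard bits 0.0.0.255 (29 matches)
    60 deny any (150 matches)
"""

# Matches "<seq> permit|deny any" or "<seq> permit|deny <net>, wildcard bits <wc>"
# (trailing "(N matches)" is ignored because re.match only anchors the prefix).
ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+"
    r"(?:(?P<any>any)|(?P<net>\d+\.\d+\.\d+\.\d+)"
    r"(?:,\s*wildcard bits\s+(?P<wc>\d+\.\d+\.\d+\.\d+))?)"
)


def parse_show_output(text):
    """Turn 'show access-list' lines into (seq, action, net_int, wildcard_int)
    tuples, sorted by sequence number (IOS evaluates in that order)."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue  # header line or unrelated text
        if m.group("any"):
            net, wc = 0, 0xFFFFFFFF  # every bit is "don't care"
        else:
            net = int(ipaddress.IPv4Address(m.group("net")))
            # A host entry without a wildcard means 0.0.0.0 (exact match).
            wc = int(ipaddress.IPv4Address(m.group("wc") or "0.0.0.0"))
        aces.append((int(m.group("seq")), m.group("action"), net, wc))
    return sorted(aces, key=lambda a: a[0])


def insert_ace(aces, seq, action, network, wildcard):
    """Emulate 'ip access-list standard <n>' + '<seq> <action> <net> <wc>':
    the ACE is placed by its sequence number, not appended at the end."""
    if any(a[0] == seq for a in aces):
        raise ValueError(f"sequence {seq} already in use")
    net = int(ipaddress.IPv4Address(network))
    wc = int(ipaddress.IPv4Address(wildcard))
    return sorted(aces + [(seq, action, net, wc)], key=lambda a: a[0])


def append_ace(aces, action, network, wildcard):
    """Assumed behaviour of a plain 'access-list <n> <action> ...' line on an
    existing list: the ACE goes after the last one (here: last seq + 10)."""
    next_seq = (aces[-1][0] + 10) if aces else 10
    return insert_ace(aces, next_seq, action, network, wildcard)


def evaluate(aces, src):
    """First matching ACE wins. A wildcard bit of 1 means 'don't care', so
    src matches when (src XOR net) has no 1-bits where the wildcard has 0-bits.
    Returns (action, seq); the implicit end-of-list deny is reported as seq None."""
    s = int(ipaddress.IPv4Address(src))
    for seq, action, net, wc in aces:
        care_mask = ~wc & 0xFFFFFFFF
        if ((s ^ net) & care_mask) == 0:
            return action, seq
    return "deny", None


def demo():
    """Compare inserting at seq 55 with appending after the 'deny any'."""
    before = parse_show_output(SHOW_99)
    inserted = insert_ace(before, 55, "permit", "192.168.11.0", "0.0.0.255")
    appended = append_ace(before, "permit", "192.168.11.0", "0.0.0.255")
    return {
        "before": evaluate(before, "192.168.11.5"),      # hits 'deny any' at 60
        "inserted": evaluate(inserted, "192.168.11.5"),  # hits the new 55
        "appended": evaluate(appended, "192.168.11.5"),  # still 60: 70 is shadowed
        "other_net": evaluate(inserted, "10.0.0.1"),     # unrelated source still denied
        "order": [seq for seq, *_ in inserted],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `appended` result is the reason the thread's question matters: an ACE that lands after `deny any` never matches anything, so the router silently keeps dropping the traffic while the configuration looks as if the permit was added. Checking the sequence numbers in `show access-list` after the change, as Simon's second `do show access-list` does, is the quick way to confirm the new line sits where it must.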
