2500 router for access-lists

fernando_paul
Level 1

Hi all,

I am just trying to understand the access-lists on a 2500 router. After typing the command sh access-lists, I've noticed "standard access list 1", 2, 3, 10, 11, 12 and 90. I don't understand why these access list numbers are set or what they mean, and would like some help with understanding this concept.

Also, do the wildcard bits signify the subnet mask of that network address? Thanks in advance...

3 Replies

svermill
Level 4

If you do a search on CCO you will get more information about access lists than you ever wanted. The fact that those numbers exist means that someone explicitly assigned them on your router at some point. All access lists numbered from 1 to 99 are "standard." They are meaningless by themselves. They only have significance when associated with an interface.

The wildcard mask is somewhat opposite of a subnet mask. A zero in the wildcard mask means that this part of the address must match exactly for a condition to be met. Ones in the wildcard mask mean "don't consider."

10.1.1.1 and 10.254.254.254 both match 10.0.0.0 0.255.255.255 but neither matches 10.0.0.0 0.0.0.0.
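The two rules above, put into code as an added example (not from the thread): an address matches an entry only in the bit positions where the wildcard has a 0, the wildcard for a prefix length is the inverse of the subnet mask, and a standard list is walked top to bottom with first match wins and an implicit deny at the end. The addresses are the ones used in this thread.

```python
import ipaddress


def wildcard_from_prefix(prefix_len: int) -> str:
    """Dotted wildcard mask for an IPv4 /prefix_len network.

    The wildcard is the bitwise inverse of the subnet mask:
    0 bits must match exactly, 1 bits are "don't consider".
    """
    net = ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}")
    return str(net.hostmask)


def matches(address: str, acl_network: str, wildcard: str) -> bool:
    """True if `address` satisfies the ACL entry '<acl_network> <wildcard>'."""
    a = int(ipaddress.IPv4Address(address))
    n = int(ipaddress.IPv4Address(acl_network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF  # bit positions where the wildcard is 0
    return (a & care) == (n & care)


def standard_acl_action(address: str, entries) -> str:
    """Evaluate a standard ACL: first matching entry wins, implicit deny at the end.

    `entries` is a list of (action, network, wildcard) tuples in list order.
    """
    for action, network, wildcard in entries:
        if matches(address, network, wildcard):
            return action
    return "deny"


if __name__ == "__main__":
    # The pair of examples from the reply above
    print(matches("10.1.1.1", "10.0.0.0", "0.255.255.255"))   # True
    print(matches("10.254.254.254", "10.0.0.0", "0.0.0.0"))   # False

    # The /26 network from the follow-up question, and what each wildcard admits
    print(wildcard_from_prefix(26))                            # 0.0.0.63
    acl_26 = [("permit", "172.35.45.0", "0.0.0.63")]
    acl_24 = [("permit", "172.35.45.0", "0.0.0.255")]
    print(standard_acl_action("172.35.45.70", acl_26))         # deny (host outside /26)
    print(standard_acl_action("172.35.45.70", acl_24))         # permit
```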

Great!! Thanks for that.

Last question...

If I have a network address that I need to allow access into us and out to them, say for example 172.35.45.0/26, would the command be 'access-list 20 permit 172.35.45.0 0.0.0.255'? Also, if I need to remove that statement, what command can I use? If I use 'no access-list 20' it will remove that entire access list and group... There are no more commands after that one to remove the single individual access-list entry that I've just inserted. Is there a way to do this on the 2500 router? This is in case the access addition does not work properly and I need to remove it from running-config.

Thanks again...

If you want to remove a single access-list statement from an access-list group, you will have to remove the entire group, and re-add it without the statement you want removed. This is an IOS feature and is not specific to the 2500 series router.

The easiest way to accomplish this is to do a "show running-config", locate the access-list group in question, and copy it to a text editor like Notepad. Then issue the no access-list # command to remove the access-list from the running-config. Next, in your text editor, edit the access-list group to make the necessary changes, copy the new version back into memory, and paste it back into your running-config.

Don't forget to do a "copy running-config startup-config" after you've tested your new statements!

Good luck!

Matt
