ACL

aksher
Level 1

The procedure to add a new entry in an access list:

1) no access-list dmz deny ip any any

(make changes)

or

2) if there is no entry "access-list dmz deny ip any any"

then can use no access-list dmz deny ip any any

(make changes)

or compile the whole ACL

1 Reply

jackko
Level 7

assuming you just want to add a new entry at the end of an acl, you don't really need to unapply and remove the entire acl.

e.g.

router(config)#do sh run | in access-list 155
access-list 155 permit icmp any any
access-list 155 permit esp any any
router(config)#access-list 155 permit gre any any
EGMNSWSYDR01(config)#do sh run | in access-list 155
access-list 155 permit icmp any any
access-list 155 permit esp any any
access-list 155 permit gre any any

however, as you already know, acl works in order. in other words, if there is a deny statement that has a higher order in the acl, you may need to unapply and remove the entire acl in order to make changes.

an alternative is to use extended acl, which lets you specify each entry with a sequence number.

e.g.

router(config-ext-nacl)#do sh access-l test
Extended IP access list test
10 permit icmp any any
30 permit gre any any
router(config-ext-nacl)#20 permit esp any any
router(config-ext-nacl)#do sh access-l test
Extended IP access list test
10 permit icmp any any
20 permit esp any any
30 permit gre any any
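The ordering problem jackko describes, modelled as an added Python example (not from the thread or from Cisco): a first-match ACL with an implicit deny at the end, automatic sequence numbers in steps of 10 when an entry is appended, explicit sequence numbers when one is inserted, and a `shadowed()` check that reports entries which can never match because an earlier line (such as `deny ip any any`) already covers them. It assumes entries of the form `[seq] action proto src dst` with only `any` or a bare address as source/destination, no wildcard masks.

```python
class Acl:
    """Tiny model of an IOS extended ACL: the first matching entry wins and
    an implicit 'deny ip any any' sits at the end.  Only 'any' and bare
    host addresses are modelled, not wildcard masks (assumption)."""

    def __init__(self):
        self.entries = {}  # seq -> (action, proto, src, dst)

    def add(self, line):
        """'permit gre any any' is appended (seq = last + 10, as IOS does);
        '20 permit esp any any' is inserted at that sequence number."""
        parts = line.split()
        if parts[0].isdigit():
            seq, parts = int(parts[0]), parts[1:]
        else:
            seq = max(self.entries, default=0) + 10
        action, proto, src, dst = parts
        self.entries[seq] = (action, proto, src, dst)
        return seq

    def sequence(self):
        return sorted(self.entries)

    @staticmethod
    def _covers(entry, proto, src, dst):
        # 'ip' matches every protocol; 'any' matches every address
        _, e_proto, e_src, e_dst = entry
        return (e_proto in ("ip", proto) and e_src in ("any", src)
                and e_dst in ("any", dst))

    def evaluate(self, proto, src="any", dst="any"):
        """Return 'permit' or 'deny' for a packet, honouring ACL order."""
        for seq in self.sequence():
            if self._covers(self.entries[seq], proto, src, dst):
                return self.entries[seq][0]
        return "deny"  # implicit deny ip any any

    def shadowed(self):
        """Sequence numbers of entries that can never match because an
        earlier entry already covers everything they would match."""
        result, seen = [], []
        for seq in self.sequence():
            _, proto, src, dst = self.entries[seq]
            if any(self._covers(e, proto, src, dst) for e in seen):
                result.append(seq)
            seen.append(self.entries[seq])
        return result
```

Appending `permit gre any any` after an existing `deny ip any any` yields a shadowed entry (the change silently does nothing), whereas inserting it with a lower sequence number takes effect; running `shadowed()` after an edit is a cheap way to catch that before the ACL is applied.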