Cisco Support Community
Cisco Employee

What's the proper behavior of Standard ACLs?

Hi, I have a question regarding the Standard ACL.

If I have 1000 lines of ACEs in a standard ACL, and I remove one ACE from the standard ACL, should this ACL be completely gone? Or should we have the rest of the 999 ACEs still there?

Thanks!

5 REPLIES
Hall of Fame Super Gold

Re: What's the proper behavior of Standard ACLs?

How did you remove your ACL?  The safest method is to copy your ACLs to a Notepad/Wordpad and remove the line(s) and then cut-n-paste it back to the appliance.

Cisco Employee

Re: What's the proper behavior of Standard ACLs?

Say I have configured:

access-list 10 deny 130.0.0.1
access-list 10 deny 120.0.0.1
access-list 10 deny 130.0.1.1
access-list 10 permit any

Then I want to remove the first ACE,

if I do a "no access-list 10 deny   130.0.0.1", it will remove all 4 ACEs, the access-list is completely gone.

Is this expected? Should we have at least the other 3 ACEs left?

Thanks!

Hall of Fame Super Gold

Re: What's the proper behavior of Standard ACLs?

If you have access-list 10 and 20, for instance, and when you issue the command "no access-list 10", it will wipe out all access-list 10 only.  Access-list 20 will be left behind.

Cisco Employee

Re: What's the proper behavior of Standard ACLs?

So I can't just remove the first ACE of this ACL 10? I want to keep the rest of the ACEs in ACL 10 untouched.

Do you mean I should use a different number for each rule?

The second statement for access list 10 will not overwrite the first statement of access list 10; they will coexist.

But removing the 1st statement of access list 10 will remove all statements regarding access list 10?

Thanks!

Hall of Fame Super Gold

Re: What's the proper behavior of Standard ACLs?

Ok.  So you want to remove ONE (or more) selected offending line from your ACL.  Let's take your example:


access-list 10 deny 130.0.0.1
access-list 10 deny 120.0.0.1
access-list 10 deny 130.0.1.1
access-list 10 permit  any


Let's say you want to remove "access-list 10 deny 130.0.1.1".  Cut-n-paste your original ACL into a Wordpad or Notepad and you'll wind up with something like this:

conf t
no access-list 10
access-list 10 deny 130.0.0.1
access-list 10 deny 120.0.0.1
access-list 10 permit  any
end
wr


Cut-n-paste everything back into your ACE.
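
The rebuild-and-paste procedure from the last reply can be scripted. The following is an added example, not part of the original thread or any Cisco tooling: the function name `rebuild_without`, the sample ACL 100 line and the refusal to emit an empty ACL are assumptions of this example.

```python
import re

# One numbered ACL line: "access-list <number> <rest of the ACE>"
ACE_RE = re.compile(r"^access-list\s+(\d+)\s+(.+?)\s*$")

def norm(text):
    """Collapse runs of whitespace so 'deny   130.0.0.1' equals 'deny 130.0.0.1'."""
    return " ".join(text.split())

def rebuild_without(config_text, acl_number, ace_to_remove):
    """Return the lines to paste: delete the whole ACL, then re-add all but one ACE.

    ace_to_remove is the part after the ACL number, e.g. 'deny 130.0.1.1'.
    """
    target = norm(ace_to_remove)
    kept, removed = [], 0
    for line in config_text.splitlines():
        m = ACE_RE.match(line.strip())
        # Compare the number as a whole token, so ACL 10 never matches ACL 100.
        if not m or int(m.group(1)) != acl_number:
            continue
        ace = norm(m.group(2))
        if ace == target:
            removed += 1
        else:
            kept.append(f"access-list {acl_number} {ace}")  # original order kept
    if removed == 0:
        raise ValueError(f"ACE {target!r} not found in access-list {acl_number}")
    if not kept:
        # Choice made in this example: never emit a rebuild that leaves no entries.
        raise ValueError("removing this ACE would leave the ACL with no entries")
    return ["conf t", f"no access-list {acl_number}", *kept, "end", "wr"]

# Constructed sample: the thread's ACL 10 plus a hypothetical ACL 100 that must stay out.
SAMPLE = """\
access-list 10 deny   130.0.0.1
access-list 10 deny 120.0.0.1

access-list 10 deny   130.0.1.1

access-list 10 permit  any
access-list 100 permit ip any any
"""

if __name__ == "__main__":
    print("\n".join(rebuild_without(SAMPLE, 10, "deny 130.0.1.1")))
```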
