Access List

anitachoi3
Level 1

Hi

We have an access list and it is over 100 commands. Can we have a simple way to remove one access-list entry from it, or to add one access-list entry in between the others (not at the end of the whole ACL)?

Thank you

2 Accepted Solutions


Edison Ortiz
Hall of Fame

Yes, you can use named ACLs instead of numbered ACLs.

Example,

Rack1R2#sh run | sec ip access
ip access-list extended anita
permit ip any 192.168.1.0 0.0.0.255
permit ip any 192.168.2.0 0.0.0.255
permit ip any 192.168.3.0 0.0.0.255
permit ip any 192.168.4.0 0.0.0.255

Now, let's say I want to have an entry between 192.168.3.0 and 192.168.4.0

Rack1R2#show ip acces
Extended IP access list anita
10 permit ip any 192.168.1.0 0.0.0.255
20 permit ip any 192.168.2.0 0.0.0.255
30 permit ip any 192.168.3.0 0.0.0.255
40 permit ip any 192.168.4.0 0.0.0.255

Rack1R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rack1R2(config)#ip access-list extended anita
Rack1R2(config-ext-nacl)#35 deny ip any 192.168.4.0 0.0.0.31
Rack1R2(config-ext-nacl)#do show ip acce
Extended IP access list anita
10 permit ip any 192.168.1.0 0.0.0.255
20 permit ip any 192.168.2.0 0.0.0.255
30 permit ip any 192.168.3.0 0.0.0.255
35 deny ip any 192.168.4.0 0.0.0.31
40 permit ip any 192.168.4.0 0.0.0.255

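The sequence-number technique from the answer above as a small planner script (an added example, not code from the thread or from Cisco): it parses a constructed `show ip access-lists` listing, picks a free sequence number between two neighbouring entries, and, going beyond the post, falls back to `ip access-list resequence` when no gap is left; `no <seq>` covers the removal half of the question. The ACL name and rules are the thread's own; the helper names are assumptions.

```python
import re

# Constructed sample in the format of `show ip access-lists` on IOS (the thread's ACL).
SAMPLE = """Extended IP access list anita
    10 permit ip any 192.168.1.0 0.0.0.255
    20 permit ip any 192.168.2.0 0.0.0.255
    30 permit ip any 192.168.3.0 0.0.0.255
    40 permit ip any 192.168.4.0 0.0.0.255
"""

ENTRY_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(.*)$")

def parse_acl(text):
    """Return (acl_name, [(seq, 'permit|deny ...'), ...]) from the listing."""
    lines = text.strip().splitlines()
    name = lines[0].split()[-1]
    entries = []
    for line in lines[1:]:
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), f"{m.group(2)} {m.group(3).strip()}"))
    return name, entries

def plan_insert(text, after_seq, rule):
    """Config commands that place `rule` directly after entry `after_seq`.
    ACLs are first-match, so the new ACE must sit before the entry it narrows."""
    name, entries = parse_acl(text)
    seqs = [s for s, _ in entries]
    if after_seq not in seqs:
        raise ValueError(f"no entry {after_seq} in {name}")
    idx = seqs.index(after_seq)
    cmds = []
    nxt = seqs[idx + 1] if idx + 1 < len(seqs) else after_seq + 20
    if nxt - after_seq < 2:
        # No free number between the neighbours: renumber 10, 20, 30 ... first.
        cmds.append(f"ip access-list resequence {name} 10 10")
        seqs = [10 * (i + 1) for i in range(len(seqs))]
        after_seq, nxt = seqs[idx], seqs[idx] + 10
    new_seq = (after_seq + nxt) // 2
    cmds += [f"ip access-list extended {name}", f"{new_seq} {rule}"]
    return cmds

def plan_remove(text, seq):
    """Delete one ACE in place; the list and its interface binding stay, unlike
    `no access-list N`, which on classic IOS leaves the interface unfiltered until re-created."""
    name, entries = parse_acl(text)
    if seq not in [s for s, _ in entries]:
        raise ValueError(f"no entry {seq} in {name}")
    return [f"ip access-list extended {name}", f"no {seq}"]
```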

keller.oliver
Level 1

Oldschool : Work with an editor

Just edit some textfile offline and then paste it to the session you have with the machine.

For example if you have ACL 101, then the text would look like :

! clear the existing ACL 101
no access-list 101
! new ACL rules 101
access-list 101 permit x
access-list 101 permit y
access-list 101 deny z
...
!
END
!

If you're in config mode and transfer that, the existing ACL is cleared and instantly filled with the new rules. Plus, it's more convenient to do cut, copy and paste in an external editor compared to even named ACLs, so you have a better view on what you're doing.

Just my two cents ;)

Beware :

Extended IP ACL : access-list [nr] ....

Named IP ACL : ip access-list extended [name]

It's easy to forget the "ip" when you're too familiar with the "numbered ACL" version ;)

