Today in this post we will see how to add, remove and resequence entries in an ACL.
So we have an existing ACL named techstuff.
Let's check this ACL.
R1#sh ip access-lists techstuff
Extended IP access list techstuff
10 permit ip 10.0.0.0 0.0.0.255 any
20 permit ip 20.0.0.0 0.0.0.255 any
30 permit ip 30.0.0.0 0.0.0.255 any
40 permit ip 40.0.0.0 0.0.0.255 any
50 permit ip 50.0.0.0 0.0.0.255 any
Now we need to deny host 20.1.1.1 in the ACL.
Since an ACL is evaluated top down and the first matching entry wins, the deny has to go in before the entry with sequence number 20 (the permit for 20.0.0.0/24), otherwise it would never be reached.
R1(config)#ip access-list extended techstuff
R1(config-ext-nacl)#15 deny ip host 20.1.1.1 any
R1(config-ext-nacl)#do sh ip access-list techstuff
Extended IP access list techstuff
10 permit ip 10.0.0.0 0.0.0.255 any
15 deny ip host 20.1.1.1 any <--------------- New entry
20 permit ip 20.0.0.0 0.0.0.255 any
30 permit ip 30.0.0.0 0.0.0.255 any
40 permit ip 40.0.0.0 0.0.0.255 any
50 permit ip 50.0.0.0 0.0.0.255 any
Now let's see how to remove an entry.
R1(config)#ip access-list extended techstuff
R1(config-ext-nacl)#no 40
R1(config-ext-nacl)#do sh ip access-list techstuff
Extended IP access list techstuff
10 permit ip 10.0.0.0 0.0.0.255 any
15 deny ip host 20.1.1.1 any
20 permit ip 20.0.0.0 0.0.0.255 any
30 permit ip 30.0.0.0 0.0.0.255 any
50 permit ip 50.0.0.0 0.0.0.255 any
Here we can see the start sequence number is still 10, but the intervals between the entries are no longer even.
Let's make the interval 10 again.
R1(config)#ip access-list ?
extended Extended Access List
log-update Control access list log updates
logging Control access list logging
resequence Resequence Access List
standard Standard Access List
R1(config)#ip access-list reseque
R1(config)#ip access-list resequence ?
<1-99> Standard IP access-list number
<100-199> Extended IP access-list number
<1300-1999> Standard IP access-list number (expanded range)
<2000-2699> Extended IP access list number (expanded range)
WORD Access-list name
R1(config)#ip access-list resequence techstuff ?
<1-2147483647> Starting Sequence Number
R1(config)#ip access-list resequence techstuff 10 ?
<1-2147483647> Step to increment the sequence number
R1(config)#ip access-list resequence techstuff 10 10
R1(config)#^Z
R1#sh ip access-list techstuff
Extended IP access list techstuff
10 permit ip 10.0.0.0 0.0.0.255 any
20 deny ip host 20.1.1.1 any
30 permit ip 20.0.0.0 0.0.0.255 any
40 permit ip 30.0.0.0 0.0.0.255 any
50 permit ip 50.0.0.0 0.0.0.255 any
Hope you guys find this blog informative and useful!!!
Thanks!!!!
Very informative article on real-time usage of ACLs.