[c-nsp] access list help and best way to do access-list
lee.e.rian at census.gov
Sat Nov 1 11:00:52 EDT 2008
>1/ how can I prevent it from happening?
line vty 0 4
no access-class 20 in
>2/ What is the best way to do the access-list in "line vty"?
How perfect can you be? <grin> If you aren't going to make any mistakes,
create a file on a tftp server that has the
no access-list 20
access-list 20 ...
access-list 20 ...
and do a conf net to get the changes applied.
If you make typos as often as I do, remove the access list from the vty,
recreate the access list and, if there are no mistakes, reapply the access
list:
line vty 0 4
no access-class 20 in
no access-list 20
access-list 20 ...
access-list 20 ...
line vty 0 4
access-class 20 in
Even better is using a different access list number. I don't bother for
vtys, but on our ISP link I alternate between access list numbers:
no access-list 21
access-list 21 ...
access-list 21 ...
line vty 0 4
access-class 21 in
>3/ Is it good to use log in access-list?
>Not sure how busy the router is?
It is extra overhead... but it's also a real easy way to see what's being
blocked. Just be sure that the console logging level is low enough so that
stuff doesn't get logged to the console. I like "no logging console" - but
I watch the logs from a syslog server, so YMMV
Regards,
Lee
-----adrian kok wrote: -----
>Hi
>
>I have this original access-list in running config
>
>access-list 20 deny 192.168.0.0
>access-list 20 permit any
>line vty 0 4
>access-class 20 in
>
>
>
>and want to change to add log "access-list 20 deny
>192.168.0.0 0.0.0.255 log"
>
>When I change
>router(config)#access-list 20 deny 192.168.0.0
>0.0.0.255 log
>I realize it can't be changed and have to use "no"
>router(config)#no access-list 20 deny 192.168.0.0
>0.0.0.255
>
>
>
>When I used this command, I almost lost the connection
>from anywhere.
>
>My questions
>
>1/ how can I prevent it from happening?
>
>2/ What is the best way to do the access-list in "line
>vty"?
>
>3/ Is it good to use log in access-list?
>Not sure how busy the router is?
>
>thank you
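As an added illustration (not code from Lee, adrian or the list), a small Python helper that evaluates a numbered standard ACL the way IOS does (first match wins, implicit deny at the end) and only emits Lee's alternate-number swap sequence when the new list still permits the address you are managing from; the ACL entries and the address 10.1.1.1 are constructed samples, and the trailing removal of the old list number is my addition, not something Lee's snippet shows.

```python
import ipaddress

# Constructed sample: the list the original poster wanted to end up with.
NEW_ACL = [
    "access-list 20 deny 192.168.0.0 0.0.0.255 log",
    "access-list 20 permit any",
]

def _ip_int(text):
    return int(ipaddress.IPv4Address(text))

def parse_std_acl_line(line):
    """Return (number, action, address, wildcard) for a numbered standard ACL entry."""
    parts = line.split()  # access-list <n> <permit|deny> <any|host A|A [W]> [log]
    number, action, target = int(parts[1]), parts[2], parts[3]
    if target == "any":
        return number, action, 0, 0xFFFFFFFF
    if target == "host":
        return number, action, _ip_int(parts[4]), 0
    wildcard = parts[4] if len(parts) > 4 and parts[4] != "log" else "0.0.0.0"
    return number, action, _ip_int(target), _ip_int(wildcard)

def std_acl_decision(acl_lines, source_ip):
    """First match wins; no match means the implicit deny at the end of the list."""
    src = _ip_int(source_ip)
    for line in acl_lines:
        _, action, addr, wildcard = parse_std_acl_line(line)
        # IOS wildcard bits set to 1 are "don't care", so compare only the 0 bits
        if ((src ^ addr) & ~wildcard & 0xFFFFFFFF) == 0:
            return action
    return "deny"

def safe_vty_acl_swap(current_number, new_entries, admin_source_ip, vty="line vty 0 4"):
    """Command sequence for the alternate-number method: build the new list under
    the other number, move access-class to it, then delete the old list (my
    addition; it is no longer referenced). Refuses to emit anything that would
    deny the address you are managing the router from."""
    if std_acl_decision(new_entries, admin_source_ip) != "permit":
        raise ValueError(f"new ACL would deny management source {admin_source_ip}")
    new_number = 21 if current_number == 20 else 20
    cmds = [f"no access-list {new_number}"]
    for line in new_entries:
        cmds.append(f"access-list {new_number} {' '.join(line.split()[2:])}")
    cmds += [vty, f"access-class {new_number} in", f"no access-list {current_number}"]
    return cmds
```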