[c-nsp] tclsh and ip access list help
Brandon Bennett
bennetb at gmail.com
Tue Nov 25 19:19:43 EST 2008
On Tue, Nov 25, 2008 at 4:00 PM, a. rahman isnaini r.sutan
<risnaini at indo.net.id> wrote:
> That's the Cisco default: the "no access-list x" command will remove the entire
> access-list x from your config.
> A safe way to avoid being disconnected is to ensure your IP is allowed and to remove the ip
> access-group from the interface before making any change to the ACL in global config.
>
> Or Cisco might be developing a kind of 'sequential' access-list with an
> 'insertable' command :)
>
Named access-lists can do this now. You can even use named access-list
type commands on numbered ACLs.
You can actually achieve this with Cisco's new named access-lists. You can
even use the named access-list commands on numbered ACLs.
For example:
Router(config)# access-list 10 permit 10.0.0.0 0.255.255.255
Router(config)#access-list 10 permit 172.16.0.0 0.0.255.255
Router(config)#access-list 10 remark this is for telnet
Router(config)#access-list 10 deny any log
Router(config)#end
Router#show access-list 10
Standard IP access list 10
10 permit 10.0.0.0, wildcard bits 0.255.255.255
20 permit 172.16.0.0, wildcard bits 0.0.255.255
30 deny any log
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip access-list standard 10
Router(config-std-nacl)#25 permit 192.168.0.0 0.0.0.255
Router(config-std-nacl)#end
Router#show access-list 10
Standard IP access list 10
10 permit 10.0.0.0, wildcard bits 0.255.255.255
20 permit 172.16.0.0, wildcard bits 0.0.255.255
25 permit 192.168.0.0, wildcard bits 0.0.0.255
30 deny any log
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip access-list ?
extended Extended Access List
log-update Control access list log updates
logging Control access list logging
resequence Resequence Access List
standard Standard Access List
Router(config)#ip access-list re
Router(config)#ip access-list resequence ?
<1-99> Standard IP access-list number
<100-199> Extended IP access-list number
<1300-1999> Standard IP access-list number (expanded range)
<2000-2699> Extended IP access list number (expanded range)
WORD Access-list name
Router(config)#ip access-list resequence 10 ?
<1-2147483647> Starting Sequence Number
Router(config)#ip access-list resequence 10 10 ?
<1-2147483647> Step to increment the sequence number
Router(config)#ip access-list resequence 10 10 10 ?
<cr>
Router(config)#ip access-list resequence 10 10 10
Router(config)#end
Router#show access-list 10
Standard IP access list 10
10 permit 10.0.0.0, wildcard bits 0.255.255.255
20 permit 172.16.0.0, wildcard bits 0.0.255.255
30 permit 192.168.0.0, wildcard bits 0.0.0.255
40 deny any log
Router#
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml
-Brandon
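
Added example, not part of the original post: a Python sketch that reads `show access-list` output in the format shown above and works out the configuration lines needed to insert a rule ahead of an existing entry, emitting `ip access-list resequence` first when no sequence number is free. The function names `parse_acl` and `plan_insert` and the sample text are constructed for illustration.

```python
import re

# Constructed sample: the first "show access-list 10" output from the post.
SAMPLE = """Standard IP access list 10
 10 permit 10.0.0.0, wildcard bits 0.255.255.255
 20 permit 172.16.0.0, wildcard bits 0.0.255.255
 30 deny any log
"""
HEADER = re.compile(r"^(Standard|Extended) IP access list (\S+)")
ENTRY = re.compile(r"^(\d+)\s+((?:permit|deny)\b.*)$")

def parse_acl(text):
    """Parse 'show access-list' output into (kind, name, [(seq, rule), ...])."""
    kind = name = None
    entries = []
    for line in map(str.strip, text.splitlines()):
        if (h := HEADER.match(line)):
            kind, name = h.group(1).lower(), h.group(2)
        elif (m := ENTRY.match(line)):
            entries.append((int(m.group(1)), m.group(2)))
    if kind is None:
        raise ValueError("no access list header found")
    return kind, name, sorted(entries)

def plan_insert(text, new_rule, before, start=10, step=10):
    """Config-mode lines that put new_rule just ahead of the entry starting with `before`.

    new_rule is in configuration syntax; `before` is matched against the show output.
    """
    kind, name, entries = parse_acl(text)
    idx = next((i for i, (_, r) in enumerate(entries) if r.startswith(before)), None)
    if idx is None:
        raise ValueError(f"no entry starting with {before!r}")
    cmds = []
    hi = entries[idx][0]
    lo = entries[idx - 1][0] if idx else 0
    if hi - lo < 2:
        # No free number between the neighbours: renumber first, as in the post.
        cmds.append(f"ip access-list resequence {name} {start} {step}")
        hi = start + idx * step
        lo = hi - step if idx else 0
        if hi - lo < 2:
            raise ValueError("start/step leave no room for an insert")
    seq = lo + (hi - lo) // 2
    return cmds + [f"ip access-list {kind} {name}", f"{seq} {new_rule}"]

if __name__ == "__main__":
    print("\n".join(plan_insert(SAMPLE, "permit 192.168.0.0 0.0.0.255", "deny any")))
```

Because the new entry is placed by sequence number, the list stays applied to the interface throughout and the trailing `deny any log` remains last.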