[c-nsp] How to add new rule in the same access-list

E. Versaevel erik at infopact.nl
Thu Feb 5 07:10:04 EST 2009


Garry schreef:
> Seth Mattinen wrote:
>> Deric Kwok wrote:
>>   
>>> Hi
>>>
>>> I have old rule in the switch but don't know how to add new rule in the same
>>> access-list
>>>
>>> When I add new deny rule, it will be put at the end of the access-list
>>>
>>> If I remove the access-list 140, I have to re-type all lines again.
>>>
>>>     
>> That's correct. You need to remove and recreate it in the correct order
>> lacking sequences.
>>   
> Not necessarily, you can always do a "show access-list 140", you'll get
> a numbered list of rules. Then you can delete single lines by doing
> something like this:
> 
> conf t
> ip access-list extended 140
> no 30                <-- if the line you want to get rid of is #30
> 30 permit ...      <-- of course you can add a new #30
> 31 permit ...      <-- or insert additional lines ...
> 32 deny ...         <-- ditto
> 
> AFAIK, the numbering stays constant until the next router reload
> ...then, it is "renumbered" internally to use the 10-20-30... distance
> for every line ... (if anybody knows a way to renumber w/o rebooting,
> please let me know)
> 

Time to read back a bit :)

Cisco has 2 kinds of access-lists, the 'old' numbered access-lists

access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 deny ip any any

These cannot be edited other than by deleting them and recreating the modified access-list (which might result in blackholing yourself if you delete the
access-list without removing it from the interfaces ;) as a non-existing access-list on an interface equals deny any any)

The 2nd kind of access-list is the ip access-list; these have sequence numbers and thus provide a way to insert/remove single entries from these lists.
The sequence numbers are reset after a router reload or can be resequenced by hand (ip access-list resequence list_name 10 10).
So in order to insert an entry in an ip access-list you need to know the available sequence numbers. If you issue a show ip access-list you'll get an
overview of the access-lists (and sequence numbers).



Erik Versaevel
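As an added walk-through of the in-place edit described above (constructed for this page, not output posted by anyone in the thread): a deny for one host is inserted ahead of an existing permit in access-list 140 using a free sequence number, and the list is then resequenced without a reload. The addresses, the hostname "Router" and the existing entries are assumed sample values.

```cisco
! Step 1: look at the current entries and their sequence numbers.
Router# show ip access-lists 140
Extended IP access list 140
    10 permit tcp 192.0.2.0 0.0.0.255 any eq 22
    20 permit ip 192.0.2.0 0.0.0.255 any
    30 deny ip any any

! Step 2: insert the new deny at 15, i.e. before the broad permit at 20.
! Typing "deny ..." with no number would append it after 30, where the
! permit at 20 has already matched the traffic and the deny never fires.
Router# configure terminal
Router(config)# ip access-list extended 140
Router(config-ext-nacl)# 15 deny ip host 192.0.2.77 any
Router(config-ext-nacl)# end

Router# show ip access-lists 140
Extended IP access list 140
    10 permit tcp 192.0.2.0 0.0.0.255 any eq 22
    15 deny ip host 192.0.2.77 any
    20 permit ip 192.0.2.0 0.0.0.255 any
    30 deny ip any any

! Step 3: once the gaps between numbers are used up, renumber in steps
! of 10 (start 10, increment 10). The list stays applied to the
! interface throughout, so there is no moment at which the interface
! runs without it, unlike the delete-and-retype approach.
Router# configure terminal
Router(config)# ip access-list resequence 140 10 10
Router(config)# end

Router# show ip access-lists 140
Extended IP access list 140
    10 permit tcp 192.0.2.0 0.0.0.255 any eq 22
    20 deny ip host 192.0.2.77 any
    30 permit ip 192.0.2.0 0.0.0.255 any
    40 deny ip any any
```

Check the ordering with show ip access-lists after each change, since a rule placed after a broader permit is silently ineffective.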

