ACLs insertion and management on 837.

Discussion in 'Cisco' started by AM, Jan 8, 2005.

  1. AM

    AM Guest

    Hi all,

    I noticed that if I have this ACL


    access-list 23 permit 123.456.789.101
    access-list 23 permit 102.34.24.67
    access-list 23 deny any

    and I tried to delete "access-list 23 permit 102.34.24.67" but 837 deletes all the 23 ACL.
    I mean it seems that any "no access-list 23 ..." deletes all items of ACL 23.
    Should I have to cut the ACL, modify it and then paste back to the router?
    Can I manage the ACL specifying the line?

    What about the several ranges of ACLs on my 837?

    <1-99> IP standard access list
    <100-199> IP extended access list
    <1100-1199> Extended 48-bit MAC address access list
    <1300-1999> IP standard access list (expanded range)
    <200-299> Protocol type-code access list
    <2000-2699> IP extended access list (expanded range)
    <700-799> 48-bit MAC address access list

    Have they different syntax? So the number 23 doesn't allow the use of line parameter?

    Thanks,

    Alex.
    AM, Jan 8, 2005
    #1

  2. AM

    AM Guest

    AM wrote:

    > Hi all,
    >
    > I noticed that if I have this ACL
    >
    >
    > access-list 23 permit 123.456.789.101
    > access-list 23 permit 102.34.24.67
    > access-list 23 deny any
    >
    > and I tried to delete "access-list 23 permit 102.34.24.67" but 837
    > deletes all the 23 ACL.
    > I mean it seems that any "no access-list 23 ..." deletes all items of ACL
    > 23.
    > Should I have to cut the ACL, modify it and then paste back to the router?
    > Can I manage the ACL specifying the line?
    >
    > What about the several ranges of ACLs on my 837?
    >
    > <1-99> IP standard access list
    > <100-199> IP extended access list
    > <1100-1199> Extended 48-bit MAC address access list
    > <1300-1999> IP standard access list (expanded range)
    > <200-299> Protocol type-code access list
    > <2000-2699> IP extended access list (expanded range)
    > <700-799> 48-bit MAC address access list
    >
    > Have they different syntax? So the number 23 doesn't allow the use of
    > line parameter?
    >
    > Thanks,
    >
    > Alex.


    Sorry, I use ACL no. 23 to permit/allow ssh-telnet sessions to the router. I have an ACL 111
    applied on the Dialer interface that permits incoming traffic on port 22, not 23. Consider this
    extra information.

    Alex.
    AM, Jan 8, 2005
    #2

  3. In article <fwRDd.380368$>, AM <> wrote:
    :I noticed that if I have this ACL

    :access-list 23 permit 123.456.789.101
    :access-list 23 permit 102.34.24.67
    :access-list 23 deny any

    :and I tried to delete "access-list 23 permit 102.34.24.67" but 837 deletes all the 23 ACL.
    :I mean it seems that any "no access-list 23 ..." deletes all items of ACL 23.

    That is correct.

    :Should I have to cut the ACL, modify it and then paste back to the router?

    Not if the ACL might be affecting your connection to the device: you
    don't want to end up with an intermediate ACL in effect that locks
    you out because the paste of the 'permit' statement that lets you
    in wasn't the very first thing in the list. When you paste in ACL
    entries, they take effect immediately, one by one as you paste them.

    To avoid that, you can copy the ACL, put the modified version in
    a file, and tftp the file into the running-config: tftp'd configurations
    are completely read by IOS before being acted on.

    There are other strategies as well. I've described them in the past.

    :Can I manage the ACL specifying the line?

    Someone, I think it was Hansang, recently posted a tip that even
    if the ACL was created as a standard or extended ACL, you could
    treat it as a named ACL whose name was the ACL number. When you are
    working with named ACLs, there -are- facilities to edit in the middle.


    :What about the several ranges of ACLs on my 837?

    : <1-99> IP standard access list

    Pure layer 3. No protocols or port specifications allowed.

    : <100-199> IP extended access list

    Layer 4 -- you can specify protocols and ports.

    : <1100-1199> Extended 48-bit MAC address access list

    Only usable on bridged ports or ports doing layer 2 switching.
    An exception might be the new layer 2 filtering facilities on the
    2950/3550/3750 family.

    : <1300-1999> IP standard access list (expanded range)

    99 standard ACLs (#1 - #99) sometimes isn't enough.

    : <200-299> Protocol type-code access list

    Not sure when that would be used.

    : <2000-2699> IP extended access list (expanded range)

    100 extended ACLs (#100-#199) sometimes isn't enough.

    : <700-799> 48-bit MAC address access list

    Also only usable on bridge ports or layer 2 switching.


    :Have they different syntax? So the number 23 doesn't allow the use of line parameter?

    You need to use a -named- ACL for that purpose [unless Cisco got
    around to putting the functionality into 12.3T somewhere.]. You work with
    named ACLs via the 'ip access-list' command instead of the usual
    'access-list' command (with no 'ip' prefix.)
    See, e.g.,

    http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801f0304.html

    for some ways to work with named ACLs.
    --
    Disobey all self-referential sentences!
    Walter Roberson, Jan 8, 2005
    #3
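
The in-place edit described in post #3, as an added example that is not part of the original thread: it removes one entry from ACL 23 through named-ACL mode instead of deleting and re-pasting the list. It assumes an IOS release that accepts a numbered ACL under 'ip access-list', as the tip in the post says; the 'reload in' timer is an added safeguard against the lockout the post warns about, and the prompts are constructed.

```cisco
! Added example; prompts and the hostname "Router" are constructed.
! Safety net: if the edit locks you out, the router reloads in 10 minutes
! and comes back with the unchanged startup-config. Do not save the
! running-config until access has been confirmed.
Router# reload in 10
!
Router# configure terminal
! Open numbered ACL 23 in named-ACL mode (the name is the ACL number).
Router(config)# ip access-list standard 23
! Remove only this one entry; the other permit and the deny stay in place.
Router(config-std-nacl)# no permit 102.34.24.67
Router(config-std-nacl)# end
!
! Check the result, then confirm that a new ssh/telnet session still
! opens from a permitted address before cancelling the timer.
Router# show access-lists 23
Router# reload cancel
```

Because the list is never emptied, there is no intermediate state in which the management permit is missing.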