Easy ACL question

Discussion in 'Cisco' started by philbo30, Aug 1, 2007.

  1. philbo30

    philbo30 Guest

    I have the following access list, configured in the router as:

    access-list 1624 permit 10.33.224.0 0.0.0.255
    access-list 1624 permit 172.22.20.0 0.0.0.15
    access-list 1624 permit 10.160.224.0 0.0.0.255

    The "show access-list 1624" command shows:
    Standard IP access list 1624
    10 permit 10.33.224.0, wildcard bits 0.0.0.255 (11389 matches)
    20 permit 172.22.20.0, wildcard bits 0.0.0.15
    30 permit 10.160.224.0, wildcard bits 0.0.0.255 (2515 matches)

    I want to remove the last line, line "30" while leaving the rest of
    the ACL intact.

    What is the command to make this happen?
    philbo30, Aug 1, 2007
    #1

  2. Chris Guest

    On Wed, 01 Aug 2007 13:28:06 -0700, philbo30 wrote:

    > I have the following access list, configured in the router as:
    >
    > access-list 1624 permit 10.33.224.0 0.0.0.255
    > access-list 1624 permit 172.22.20.0 0.0.0.15
    > access-list 1624 permit 10.160.224.0 0.0.0.255
    >
    > The "show access-list 1624" command shows:
    > Standard IP access list 1624
    > 10 permit 10.33.224.0, wildcard bits 0.0.0.255 (11389 matches)
    > 20 permit 172.22.20.0, wildcard bits 0.0.0.15
    > 30 permit 10.160.224.0, wildcard bits 0.0.0.255 (2515 matches)
    >
    > I want to remove the last line, line "30" while leaving the rest of
    > the ACL intact.
    >
    > What is the command to make this happen?


    no access-list 1624
    access-list 1624 permit 10.33.224.0 0.0.0.255
    access-list 1624 permit 172.22.20.0 0.0.0.15

    Chris.
    Chris, Aug 1, 2007
    #2

  3. Peter Guest

    Greetings,

    > access-list 1624 permit 10.33.224.0 0.0.0.255
    > access-list 1624 permit 172.22.20.0 0.0.0.15
    > access-list 1624 permit 10.160.224.0 0.0.0.255


    > I want to remove the last line, line "30" while leaving the rest of
    > the ACL intact.


    Because this is an un-named ACL, you need to REMOVE the ACL and
    re-apply it LESS the lines you want removed.

    While the ACL is removed, be aware that the interface to which it is
    applied will not pass ANY traffic until the ACL is rebuilt, unless you
    remove the access-group command from it.

    Cheers...................pk.


    --
    Peter from Auckland.
    Peter, Aug 2, 2007
    #3
  4. In article <nnw7edSM2ZOu-pn2-llunSzUzNSFY@otis>,
    Peter <> wrote:

    >> access-list 1624 permit 10.33.224.0 0.0.0.255
    >> access-list 1624 permit 172.22.20.0 0.0.0.15
    >> access-list 1624 permit 10.160.224.0 0.0.0.255


    >> I want to remove the last line, line "30" while leaving the rest of
    >> the ACL intact.


    >Because this is an un-named ACL, you need to REMOVE the ACL and
    >re-apply it LESS the lines you want removed.


    It's been several years since I did IOS work, so the below is
    going by what I remember of what I read in passing:

    The show access-list 1624 output had line numbers. That suggests
    to me that the OP might be using one of the versions of IOS new
    enough to support editing by line number, in a manner very similar
    to editing ACLs by line number in the Cisco PIX 6.3; with PIX, the
    syntax would be

    no access-list 1624 line 30


    >While the ACL is removed, be aware that the interface to which it is
    >applied will not pass ANY traffic until the ACL is rebuilt, unless you
    >remove the access-group command from it.


    Going by memory again, I believe that is incorrect. In IOS,
    an access-list that exists at all (even with just a remark)
    has an implicit deny at the end of it, but my experience is
    that an access-list which is referenced but which does not exist at all
    is treated as permitting everything.

    I recall tracking down a networking problem at our ISP that revolved
    around this exact issue, when they slightly misconfigured the
    Nachi Worm Mitigation.
    http://groups.google.ca/group/comp.dcom.sys.cisco/msg/774aba946785d415

    (The worm mitigation involved a policy map that dropped packets that
    were a particular length and which matched an access-list, with the
    access-list set to permit icmp -- with a permit in this context meaning
    that it was permitted to apply the policy map action (of denying the
    packet.) When our ISP lost the contents of the access-list, the
    non-existent access list matched all kinds of packets, so 92 byte tcp
    packets were dropped, 92 byte udp, and so on. If the default behaviour
    for a missing ACL was to treat it as a deny all, then the application
    of the policy map would have been denied for all kinds of packets,
    which in this case would have meant that no packets would have been
    dropped at all by the policy.)
    Walter Roberson, Aug 2, 2007
    #4
  5. Sam Wilson Guest

    In article <comlwx1r5c5v$.1f8tczdrubtba$>,
    Chris <> wrote:

    > On Wed, 01 Aug 2007 13:28:06 -0700, philbo30 wrote:
    >
    > > I have the following access list, configured in the router as:
    > >
    > > access-list 1624 permit 10.33.224.0 0.0.0.255
    > > access-list 1624 permit 172.22.20.0 0.0.0.15
    > > access-list 1624 permit 10.160.224.0 0.0.0.255
    > >
    > > The "show access-list 1624" command shows:
    > > Standard IP access list 1624
    > > 10 permit 10.33.224.0, wildcard bits 0.0.0.255 (11389 matches)
    > > 20 permit 172.22.20.0, wildcard bits 0.0.0.15
    > > 30 permit 10.160.224.0, wildcard bits 0.0.0.255 (2515 matches)
    > >
    > > I want to remove the last line, line "30" while leaving the rest of
    > > the ACL intact.
    > >
    > > What is the command to make this happen?

    >
    > no access-list 1624
    > access-list 1624 permit 10.33.224.0 0.0.0.255
    > access-list 1624 permit 172.22.20.0 0.0.0.15


    As another poster pointed out, there will be a hiatus where the
    interface will pass no traffic while the ACL is rebuilt, i.e. as soon as
    you type "no access-list 1624". If you're connected to the router via
    that interface that can be embarrassing. The way to get around this is
    like this (assuming the ACL is applied inbound on interface Fa0/1 - make
    the necessary changes):

    no access-list 1625
    ! or use any other number that's available for scratch space
    ! now make 1625 a duplicate of your new 1624
    access-list 1625 permit 10.33.224.0 0.0.0.255
    access-list 1625 permit 172.22.20.0 0.0.0.15

    ! replace 1624 on the interface (the interface-level command is
    ! "ip access-group", which replaces the ACL bound in that direction)
    interface fa0/1
    ip access-group 1625 in

    ! rebuild 1624
    no access-list 1624
    access-list 1624 permit 10.33.224.0 0.0.0.255
    access-list 1624 permit 172.22.20.0 0.0.0.15

    ! apply updated 1624 and get rid of 1625
    interface fa0/1
    ip access-group 1624 in

    no access-list 1625



    Sam
    Sam Wilson, Aug 2, 2007
    #5
  6. On Wed, 01 Aug 2007 13:28:06 -0700, philbo30 wrote:

    > I have the following access list, configured in the router as:
    >
    > access-list 1624 permit 10.33.224.0 0.0.0.255
    > access-list 1624 permit 172.22.20.0 0.0.0.15
    > access-list 1624 permit 10.160.224.0 0.0.0.255
    >
    > The "show access-list 1624" command shows:
    > Standard IP access list 1624
    > 10 permit 10.33.224.0, wildcard bits 0.0.0.255 (11389 matches)
    > 20 permit 172.22.20.0, wildcard bits 0.0.0.15
    > 30 permit 10.160.224.0, wildcard bits 0.0.0.255 (2515 matches)
    >
    > I want to remove the last line, line "30" while leaving the rest of
    > the ACL intact.
    >
    > What is the command to make this happen?


    Like this:

    router#sh access-lists
    Standard IP access list 1624
    10 permit 10.33.224.0, wildcard bits 0.0.0.255
    20 permit 172.22.20.0, wildcard bits 0.0.0.15
    30 permit 10.160.224.0, wildcard bits 0.0.0.255
    router#
    router#configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    router(config)#ip access-list standard 1624
    router(config-std-nacl)#no 30
    router(config-std-nacl)#end
    router#
    Aug 2 22:14:04.789 AEST: %SYS-5-CONFIG_I: Configured from console
    router#sh access-lists
    Standard IP access list 1624
    10 permit 10.33.224.0, wildcard bits 0.0.0.255
    20 permit 172.22.20.0, wildcard bits 0.0.0.15
    router#

    --
    Rgds,
    Martin
    Martin Gallagher, Aug 2, 2007
    #6
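A small model of how the standard ACL in this thread is evaluated, added here as an example and not code from any of the posts: it implements wildcard-mask matching, first-match semantics with the implicit deny at the end of a non-empty list, and removal of one entry by sequence number (what `no 30` does under `ip access-list standard 1624`). The sample source addresses and the `decision_changes` helper are constructed for the example, so a reader can confirm that the edit only cuts the 10.160.224.0/24 traffic and leaves the other two permits untouched.

```python
"""Model of a Cisco-style standard IP ACL with sequence numbers.

Added example, not code from the thread. It reproduces wildcard-mask
matching, first-match evaluation with the implicit deny at the end of a
non-empty list, and ``no <seq>`` removal of one entry. Sample addresses
are constructed.
"""
import ipaddress
from typing import Dict, List, Tuple

# (sequence, action, network, wildcard). In a wildcard mask a 1 bit means
# "don't care"; it is the bitwise inverse of a subnet mask.
Entry = Tuple[int, str, str, str]

ACL_1624: List[Entry] = [
    (10, "permit", "10.33.224.0", "0.0.0.255"),
    (20, "permit", "172.22.20.0", "0.0.0.15"),
    (30, "permit", "10.160.224.0", "0.0.0.255"),
]


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """True when addr equals network on every bit the wildcard does not mask."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ w          # bits that must compare exactly
    return (a & care) == (n & care)


def evaluate(acl: List[Entry], src: str) -> str:
    """First matching entry wins; a non-empty ACL ends in an implicit deny."""
    for _seq, action, network, wildcard in sorted(acl):
        if wildcard_match(src, network, wildcard):
            return action
    return "deny"


def remove_sequence(acl: List[Entry], seq: int) -> List[Entry]:
    """Equivalent of 'no <seq>' in ip access-list configuration mode."""
    if seq not in {e[0] for e in acl}:
        raise ValueError(f"no entry with sequence {seq}")
    return [e for e in acl if e[0] != seq]


def wildcard_to_cidr(network: str, wildcard: str) -> str:
    """Render a contiguous wildcard (0.0.0.15 -> /28) as CIDR for review."""
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:  # discontiguous wildcards have no single CIDR form
        raise ValueError(f"wildcard {wildcard} is not contiguous")
    return str(ipaddress.IPv4Network((network, 32 - w.bit_length()), strict=False))


def decision_changes(before: List[Entry], after: List[Entry],
                     samples: List[str]) -> Dict[str, Tuple[str, str]]:
    """Sources whose permit/deny result differs between two ACL versions.

    Run this over representative sources to confirm an edit affected only
    the traffic you meant to cut.
    """
    return {s: (evaluate(before, s), evaluate(after, s))
            for s in samples
            if evaluate(before, s) != evaluate(after, s)}


# Constructed sample sources: one inside each network plus boundary cases.
SAMPLES = ["10.33.224.9", "172.22.20.15", "172.22.20.16",
           "10.160.224.77", "192.0.2.1"]

if __name__ == "__main__":
    trimmed = remove_sequence(ACL_1624, 30)
    for seq, action, net, wc in trimmed:
        print(f"{seq} {action} {wildcard_to_cidr(net, wc)}")
    for src, (old, new) in decision_changes(ACL_1624, trimmed, SAMPLES).items():
        print(f"{src}: {old} -> {new}")
```

Only 10.160.224.77 changes from permit to deny; 172.22.20.16 is denied both before and after because the 0.0.0.15 wildcard covers exactly 172.22.20.0 through 172.22.20.15.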
  7. Guest

    On 2 Aug, 12:10, Martin Gallagher <> wrote:
    > On Wed, 01 Aug 2007 13:28:06 -0700, philbo30 wrote:
    > > I have the following access list, configured in the router as:

    >
    > > access-list 1624 permit 10.33.224.0 0.0.0.255
    > > access-list 1624 permit 172.22.20.0 0.0.0.15
    > > access-list 1624 permit 10.160.224.0 0.0.0.255

    >
    > > The "show access-list 1624" command shows:
    > > Standard IP access list 1624
    > > 10 permit 10.33.224.0, wildcard bits 0.0.0.255 (11389 matches)
    > > 20 permit 172.22.20.0, wildcard bits 0.0.0.15
    > > 30 permit 10.160.224.0, wildcard bits 0.0.0.255 (2515 matches)

    >
    > > I want to remove the last line, line "30" while leaving the rest of
    > > the ACL intact.

    >
    > > What is the command to make this happen?

    >
    > Like this:
    >
    > router#sh access-lists
    > Standard IP access list 1624
    > 10 permit 10.33.224.0, wildcard bits 0.0.0.255
    > 20 permit 172.22.20.0, wildcard bits 0.0.0.15
    > 30 permit 10.160.224.0, wildcard bits 0.0.0.255
    > router#
    > router#configure terminal
    > Enter configuration commands, one per line. End with CNTL/Z.
    > router(config)#ip access-list standard 1624
    > router(config-std-nacl)#no 30
    > router(config-std-nacl)#end
    > router#
    > Aug 2 22:14:04.789 AEST: %SYS-5-CONFIG_I: Configured from console
    > router#sh access-lists
    > Standard IP access list 1624
    > 10 permit 10.33.224.0, wildcard bits 0.0.0.255
    > 20 permit 172.22.20.0, wildcard bits 0.0.0.15
    > router#
    >


    Just be aware that the "new" sequence number based ACL editor
    does not understand "remark" entries. No idea what it does
    with them, if you work it out let us know.
    , Aug 2, 2007
    #7
  8. Scott Perry Guest

    Not true - you can apply an empty access-list to an interface and it will
    have no effect on network traffic.

    Once the first line of the access-list has been entered, the implicit deny
    takes effect at the end of the access-list, but only when there are
    access-list entries. If an access-list is emptied when applied to an
    interface, it can function without affecting network traffic until it has
    entries again. There are possibly some exceptions to this exception to the
    rule.

    The recommendation previously posted of removing the access-group from the
    interface before modifying is a very good idea. Your changes could be
    entered in such a sequence that would disconnect you before completing the
    change.

    Proof of this was demonstrated and then included below.

    --

    ===========
    Scott Perry
    ===========
    Indianapolis, Indiana
    ________________________________________

    R1#show run int fast 0/1
    Building configuration...

    Current configuration : 180 bytes
    !
    interface FastEthernet0/1
    description *** to R2 FastEthernet0/0 ***
    bandwidth 10000
    ip address 10.255.1.1 255.255.255.252
    ip access-group 111 in
    ip access-group 111 out
    speed 10
    half-duplex
    end

    R1#ping 192.168.3.254 source 192.168.1.254

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.3.254, timeout is 2 seconds:
    Packet sent with a source address of 192.168.1.254
    .....
    Success rate is 0 percent (0/5)
    R1#conf t
    Enter configuration commands, one per line. End with CNTL/Z.
    R1(config)#no access-list 111
    R1(config)#end
    R1#ping 192.168.3.254 source 192.168.1.254
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.3.254, timeout is 2 seconds:
    Packet sent with a source address of 192.168.1.254
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 136/142/144 ms
    R1#

    ________________________________________
    Trivia: A batch of commands in a text file can be copied into the
    running-config via TFTP and the device will not process any of the commands
    until the entire file has been transferred. This is an effective method, if
    correctly written, of implementing commands which would temporarily disable
    the in-band management during a change.
    Scott Perry, Aug 6, 2007
    #8
  9. In article <46b7459c$0$21256$>,
    Scott Perry <scottperry@aciscocompany> wrote:
    >The recommendation previously posted of removing the access-group from the
    >interface before modifying is a very good idea. Your changes could be
    >entered in a such a sequence that would disconnect you before completing the
    >change.


    Sam's recommendation was to create a new ACL and access-group
    that into control of the interface with the new contents (and he
    then did some cleanup work on the old ACL.) That procedure works
    fine and prevents any interruption of service (provided the new
    ACL doesn't have any bugs in it!).

    If you just remove an access-group from an interface before modifying
    the access-list, you temporarily allow too much access to the interface,
    which is not a good thing. Especially if someone is DoS'ing you
    at the time.
    Walter Roberson, Aug 6, 2007
    #9