1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Editing Access Lists

Discussion in 'General Cisco Certifications' started by motorleague, May 6, 2007.

  1. motorleague

    motorleague Bit Poster

    22
    0
    0
    Once an access list has been created, you can only append new rules to it, not add them in the middle so to speak. I don't have the means to test this right now, and it's not been mentioned in the utorials so far, is whether it would be possible to edit an existing access list by copying out the config via tftp, editing the access list manually, then copying it back and implementing it?

    Presumably this is feasible but maybe not correct according to the exam criteria.

    Could anybody please clarify this for me?

    Hope you're all doing more interesting things with your bank holiday that I am incidently :)

    Cheers.


    Alex.
     
    Certifications: MCSA, A+, Network+
    WIP: CCNA, MCSE
  2. motorleague

    motorleague Bit Poster

    22
    0
    0
    Sorry, I got ahead of myself there.

    For anybody else wondering you can simply view the access list using "sh runing-config" or similar, copy it and edit it using notepad, issue a " no access-list x" command to deletethe old list, then paste the updated rules back in from notepad at the command prompt, to quickly recreate the list.

    Apologies.

    Alex.
     
    Certifications: MCSA, A+, Network+
    WIP: CCNA, MCSE
  3. Headache

    Headache Gigabyte Poster

    1,092
    9
    85
    Yep. You can do it that way if you want.

    But my advice is to avoid doing that too often while you're still studying for the exam. If you use notepad too much, then you'll tend not to memorise the commands. And then, if an ACL simulation question shows up in your exam, it might take you too long to figure out what you need to do.

    As for your previous question, the only type of ACL you can edit is a named ACL and you can only delete an entry from it, not modify an existing entry or insert a new entry into the middle of the ACL.

    If you need to change anything in a standard or extended ACL then then the only way is to delete the whole thing and do it afresh.
     
    Certifications: CCNA
    WIP: CCNP
  4. Headache

    Headache Gigabyte Poster

    1,092
    9
    85
    I wish.

    I should be out there getting p!ssed and having a good time. Instead I'm stuck here trying to make sense of this damned etherchannel thingy.

    *sigh*
     
    Certifications: CCNA
    WIP: CCNP
  5. NetEyeBall

    NetEyeBall Kilobyte Poster

    279
    10
    45
    Etherchannel...I just played around with that last night on two 2950s...I didn't understand the different modes, but I didn't research them as of yet either, but I got the channel group up and working fine. Basically logically bonding 2 ethernet circuits into one virtual pipe so spanning tree doesn't block one of the ports.

    Yeah..I just looked over what the LACP or the PAgP protocols. Is it my imagination or could this have been done without the hashing? Perhaps load balance on a per packet basis? Anyways...back to the ol'bit bucket...er I mean books.
     
    Certifications: CCNA, A+, N+, MCSE 4.0, CCA
    WIP: CCDA, CCNP, Cisco Firewall
  6. Headache

    Headache Gigabyte Poster

    1,092
    9
    85
    Hi NetEye.

    I configured both PAgP and LACP on two 3550s. PAgP went okay, full connectivity between both switches, spanning-tree running on all instances.

    3550/1#sh spanning-tree summary
    Switch is in pvst mode
    Root bridge for: none
    EtherChannel misconfig guard is enabled
    Extended system ID is enabled
    Portfast Default is disabled
    PortFast BPDU Guard Default is disabled
    Portfast BPDU Filter Default is disabled
    Loopguard Default is disabled
    UplinkFast is disabled
    BackboneFast is disabled
    Pathcost method used is short

    Name Blocking Listening Learning Forwarding STP Active
    ---------------------- -------- --------- -------- ---------- ----------
    VLAN0001 0 0 0 2 2
    VLAN0002 0 0 0 1 1
    VLAN0003 0 0 0 1 1
    VLAN0004 0 0 0 1 1
    VLAN0005 0 0 0 1 1
    VLAN0006 0 0 0 1 1
    VLAN0007 0 0 0 1 1
    VLAN0008 0 0 0 1 1
    VLAN0009 0 0 0 1 1
    VLAN0010 0 0 0 1 1
    VLAN0011 0 0 0 1 1
    VLAN0012 0 0 0 1 1
    ---------------------- -------- --------- -------- ---------- ----------
    12 vlans 0 0 0 13 13


    It was when I configured LACP that I came slightly unstuck. The twelve vlans I'd configured earlier all went down. Spanning-tree stopped running except for the single instance on the native vlan. I could still ping through okay, but I just couldn't figure out why spanning-tree wasn't working properly anymore.

    3550/1#ping 10.1.1.1

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
    .!!!!
    Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms

    3550/1#sh spanning-tree summary
    Switch is in pvst mode
    Root bridge for: VLAN0001
    EtherChannel misconfig guard is enabled
    Extended system ID is enabled
    Portfast Default is disabled
    PortFast BPDU Guard Default is disabled
    Portfast BPDU Filter Default is disabled
    Loopguard Default is disabled
    UplinkFast is disabled
    BackboneFast is disabled
    Pathcost method used is short

    Name Blocking Listening Learning Forwarding STP Active
    ---------------------- -------- --------- -------- ---------- ----------
    VLAN0001 0 0 0 1 1
    ---------------------- -------- --------- -------- ---------- ----------
    1 vlan 0 0 0 1 1



    Well, it early days yet. Plenty of figuring out still to do.
     
    Certifications: CCNA
    WIP: CCNP
  7. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    254
    45
    45
    Regarding editing access lists:

    Named and extended access-lists can be edited from the command line. You can add or remove lines anywhere in the acl. In effect, you can also change the order of lines by adding and deleting lines.

    In short, if the access-list is numbered 1-99 you can only add lines to the end of the list. To make other changes you need to delete the acl and re-create it.
    If the access-l list is extended (numbered 100-199 or 2000-2699) or named then you can add or remove lines without deleting the acl. For example, access-list 90 would need to be deleted and re-created to remove a line, while access-list 100 you can add or remove lines without deleting the acl. Very handy, especially for acl's used for things like ip inspection (IOS firewall) as having to remove the acl to edit it can be a huge bother. Editing the acl while it is in use is much better.

    Spice_Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
    WIP: CCIE
  8. Headache

    Headache Gigabyte Poster

    1,092
    9
    85
    Didn't know you can remove lines from an extended ACL. Must try it out some time.

    Cheers Spice.
     
    Certifications: CCNA
    WIP: CCNP
  9. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    254
    45
    45
    Yup. To add/remove a line use line numbers. For example, if you have access-list 160 on a router that is 15 lines long and you want to remove line 8 and replace it with something else.If you show the access-list you will see the line numbers, typically incrementing 10 per line. Just edit the access-list to remove the line:

    (config)#ip access-l ext 160
    (config-ext-nacl)#no 80 <-- removes line 80
    (config-ext-nacl)#85 per ip host 2.2.2.2 host 3.3.3.3 <-- adds line 85

    Spice_Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
    WIP: CCIE
  10. NetEyeBall

    NetEyeBall Kilobyte Poster

    279
    10
    45
    Gonna have to play with this! Thanks!
     
    Certifications: CCNA, A+, N+, MCSE 4.0, CCA
    WIP: CCDA, CCNP, Cisco Firewall
  11. NetEyeBall

    NetEyeBall Kilobyte Poster

    279
    10
    45
    I just tried this with a simple 3 line extended list.
    Sure enough I could delete Line 20 and add line 20.

    Pretty cool!!!!!
     
    Certifications: CCNA, A+, N+, MCSE 4.0, CCA
    WIP: CCDA, CCNP, Cisco Firewall

Share This Page

Loading...