Editing Access Lists

Discussion in 'General Cisco Certifications' started by motorleague, May 6, 2007.

  1. motorleague

    motorleague Bit Poster

    22
    0
    0
    Once an access list has been created, you can only append new rules to it, not add them in the middle, so to speak. What I don't have the means to test right now, and what hasn't been mentioned in the tutorials so far, is whether it would be possible to edit an existing access list by copying out the config via tftp, editing the access list manually, then copying it back and implementing it.

    Presumably this is feasible but maybe not correct according to the exam criteria.

    Could anybody please clarify this for me?

    Hope you're all doing more interesting things with your bank holiday than I am, incidentally :)

    Cheers.


    Alex.
     
    Certifications: MCSA, A+, Network+
    WIP: CCNA, MCSE
  2. motorleague

    motorleague Bit Poster

    22
    0
    0
    Sorry, I got ahead of myself there.

    For anybody else wondering, you can simply view the access list using "sh running-config" or similar, copy it and edit it using Notepad, issue a "no access-list x" command to delete the old list, then paste the updated rules back in from Notepad at the command prompt to quickly recreate the list.

    Apologies.

    Alex.
     
    Certifications: MCSA, A+, Network+
    WIP: CCNA, MCSE
  3. Headache

    Headache Gigabyte Poster

    1,092
    9
    85
    Yep. You can do it that way if you want.

    But my advice is to avoid doing that too often while you're still studying for the exam. If you use notepad too much, then you'll tend not to memorise the commands. And then, if an ACL simulation question shows up in your exam, it might take you too long to figure out what you need to do.

    As for your previous question, the only type of ACL you can edit is a named ACL and you can only delete an entry from it, not modify an existing entry or insert a new entry into the middle of the ACL.

    If you need to change anything in a standard or extended ACL then the only way is to delete the whole thing and do it afresh.
     
    Certifications: CCNA
    WIP: CCNP
  4. Headache

    Headache Gigabyte Poster

    1,092
    9
    85
    I wish.

    I should be out there getting p!ssed and having a good time. Instead I'm stuck here trying to make sense of this damned etherchannel thingy.

    *sigh*
     
    Certifications: CCNA
    WIP: CCNP
  5. NetEyeBall

    NetEyeBall Kilobyte Poster

    279
    10
    45
    Etherchannel...I just played around with that last night on two 2950s...I didn't understand the different modes, but I didn't research them as of yet either, but I got the channel group up and working fine. Basically logically bonding 2 ethernet circuits into one virtual pipe so spanning tree doesn't block one of the ports.

    Yeah.. I just looked over the LACP and PAgP protocols. Is it my imagination or could this have been done without the hashing? Perhaps load balance on a per-packet basis? Anyways... back to the ol' bit bucket... er, I mean books.
     
    Certifications: CCNA, A+, N+, MCSE 4.0, CCA
    WIP: CCDA, CCNP, Cisco Firewall
  6. Headache

    Headache Gigabyte Poster

    1,092
    9
    85
    Hi NetEye.

    I configured both PAgP and LACP on two 3550s. PAgP went okay, full connectivity between both switches, spanning-tree running on all instances.

    3550/1#sh spanning-tree summary
    Switch is in pvst mode
    Root bridge for: none
    EtherChannel misconfig guard is enabled
    Extended system ID is enabled
    Portfast Default is disabled
    PortFast BPDU Guard Default is disabled
    Portfast BPDU Filter Default is disabled
    Loopguard Default is disabled
    UplinkFast is disabled
    BackboneFast is disabled
    Pathcost method used is short

    Name                   Blocking Listening Learning Forwarding STP Active
    ---------------------- -------- --------- -------- ---------- ----------
    VLAN0001                      0         0        0          2          2
    VLAN0002                      0         0        0          1          1
    VLAN0003                      0         0        0          1          1
    VLAN0004                      0         0        0          1          1
    VLAN0005                      0         0        0          1          1
    VLAN0006                      0         0        0          1          1
    VLAN0007                      0         0        0          1          1
    VLAN0008                      0         0        0          1          1
    VLAN0009                      0         0        0          1          1
    VLAN0010                      0         0        0          1          1
    VLAN0011                      0         0        0          1          1
    VLAN0012                      0         0        0          1          1
    ---------------------- -------- --------- -------- ---------- ----------
    12 vlans                      0         0        0         13         13


    It was when I configured LACP that I came slightly unstuck. The twelve vlans I'd configured earlier all went down. Spanning-tree stopped running except for the single instance on the native vlan. I could still ping through okay, but I just couldn't figure out why spanning-tree wasn't working properly anymore.

    3550/1#ping 10.1.1.1

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
    .!!!!
    Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms

    3550/1#sh spanning-tree summary
    Switch is in pvst mode
    Root bridge for: VLAN0001
    EtherChannel misconfig guard is enabled
    Extended system ID is enabled
    Portfast Default is disabled
    PortFast BPDU Guard Default is disabled
    Portfast BPDU Filter Default is disabled
    Loopguard Default is disabled
    UplinkFast is disabled
    BackboneFast is disabled
    Pathcost method used is short

    Name                   Blocking Listening Learning Forwarding STP Active
    ---------------------- -------- --------- -------- ---------- ----------
    VLAN0001                      0         0        0          1          1
    ---------------------- -------- --------- -------- ---------- ----------
    1 vlan                        0         0        0          1          1



    Well, it's early days yet. Plenty of figuring out still to do.
     
    Certifications: CCNA
    WIP: CCNP
  7. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    254
    45
    45
    Regarding editing access lists:

    Named and extended access-lists can be edited from the command line. You can add or remove lines anywhere in the acl. In effect, you can also change the order of lines by adding and deleting lines.

    In short, if the access-list is numbered 1-99 you can only add lines to the end of the list. To make other changes you need to delete the acl and re-create it.
    If the access-list is extended (numbered 100-199 or 2000-2699) or named, then you can add or remove lines without deleting the acl. For example, access-list 90 would need to be deleted and re-created to remove a line, while with access-list 100 you can add or remove lines without deleting the acl. Very handy, especially for acls used for things like ip inspection (IOS firewall), as having to remove the acl to edit it can be a huge bother. Editing the acl while it is in use is much better.

    Spice_Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
    WIP: CCIE
  8. Headache

    Headache Gigabyte Poster

    1,092
    9
    85
    Didn't know you can remove lines from an extended ACL. Must try it out some time.

    Cheers Spice.
     
    Certifications: CCNA
    WIP: CCNP
  9. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    254
    45
    45
    Yup. To add/remove a line, use line numbers. For example, say you have access-list 160 on a router that is 15 lines long and you want to remove line 8 and replace it with something else. If you show the access-list you will see the line numbers, typically incrementing 10 per line. Just edit the access-list to remove the line:

    (config)#ip access-l ext 160
    (config-ext-nacl)#no 80 <-- removes line 80
    (config-ext-nacl)#85 per ip host 2.2.2.2 host 3.3.3.3 <-- adds line 85

    Spice_Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
    WIP: CCIE
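As an added example (not code from the thread or from Cisco), the sequence-number editing Spice_Weasel describes can be driven from a script: this Python parses `show ip access-lists` output and works out the `no <seq>` / `<seq> <rule>` commands that bring an extended ACL to a desired rule order in place. Editing in place is more than a convenience: on IOS an interface whose `ip access-group` points at an ACL that has just been deleted passes all traffic until the list is recreated, so the delete-and-repaste approach opens a window. The sample ACL, its rules and the target order are constructed; when two surviving entries leave no free number between them the script refuses rather than guessing, and resequencing is assumed to be done by hand.

```python
import re

# Constructed sample of `show ip access-lists` output (not from the thread);
# the hit counter on line 10 is there to show the parser strips it.
SAMPLE_SHOW = """Extended IP access list 160
    10 permit tcp any host 10.1.1.10 eq 22 (5 matches)
    20 permit tcp any host 10.1.1.10 eq 443
    30 deny ip any any log
"""
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(.*?)\s*(?:\(\d+ matches?\))?\s*$")

def parse_acl(show_output):
    """Return (ACL name, [(sequence, rule), ...]) from `show ip access-lists` text."""
    lines = show_output.strip().splitlines()
    entries = []
    for line in lines[1:]:
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return lines[0].split()[-1], entries

def plan_edit(name, current, desired):
    """IOS commands turning `current` into `desired` in place, never removing the ACL."""
    seq_of = {rule: seq for seq, rule in current}
    # A rule stays put only if it exists and keeps its relative order; anything else
    # is deleted by sequence number and re-added, which is how order changes are made.
    kept, prev = [], 0
    for rule in desired:
        seq = seq_of.get(rule)
        if seq is not None and seq > prev:
            kept.append((seq, rule))
            prev = seq
        else:
            kept.append((None, rule))
    in_place = {seq for seq, _ in kept if seq is not None}
    cmds = [f"ip access-list extended {name}"]
    cmds += [f" no {seq}" for seq, _ in current if seq not in in_place]
    # Give each new rule a number strictly between its surviving neighbours
    # (like 85 between 80 and 90); refuse if the gap is used up.
    prev = 0
    for i, (seq, rule) in enumerate(kept):
        if seq is None:
            nxt = next((s for s, _ in kept[i + 1:] if s is not None), None)
            seq = (prev + nxt) // 2 if nxt is not None else prev + 10
            if seq <= prev or (nxt is not None and seq >= nxt):
                raise ValueError(f"no free sequence number between {prev} and {nxt}")
            cmds.append(f" {seq} {rule}")
        prev = seq
    return cmds
```

For the sample, `plan_edit(*parse_acl(SAMPLE_SHOW), desired)` with the port-22 rule dropped and a new permit placed ahead of the deny yields `no 10` followed by the new entry as line 25, ready to paste under `ip access-list extended 160`.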
  10. NetEyeBall

    NetEyeBall Kilobyte Poster

    279
    10
    45
    Gonna have to play with this! Thanks!
     
    Certifications: CCNA, A+, N+, MCSE 4.0, CCA
    WIP: CCDA, CCNP, Cisco Firewall
  11. NetEyeBall

    NetEyeBall Kilobyte Poster

    279
    10
    45
    I just tried this with a simple 3-line extended list.
    Sure enough, I could delete line 20 and add line 20.

    Pretty cool!!!!!
     
    Certifications: CCNA, A+, N+, MCSE 4.0, CCA
    WIP: CCDA, CCNP, Cisco Firewall