GroupStudy.com - A virtual community of network engineers
RE: Access List [7:79345] posted 11/18/2003


I assumed the same thing and was surprised by a co-worker one day.  The
ability to remove individual lines from a numbered access-list really comes
in handy when you are using access-class statements on your vtys.  There are
several places in IOS that will only allow numbered access-lists
(unfortunately).

I'm not sure when/if it ever changed.  I know the following sequence works
in the 12.0S train (and 12.0(7)T3 that is running on our lab r2).

r2#show runn | include access-list 112
access-list 112 permit icmp host 10.5.5.31 any echo-reply
access-list 112 deny   icmp host 10.5.5.31 any
access-list 112 permit ip any any
r2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
r2(config)#ip access-list extended 112
r2(config-ext-nacl)#no permit icmp host 10.5.5.31 any echo-reply
r2(config-ext-nacl)#end
r2#show runn | include access-list 112
access-list 112 deny   icmp host 10.5.5.31 any
access-list 112 permit ip any any


Jeff.

-----Original Message-----
From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx]
Sent: Monday, November 17, 2003 7:25 PM
To: cisco@xxxxxxxxxxxxxx
Subject: RE: Access List [7:79345]


That's the problem with plain ol' Standard and Extended access-list..
You should look into using "Named" access-list, where you have the option to
remove 1 line statements with the "no" in front of the line you want to remove..
Any additional statements are still appended to the bottom of the ACL, so you
cannot modify the sequence order of it, but you can remove 1 liners..

HTH,
Sal

Bill Wharton wrote:
>
> access-list 112 permit icmp host 10.5.5.31 any echo-reply
> access-list 112 deny icmp host 10.5.5.31 any
> access-list 112 permit ip any any
>
> I apply the access list to an interface.
>
> Now I want to modify one line so I do:
> no access-list 112 permit icmp host 10.5.5.31 any echo-reply
>
>
> But, when I do a 'show access-list 112', the entire access list has
> disappeared.. Why is that?
**Please support GroupStudy by purchasing from the GroupStudy Store:
http://shop.groupstudy.com
FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=79426&t=79345
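
Added example (not part of the original posts, and not Cisco tooling): a Python helper that turns the single-line removal shown in Jeff's reply into a checked change set, refusing to emit anything unless the entry exists in the numbered ACL, and returning the ACL expected afterwards for comparison with `show runn`. The function names are hypothetical; the standard-ACL branch assumes the IOS release accepts `ip access-list standard <number>` the same way the thread shows for `extended 112`.

```python
import re

# ACL 112 as printed by "show runn" in the thread (note the padded "deny").
SAMPLE = """\
access-list 112 permit icmp host 10.5.5.31 any echo-reply
access-list 112 deny   icmp host 10.5.5.31 any
access-list 112 permit ip any any
"""

def acl_kind(number):
    # IOS numbered IP ACL ranges: standard 1-99/1300-1999, extended 100-199/2000-2699.
    if 1 <= number <= 99 or 1300 <= number <= 1999:
        return "standard"
    if 100 <= number <= 199 or 2000 <= number <= 2699:
        return "extended"
    raise ValueError(f"{number} is not a standard or extended IP ACL number")

def norm(text):
    # Collapse the column padding "show runn" inserts so entries compare equal.
    return " ".join(text.split())

def entries(running_config, number):
    """Entries of numbered ACL `number`, in order, without the 'access-list N' prefix."""
    pattern = re.compile(rf"^access-list {number}\s+(.+)$")
    found = []
    for line in running_config.splitlines():
        m = pattern.match(line.strip())
        if m:
            found.append(norm(m.group(1)))
    return found

def removal_commands(running_config, number, entry):
    """Config lines that delete one entry via ACL sub-mode, leaving the rest in place."""
    if norm(entry) not in entries(running_config, number):
        raise LookupError(f"entry not in access-list {number}: {entry!r}")
    return ["conf t",
            f"ip access-list {acl_kind(number)} {number}",
            f"no {norm(entry)}",
            "end"]

def expected_after(running_config, number, entry):
    """ACL lines expected afterwards (spacing normalized), to diff against 'show runn'."""
    current = entries(running_config, number)
    current.remove(norm(entry))
    return [f"access-list {number} {e}" for e in current]
```
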