I usually tend to clear an ACL and just re-paste it back in. Just my style, I guess. But there are times when I need to keep it in place and just add in a line. For example, I have one customer that has a bug in an L3 switch. When you clear the ACL and paste it back in, it wigs the switch out and you have to reboot it. Cisco says it's a bug. So, I either have to take the route map off the VLAN, modify the ACL, then put the route map back on the VLAN interface, or I can just add the line in by line number. See below, as this is how I do this.
1841(config-ext-nacl)#do show access-list 105
Extended IP access list 105
10 permit ip host 192.168.1.27 any (101160908 matches)
20 permit ip host 192.168.1.31 any (83896750 matches)
30 permit ip host 192.168.1.26 any (204856 matches)
40 permit ip host 192.168.1.25 any (824667 matches)
50 permit ip any host 192.168.3.1 (1516 matches)
60 permit tcp host 192.168.1.29 eq 60601 any
70 permit tcp host 192.168.1.29 eq 2031 any (1313543 matches)
80 permit tcp host 192.168.1.30 eq 60601 any
90 permit ip any 10.10.1.0 0.0.0.255 (896443 matches)
100 deny ip 10.1.0.0 0.0.255.255 any (239919692 matches)
110 deny ip 192.168.0.0 0.0.255.255 any (1681992666 matches)
120 deny ip any any (1272384 matches)
1841(config-ext-nacl)#95 deny ip host 192.168.1.242 host 192.168.3.3
1841(config-ext-nacl)#do sh access-l 105
Extended IP access list 105
10 permit ip host 192.168.1.27 any (101165325 matches)
20 permit ip host 192.168.1.31 any (83896763 matches)
30 permit ip host 192.168.1.26 any (204856 matches)
40 permit ip host 192.168.1.25 any (824671 matches)
50 permit ip any host 192.168.3.1 (1516 matches)
60 permit tcp host 192.168.1.29 eq 60601 any
70 permit tcp host 192.168.1.29 eq 2031 any (1313543 matches)
80 permit tcp host 192.168.1.30 eq 60601 any
90 permit ip any 10.10.1.0 0.0.0.255 (896443 matches)
95 deny ip host 192.168.1.42 host 192.168.3.3
100 deny ip 10.1.0.0 0.0.255.255 any (239925676 matches)
110 deny ip 192.168.0.0 0.0.255.255 any (1682023189 matches)
120 deny ip any any (1272385 matches)
1841(config-ext-nacl)#
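An added example, not part of the original post: a Python check that parses `show access-list` output captured before and after a line-number insert and confirms that the new entry sits at the chosen sequence number with the intended text and that no existing entry changed. The function names and the sample output are constructed for illustration.

```python
import re

# One entry of IOS "show access-list" output; the "(N matches)" counter is optional.
ENTRY = re.compile(r"^\s*(\d+)\s+((?:permit|deny)\s.+?)(?:\s+\(\d+ match(?:es)?\))?\s*$")

def parse_acl(show_output):
    """Return {sequence number: rule text} with hit counters stripped."""
    entries = {}
    for line in show_output.splitlines():
        m = ENTRY.match(line)
        if m:
            entries[int(m.group(1))] = " ".join(m.group(2).split())
    return entries

def check_insert(before, after, seq, rule):
    """Return a list of problems found after inserting `rule` at `seq`."""
    rule = " ".join(rule.split())
    problems = []
    if seq in before:
        problems.append(f"sequence {seq} was already in use: {before[seq]}")
    if after.get(seq) != rule:
        problems.append(f"sequence {seq} holds {after.get(seq)!r}, expected {rule!r}")
    for s, r in before.items():
        if s != seq and after.get(s) != r:
            problems.append(f"existing entry {s} changed or is missing")
    extra = sorted(set(after) - set(before) - {seq})
    if extra:
        problems.append(f"unexpected new entries: {extra}")
    return problems

# Constructed sample output, modelled on the session above (shortened).
BEFORE = """Extended IP access list 105
    90 permit ip any 10.10.1.0 0.0.0.255 (896443 matches)
    100 deny ip 10.1.0.0 0.0.255.255 any (239919692 matches)
    120 deny ip any any (1272384 matches)
"""
AFTER = """Extended IP access list 105
    90 permit ip any 10.10.1.0 0.0.0.255 (896450 matches)
    95 deny ip host 192.168.1.42 host 192.168.3.3
    100 deny ip 10.1.0.0 0.0.255.255 any (239925676 matches)
    120 deny ip any any (1272385 matches)
"""

if __name__ == "__main__":
    intended = "deny ip host 192.168.1.242 host 192.168.3.3"
    for p in check_insert(parse_acl(BEFORE), parse_acl(AFTER), 95, intended):
        print("PROBLEM:", p)
```

Hit counters are stripped before comparison, so traffic passing between the two captures does not register as a change.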