10-21-2019 06:51 PM
Hi,
I am unable to add two statements to an existing access list. I do understand that the IPs 10.2.22 and 10.2.21 are part of the already allowed subnet 10.0.0.0, but I need to remove statement 40 while adding statements 60 and 70. But if I remove statement 40 first, then I will lose management access to the switch. This access list is applied to VTY lines. How do I go about this?
Details are below:
STATEMENTS TO BE ADDED:
60 Permit 10.2.22.151 0.0.0.0
70 Permit 10.2.21.248 0.0.0.0
no 40 permit 10.0.0.0 0.255.255.255
deny ip any any
EXISTING ACCESS LIST:
Standard IP access list MGMT_ACCESS
10 deny 10.3.200.0, wildcard bits 0.0.3.255
20 permit 192.15.14.0, wildcard bits 0.0.1.255 (168 matches)
30 permit 192.15.16.0, wildcard bits 0.0.1.255
40 permit 10.0.0.0, wildcard bits 0.255.255.255 (1456 matches)
50 permit 192.168.100.0, wildcard bits 0.0.0.255
10-21-2019 09:34 PM
Hi,
What is your laptop/desktop/management PC IP? We can see that currently all your traffic is hitting line numbers 20 & 40. So it may be that your system IP address is also matching under line number 40, where the subnet is 10.0.0.0/8.
10-22-2019 12:13 AM - edited 10-22-2019 12:14 AM
Instead of line 60 and 70, put your new statements between 30 and 40 and then you will not lose management access to the switch:
35 Permit 10.2.22.151 0.0.0.0
36 Permit 10.2.21.248 0.0.0.0
no 40 permit 10.0.0.0 0.255.255.255
deny ip any any (by default there is a hidden (implicit) deny all at the end of every ACL, so unless you want to use the deny any any log command to see what's being denied, there is no need for this extra statement)
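The ordering point in the reply above, as an added example that is not part of the thread or of any Cisco tooling: a small Python model of a standard ACL with IOS first-match and implicit-deny semantics, run over the MGMT_ACCESS entries from the question in both orders (remove 40 first, as originally planned, versus add the host entries first and then remove 40). The management workstation address is assumed to be 10.2.22.151. One caveat on the posted statements: a standard ACL takes `deny any` as its explicit final entry; `deny ip any any` is extended-ACL syntax.

```python
import ipaddress

# Constructed model of a Cisco IOS standard ACL. Entries are
# (sequence, action, network, wildcard); sequence order, the first-match rule
# and the implicit "deny any" at the end follow IOS behaviour. The entries are
# the MGMT_ACCESS list copied from the thread.
EXISTING = [
    (10, "deny",   "10.3.200.0",    "0.0.3.255"),
    (20, "permit", "192.15.14.0",   "0.0.1.255"),
    (30, "permit", "192.15.16.0",   "0.0.1.255"),
    (40, "permit", "10.0.0.0",      "0.255.255.255"),
    (50, "permit", "192.168.100.0", "0.0.0.255"),
]


def _int(addr):
    return int(ipaddress.IPv4Address(addr))


def entry_matches(entry, src):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    _, _, network, wildcard = entry
    care = 0xFFFFFFFF ^ _int(wildcard)
    return (_int(src) & care) == (_int(network) & care)


def evaluate(acl, src):
    """First matching entry wins. No match falls through to the implicit deny,
    reported here as sequence None."""
    for entry in sorted(acl):
        if entry_matches(entry, src):
            return entry[1], entry[0]
    return "deny", None


def apply_steps(acl, steps, mgmt_host):
    """Apply ('add', entry) / ('remove', seq) steps in order and record whether
    mgmt_host is still permitted after each step. Returns (trace, final_acl),
    where trace is a list of (description, permitted)."""
    acl = list(acl)
    trace = []
    for op, arg in steps:
        if op == "add":
            acl.append(arg)
            desc = "%d %s %s %s" % arg
        else:
            acl = [e for e in acl if e[0] != arg]
            desc = "no %d" % arg
        action, _ = evaluate(acl, mgmt_host)
        trace.append((desc, action == "permit"))
    return trace, acl


def ios_commands(steps, name="MGMT_ACCESS"):
    """Render the same steps as IOS named-ACL configuration lines."""
    lines = ["ip access-list standard %s" % name]
    for op, arg in steps:
        if op == "add":
            seq, action, network, wildcard = arg
            target = ("host %s" % network if wildcard == "0.0.0.0"
                      else "%s %s" % (network, wildcard))
            lines.append(" %d %s %s" % (seq, action, target))
        else:
            lines.append(" no %d" % arg)
    return lines


# Assumption: the admin's workstation is 10.2.22.151, one of the hosts being added.
MGMT_HOST = "10.2.22.151"

# Order from the question: drop the /8 first, then add the hosts as 60 and 70.
RISKY = [("remove", 40),
         ("add", (60, "permit", "10.2.22.151", "0.0.0.0")),
         ("add", (70, "permit", "10.2.21.248", "0.0.0.0"))]

# Order from the reply: add the hosts as 35 and 36, then drop the /8.
SAFE = [("add", (35, "permit", "10.2.22.151", "0.0.0.0")),
        ("add", (36, "permit", "10.2.21.248", "0.0.0.0")),
        ("remove", 40)]

if __name__ == "__main__":
    for label, steps in (("risky", RISKY), ("safe", SAFE)):
        print(label)
        for desc, ok in apply_steps(EXISTING, steps, MGMT_HOST)[0]:
            print("  %-32s mgmt host %s" % (desc, "permitted" if ok else "DENIED"))
    print("\n".join(ios_commands(SAFE)))
```

Running it shows the risky order denying the management host immediately after `no 40` (a VTY session would drop at that point), while the safe order keeps it permitted at every step; the `ios_commands` output is the exact sequence to paste into the named ACL.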