Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4312
Views
5
Helpful
4
Replies

Cannot delete a line from an Access-List

Go to solution
Nathan Hawkins
Level 1
Level 1

‎02-20-2013 10:24 AM - edited ‎03-11-2019 06:03 PM

Hello All,

I'm trying to eliminate some hitcount 0 ACLs, and I'm getting the error "Specified access-list does not exist" when I try. Here's the ACL I'm working with:

access-list acl_DMZ line 1 extended permit ip object-group DM_INLINE_NETWORK_3 any (hitcnt=0) 0xa75c6fc3

  access-list acl_DMZ line 1 extended permit ip 10.11.12.0 255.255.255.0 any (hitcnt=0) 0x78859c06

  access-list acl_DMZ line 1 extended permit ip 192.168.1.0 255.255.255.0 any (hitcnt=0) 0x147dd28d

  access-list acl_DMZ line 1 extended permit ip 192.168.254.0 255.255.255.0 any (hitcnt=0) 0x88d63265

access-list acl_DMZ line 2 extended permit icmp any any object-group DefaultICMP (hitcnt=0) 0x35224259

  access-list acl_DMZ line 2 extended permit icmp any any echo-reply (hitcnt=0) 0x5295f227

  access-list acl_DMZ line 2 extended permit icmp any any unreachable (hitcnt=0) 0x05778545

  access-list acl_DMZ line 2 extended permit icmp any any time-exceeded (hitcnt=0) 0x84e68958 access-list acl_DMZ line 1 extended permit ip object-group DM_INLINE_NETWORK_3 any (hitcnt=0) 0xa75c6fc3
  access-list acl_DMZ line 1 extended permit ip 10.11.12.0 255.255.255.0 any (hitcnt=0) 0x78859c06
  access-list acl_DMZ line 1 extended permit ip 192.168.1.0 255.255.255.0 any (hitcnt=0) 0x147dd28d
  access-list acl_DMZ line 1 extended permit ip 192.168.254.0 255.255.255.0 any (hitcnt=0) 0x88d63265
access-list acl_DMZ line 2 extended permit icmp any any object-group DefaultICMP (hitcnt=0) 0x35224259
  access-list acl_DMZ line 2 extended permit icmp any any echo-reply (hitcnt=0) 0x5295f227
  access-list acl_DMZ line 2 extended permit icmp any any unreachable (hitcnt=0) 0x05778545
  access-list acl_DMZ line 2 extended permit icmp any any time-exceeded (hitcnt=0) 0x84e68958

As a test I'm trying to delete the 2nd line down "access-list acl_DMZ line 1 extended permit ip 10.11.12.0 255.255.255.0 any" by issuing the command "no access-list acl_DMZ line 1 extended permit ip 10.11.12.0 255.255.255.0 any". When I try to do so I get the error "Specified access-list does not exist"...

So what do I do to remove that line?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to Nathan Hawkins

‎02-20-2013 11:10 AM

Hi,

I think there is no really clear and easy way to remove the rule without also adding something.

When we consider that we have this configuration line

access-list acl_DMZ line 1 extended permit ip object-group DM_INLINE_NETWORK_3 any

And that in opened format its shown like this (also noticiable by all of the lines having the same line number)

  access-list acl_DMZ line 1 extended permit ip 10.11.12.0 255.255.255.0 any (hitcnt=0) 0x78859c06

  access-list acl_DMZ line 1 extended permit ip 192.168.1.0 255.255.255.0 any (hitcnt=0) 0x147dd28d

  access-list acl_DMZ line 1 extended permit ip 192.168.254.0 255.255.255.0 any (hitcnt=0) 0x88d63265

There is no other way of removing the single line from the above other than removing the network-object from under the "object-group". Naturally this might not be possible if the object is used somewhere else also?

The solution in this case would therefore be that you add ACL rules for the above 2 rules you want to still keep (naturally you can add the "line x" to the below configuration)

  access-list acl_DMZ permit ip 192.168.1.0 255.255.255.0 any

  access-list acl_DMZ permit ip 192.168.254.0 255.255.255.0 any

And finally remove the configuration line

access-list acl_DMZ line 1 extended permit ip object-group DM_INLINE_NETWORK_3 any

After this you would be left with the above configured 2 lines (without using the "object-group") and the line you wanted to remove would not be part of the rules anymore.

I dont think there is any other way of doing this since we are talking about an ACL ACE (Access Rule Entry) that uses an "object-group". Naturally for (hitcount=0) rules that dont use "object-group" you can just delete with the "no" parameter in front.

- Jouni

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎02-20-2013 10:36 AM

Hi,

The actual configuration lines are

access-list acl_DMZ extended permit ip object-group DM_INLINE_NETWORK_3 any

access-list acl_DMZ extended permit icmp any any object-group DefaultICMP

With the command "show access-list acl_DMZ" you get the opened format of the ACL which shows all the addresses/networks under the "object-groups"

So to only remove the line

access-list acl_DMZ line 1 extended permit ip 10.11.12.0 255.255.255.0 any

You would actually have to do this

object-group networkDM_INLINE_NETWORK_3

  no network-object 10.11.12.0 255.255.255.0

Then the single line would be removed. Notice though that if the above mentioned object-group is used in some other ACL rule too then the above network would be removed from there too.

- Jouni

Go to solution
Nathan Hawkins
Level 1
Level 1
In response to Jouni Forss

‎02-20-2013 10:59 AM

Well, that doesnt address what I'm trying to do. I'm actually trying to (on a larger scale) remove several hitcount 0 ACLs, and I cannot remove an object from an object group without affecting access on other rules/ACLs. So given the below ACL:

access-list acl_DMZ line 1 extended permit ip object-group DM_INLINE_NETWORK_3 any (hitcnt=0) 0xa75c6fc3

  access-list acl_DMZ line 1 extended permit ip 10.11.12.0 255.255.255.0 any (hitcnt=0) 0x78859c06

  access-list acl_DMZ line 1 extended permit ip 192.168.1.0 255.255.255.0 any (hitcnt=0) 0x147dd28d

  access-list acl_DMZ line 1 extended permit ip 192.168.254.0 255.255.255.0 any (hitcnt=0) 0x88d63265

access-list acl_DMZ line 2 extended permit icmp any any object-group DefaultICMP (hitcnt=0) 0x35224259

  access-list acl_DMZ line 2 extended permit icmp any any echo-reply (hitcnt=0) 0x5295f227

  access-list acl_DMZ line 2 extended permit icmp any any unreachable (hitcnt=0) 0x05778545

  access-list acl_DMZ line 2 extended permit icmp any any time-exceeded (hitcnt=0) 0x84e68958 access-list acl_DMZ line 1 extended permit ip object-group DM_INLINE_NETWORK_3 any (hitcnt=0) 0xa75c6fc3
  access-list acl_DMZ line 1 extended permit ip 10.11.12.0 255.255.255.0 any (hitcnt=0) 0x78859c06
  access-list acl_DMZ line 1 extended permit ip 192.168.1.0 255.255.255.0 any (hitcnt=0) 0x147dd28d
  access-list acl_DMZ line 1 extended permit ip 192.168.254.0 255.255.255.0 any (hitcnt=0) 0x88d63265
access-list acl_DMZ line 2 extended permit icmp any any object-group DefaultICMP (hitcnt=0) 0x35224259
  access-list acl_DMZ line 2 extended permit icmp any any echo-reply (hitcnt=0) 0x5295f227
  access-list acl_DMZ line 2 extended permit icmp any any unreachable (hitcnt=0) 0x05778545
  access-list acl_DMZ line 2 extended permit icmp any any time-exceeded (hitcnt=0) 0x84e68958

How do I remove select lines from an ACL?

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to Nathan Hawkins

‎02-20-2013 11:10 AM

Hi,

I think there is no really clear and easy way to remove the rule without also adding something.

When we consider that we have this configuration line

access-list acl_DMZ line 1 extended permit ip object-group DM_INLINE_NETWORK_3 any

And that in opened format its shown like this (also noticiable by all of the lines having the same line number)

  access-list acl_DMZ line 1 extended permit ip 10.11.12.0 255.255.255.0 any (hitcnt=0) 0x78859c06

  access-list acl_DMZ line 1 extended permit ip 192.168.1.0 255.255.255.0 any (hitcnt=0) 0x147dd28d

  access-list acl_DMZ line 1 extended permit ip 192.168.254.0 255.255.255.0 any (hitcnt=0) 0x88d63265

There is no other way of removing the single line from the above other than removing the network-object from under the "object-group". Naturally this might not be possible if the object is used somewhere else also?

The solution in this case would therefore be that you add ACL rules for the above 2 rules you want to still keep (naturally you can add the "line x" to the below configuration)

  access-list acl_DMZ permit ip 192.168.1.0 255.255.255.0 any

  access-list acl_DMZ permit ip 192.168.254.0 255.255.255.0 any

And finally remove the configuration line

access-list acl_DMZ line 1 extended permit ip object-group DM_INLINE_NETWORK_3 any

After this you would be left with the above configured 2 lines (without using the "object-group") and the line you wanted to remove would not be part of the rules anymore.

I dont think there is any other way of doing this since we are talking about an ACL ACE (Access Rule Entry) that uses an "object-group". Naturally for (hitcount=0) rules that dont use "object-group" you can just delete with the "no" parameter in front.

- Jouni

0 Helpful

Go to solution
Nathan Hawkins
Level 1
Level 1
In response to Jouni Forss

‎02-20-2013 12:03 PM

The above is a test access-list. What I'm really working with is something much larger where there are a few thousand rules with hundreds of thousands of ACE's. What I think I need to do is create ACLs that are the ACEs that are not hitcount 0 and then delete the rule with the hitcount 0 ACE's.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card