cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3947
Views
5
Helpful
4
Replies

Cannot delete a line from an Access-List

Nathan Hawkins
Level 1
Level 1

Hello All,

I'm trying to eliminate some hitcount 0 ACLs, and I'm getting the error "Specified access-list does not exist" when I try. Here's the ACL I'm working with:

access-list acl_DMZ line 1 extended permit ip object-group DM_INLINE_NETWORK_3 any (hitcnt=0) 0xa75c6fc3

  access-list acl_DMZ line 1 extended permit ip 10.11.12.0 255.255.255.0 any (hitcnt=0) 0x78859c06

  access-list acl_DMZ line 1 extended permit ip 192.168.1.0 255.255.255.0 any (hitcnt=0) 0x147dd28d

  access-list acl_DMZ line 1 extended permit ip 192.168.254.0 255.255.255.0 any (hitcnt=0) 0x88d63265

access-list acl_DMZ line 2 extended permit icmp any any object-group DefaultICMP (hitcnt=0) 0x35224259

  access-list acl_DMZ line 2 extended permit icmp any any echo-reply (hitcnt=0) 0x5295f227

  access-list acl_DMZ line 2 extended permit icmp any any unreachable (hitcnt=0) 0x05778545

  access-list acl_DMZ line 2 extended permit icmp any any time-exceeded (hitcnt=0) 0x84e68958 access-list acl_DMZ line 1 extended permit ip object-group DM_INLINE_NETWORK_3 any (hitcnt=0) 0xa75c6fc3
  access-list acl_DMZ line 1 extended permit ip 10.11.12.0 255.255.255.0 any (hitcnt=0) 0x78859c06
  access-list acl_DMZ line 1 extended permit ip 192.168.1.0 255.255.255.0 any (hitcnt=0) 0x147dd28d
  access-list acl_DMZ line 1 extended permit ip 192.168.254.0 255.255.255.0 any (hitcnt=0) 0x88d63265
access-list acl_DMZ line 2 extended permit icmp any any object-group DefaultICMP (hitcnt=0) 0x35224259
  access-list acl_DMZ line 2 extended permit icmp any any echo-reply (hitcnt=0) 0x5295f227
  access-list acl_DMZ line 2 extended permit icmp any any unreachable (hitcnt=0) 0x05778545
  access-list acl_DMZ line 2 extended permit icmp any any time-exceeded (hitcnt=0) 0x84e68958

As a test I'm trying to delete the 2nd line down "access-list acl_DMZ line 1 extended permit ip 10.11.12.0 255.255.255.0 any" by issuing the command "no access-list acl_DMZ line 1 extended permit ip 10.11.12.0 255.255.255.0 any". When I try to do so I get the error "Specified access-list does not exist"...

So what do I do to remove that line?

1 Accepted Solution

Accepted Solutions

Hi,

I think there is no really clear and easy way to remove the rule without also adding something.

When we consider that we have this configuration line

access-list acl_DMZ line 1 extended permit ip object-group DM_INLINE_NETWORK_3 any

And that in opened format its shown like this (also noticiable by all of the lines having the same line number)

  access-list acl_DMZ line 1 extended permit ip 10.11.12.0 255.255.255.0 any (hitcnt=0) 0x78859c06

  access-list acl_DMZ line 1 extended permit ip 192.168.1.0 255.255.255.0 any (hitcnt=0) 0x147dd28d

  access-list acl_DMZ line 1 extended permit ip 192.168.254.0 255.255.255.0 any (hitcnt=0) 0x88d63265

There is no other way of removing the single line from the above other than removing the network-object from under the "object-group". Naturally this might not be possible if the object is used somewhere else also?

The solution in this case would therefore be that you add ACL rules for the above 2 rules you want to still keep (naturally you can add the "line x" to the below configuration)

  access-list acl_DMZ permit ip 192.168.1.0 255.255.255.0 any

  access-list acl_DMZ permit ip 192.168.254.0 255.255.255.0 any

And finally remove the configuration line

access-list acl_DMZ line 1 extended permit ip object-group DM_INLINE_NETWORK_3 any

After this you would be left with the above configured 2 lines (without using the "object-group") and the line you wanted to remove would not be part of the rules anymore.

I dont think there is any other way of doing this since we are talking about an ACL ACE (Access Rule Entry) that uses an "object-group". Naturally for (hitcount=0) rules that dont use "object-group" you can just delete with the "no" parameter in front.

- Jouni

View solution in original post

4 Replies 4

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

The actual configuration lines are

access-list acl_DMZ extended permit ip object-group DM_INLINE_NETWORK_3 any

access-list acl_DMZ extended permit icmp any any object-group DefaultICMP

With the command "show access-list acl_DMZ" you get the opened format of the ACL which shows all the addresses/networks under the "object-groups"

So to only remove the line

access-list acl_DMZ line 1 extended permit ip 10.11.12.0 255.255.255.0 any

You would actually have to do this

object-group networkDM_INLINE_NETWORK_3

  no network-object 10.11.12.0 255.255.255.0

Then the single line would be removed. Notice though that if the above mentioned object-group is used in some other ACL rule too then the above network would be removed from there too.

- Jouni

Well, that doesnt address what I'm trying to do. I'm actually trying to (on a larger scale) remove several hitcount 0 ACLs, and I cannot remove an object from an object group without affecting access on other rules/ACLs. So given the below ACL:

access-list acl_DMZ line 1 extended permit ip object-group DM_INLINE_NETWORK_3 any (hitcnt=0) 0xa75c6fc3

  access-list acl_DMZ line 1 extended permit ip 10.11.12.0 255.255.255.0 any (hitcnt=0) 0x78859c06

  access-list acl_DMZ line 1 extended permit ip 192.168.1.0 255.255.255.0 any (hitcnt=0) 0x147dd28d

  access-list acl_DMZ line 1 extended permit ip 192.168.254.0 255.255.255.0 any (hitcnt=0) 0x88d63265

access-list acl_DMZ line 2 extended permit icmp any any object-group DefaultICMP (hitcnt=0) 0x35224259

  access-list acl_DMZ line 2 extended permit icmp any any echo-reply (hitcnt=0) 0x5295f227

  access-list acl_DMZ line 2 extended permit icmp any any unreachable (hitcnt=0) 0x05778545

  access-list acl_DMZ line 2 extended permit icmp any any time-exceeded (hitcnt=0) 0x84e68958 access-list acl_DMZ line 1 extended permit ip object-group DM_INLINE_NETWORK_3 any (hitcnt=0) 0xa75c6fc3
  access-list acl_DMZ line 1 extended permit ip 10.11.12.0 255.255.255.0 any (hitcnt=0) 0x78859c06
  access-list acl_DMZ line 1 extended permit ip 192.168.1.0 255.255.255.0 any (hitcnt=0) 0x147dd28d
  access-list acl_DMZ line 1 extended permit ip 192.168.254.0 255.255.255.0 any (hitcnt=0) 0x88d63265
access-list acl_DMZ line 2 extended permit icmp any any object-group DefaultICMP (hitcnt=0) 0x35224259
  access-list acl_DMZ line 2 extended permit icmp any any echo-reply (hitcnt=0) 0x5295f227
  access-list acl_DMZ line 2 extended permit icmp any any unreachable (hitcnt=0) 0x05778545
  access-list acl_DMZ line 2 extended permit icmp any any time-exceeded (hitcnt=0) 0x84e68958

How do I remove select lines from an ACL?

Hi,

I think there is no really clear and easy way to remove the rule without also adding something.

When we consider that we have this configuration line

access-list acl_DMZ line 1 extended permit ip object-group DM_INLINE_NETWORK_3 any

And that in opened format its shown like this (also noticiable by all of the lines having the same line number)

  access-list acl_DMZ line 1 extended permit ip 10.11.12.0 255.255.255.0 any (hitcnt=0) 0x78859c06

  access-list acl_DMZ line 1 extended permit ip 192.168.1.0 255.255.255.0 any (hitcnt=0) 0x147dd28d

  access-list acl_DMZ line 1 extended permit ip 192.168.254.0 255.255.255.0 any (hitcnt=0) 0x88d63265

There is no other way of removing the single line from the above other than removing the network-object from under the "object-group". Naturally this might not be possible if the object is used somewhere else also?

The solution in this case would therefore be that you add ACL rules for the above 2 rules you want to still keep (naturally you can add the "line x" to the below configuration)

  access-list acl_DMZ permit ip 192.168.1.0 255.255.255.0 any

  access-list acl_DMZ permit ip 192.168.254.0 255.255.255.0 any

And finally remove the configuration line

access-list acl_DMZ line 1 extended permit ip object-group DM_INLINE_NETWORK_3 any

After this you would be left with the above configured 2 lines (without using the "object-group") and the line you wanted to remove would not be part of the rules anymore.

I dont think there is any other way of doing this since we are talking about an ACL ACE (Access Rule Entry) that uses an "object-group". Naturally for (hitcount=0) rules that dont use "object-group" you can just delete with the "no" parameter in front.

- Jouni

The above is a test access-list. What I'm really working with is something much larger where there are a few thousand rules with hundreds of thousands of ACE's. What I think I need to do is create ACLs that are the ACEs that are not hitcount 0 and then delete the rule with the hitcount 0 ACE's.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: