12-29-2019 01:05 PM
Hi Experts,
I was preparing for my ICND1 exam and was doing test exams from PearsonVue.
In the question, it was creating an extended numbered access list and wanted to remove a line. Out of two answers, I do not understand the last one, i.e. "Use the no 30 command in ACL 101 configuration mode".
If I am right, you can only go into ACL configuration mode with a named list. Is that correct? Or how is this answer correct?
Thanks in advance.
12-29-2019 01:35 PM
Hello,
you actually can delete sequence numbers from numbered access lists. Have a look at the syntax below:
Router(config)#ip access-list extended 101
Router(config-ext-nacl)#10 permit tcp any any eq 22
Router(config-ext-nacl)#20 permit tcp any any eq 23
Router(config-ext-nacl)#30 permit tcp any any eq 80
Router(config-ext-nacl)#40 permit tcp any any eq 443
Router(config-ext-nacl)#50 permit tcp any any eq 500
Router(config-ext-nacl)#end
results in:
access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq 500
Router(config)#ip access-list extended 101
Router(config-ext-nacl)#no 30
results in:
access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq 500
01-03-2020 09:36 AM
Thanks @Georg Pauwen.
I will try this out. Thanks for your help.
01-03-2020 11:55 AM
Hello
@ChinmayKulkarni wrote:
Hi Experts,
I was preparing for my ICND1 exam and was doing test exams from PearsonVue.
In the question, it was creating an extended numbered access list and wanted to remove a line. Out of two answers, I do not understand the last one, i.e. "Use the no 30 command in ACL 101 configuration mode".
If I am right, you can only go into ACL configuration mode with a named list. Is that correct? Or how is this answer correct?
Thanks in advance.
No, you're not correct. You can amend a standard and an extended ACL, so this means they can be either named or numbered ACLs.
So the two correct answers in the above question would be -
3 & 4
03-22-2023 08:29 AM - edited 03-22-2023 08:31 AM
To edit the named or numbered access control list (ACL):
To add a record mid-list: if you are trying to insert a new record into a list that has 10, 20, 30, 40 and you want it between 30 and 40, go to >> config, ip access-list ACLNAME. To add a record between 30 and 40:
35 permit ip 10.10.72.0/24 any
This will insert a record with sequence number 35, midway between 30 and 40.
To remove a record:
find the sequence number and then >> config, ip access-list ACLNAME
To remove line number 40 use:
no 40
This will remove the record with sequence number 40
Either of these methods will leave odd numbering sequences so to clean up, you can resequence the list:
(config-acl)# resequence ip access-list ACLNAME 10 10
And it will process the numbering starting from 10 with increments of 10.
I hope that helps.
Bryan McGann
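The two procedures above (Georg's "no 30" on numbered ACL 101, and Bryan's insert-between-30-and-40 / remove / resequence recipe) are easy to get wrong on a live device when the listing is long. The following is an added example, not code from this thread or from Cisco: a small Python planner that parses `show access-lists` output (which, unlike `show running-config`, prints sequence numbers for numbered and named ACLs alike), models remove, insert-by-sequence and resequence, and returns the exact commands to type so they can be reviewed first. It assumes IOS syntax (sub-mode `ip access-list {standard|extended} NAME`, global `ip access-list resequence NAME START STEP`), not NX-OS; the sample listing is constructed for the example, and the ACE text inserted in the worked scenario (`eq 8080`) is illustrative.

```python
"""Plan sequence-number edits to a Cisco IOS ACL from 'show access-lists' output.

Added example (not from the thread). It parses the 'show access-lists'
listing, models remove / insert / resequence, and returns the IOS commands
to type so you can review them before touching a live device.
Assumptions: IOS (not NX-OS) syntax, i.e. the sub-mode is
'ip access-list {standard|extended} NAME' and renumbering is the global
command 'ip access-list resequence NAME START STEP'.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

ACL_HEADER = re.compile(r"^(Standard|Extended) IP access list (\S+)\s*$")
# "    30 permit tcp any any eq www (12 matches)" -> seq, ACE text (hit count dropped)
ACE_LINE = re.compile(r"^\s+(\d+)\s+(.*?)(?:\s+\(\d+ matches?\))?\s*$")

# Constructed sample in the shape IOS prints; note IOS normalises 'eq 23' to 'eq telnet'.
SAMPLE_SHOW_ACCESS_LISTS = """\
Extended IP access list 101
    10 permit tcp any any eq 22
    20 permit tcp any any eq telnet
    30 permit tcp any any eq www (12 matches)
    40 permit tcp any any eq 443
    50 permit tcp any any eq 500
"""


@dataclass
class Acl:
    kind: str             # "Standard" or "Extended"
    name: str             # "101" or "test": same sub-mode and commands either way
    aces: dict[int, str]  # sequence number -> ACE text

    def submode(self) -> str:
        return f"ip access-list {self.kind.lower()} {self.name}"

    def render(self) -> list[str]:
        return [f"{seq} {text}" for seq, text in sorted(self.aces.items())]

    def remove(self, seq: int) -> list[str]:
        """'no <seq>' in the sub-mode. Refuses unknown numbers so a typo is caught here."""
        if seq not in self.aces:
            raise KeyError(f"ACL {self.name} has no sequence {seq}")
        del self.aces[seq]
        return [self.submode(), f"no {seq}"]

    def remove_by_text(self, text: str) -> list[str]:
        """'no <full ACE>' form; text must match the normalised show output."""
        seqs = [s for s, t in self.aces.items() if t == text]
        if len(seqs) != 1:
            raise KeyError(f"ACL {self.name}: {len(seqs)} entries match {text!r}")
        del self.aces[seqs[0]]
        return [self.submode(), f"no {text}"]

    def insert_after(self, after_seq: int, text: str) -> list[str] | None:
        """Pick a number strictly between after_seq and the next ACE (0 = top of list).
        Returns None when no gap is left, the failure mode resequence() exists for."""
        if after_seq and after_seq not in self.aces:
            raise KeyError(f"ACL {self.name} has no sequence {after_seq}")
        later = [s for s in self.aces if s > after_seq]
        if not later:
            new_seq = after_seq + 10          # append at the end with IOS's default step
        else:
            gap = min(later) - after_seq
            if gap < 2:
                return None
            new_seq = after_seq + gap // 2    # e.g. between 30 and 40 -> 35
        self.aces[new_seq] = text
        return [self.submode(), f"{new_seq} {text}"]

    def resequence(self, start: int = 10, step: int = 10) -> list[str]:
        """Global-config command; renumbers in place, keeping ACE order."""
        ordered = [t for _, t in sorted(self.aces.items())]
        self.aces = {start + i * step: t for i, t in enumerate(ordered)}
        return [f"ip access-list resequence {self.name} {start} {step}"]


def parse_show_access_lists(text: str) -> dict[str, Acl]:
    acls: dict[str, Acl] = {}
    current: Acl | None = None
    for line in text.splitlines():
        m = ACL_HEADER.match(line)
        if m:
            current = Acl(m.group(1), m.group(2), {})
            acls[current.name] = current
            continue
        m = ACE_LINE.match(line)
        if m and current is not None:
            current.aces[int(m.group(1))] = m.group(2)
    return acls


def plan_thread_edits(show_output: str) -> list[str]:
    """Worked scenario: drop seq 30 (the exam question), slot a hypothetical
    ACE between 20 and 40, then renumber 10/10 so the list is tidy again."""
    acl = parse_show_access_lists(show_output)["101"]
    cmds = acl.remove(30)
    cmds += acl.insert_after(20, "permit tcp any any eq 8080") or []
    cmds += acl.resequence(10, 10)
    return cmds


if __name__ == "__main__":
    print("\n".join(plan_thread_edits(SAMPLE_SHOW_ACCESS_LISTS)))
```

Run against the sample it prints the five commands for the scenario (`ip access-list extended 101`, `no 30`, `ip access-list extended 101`, `30 permit tcp any any eq 8080`, `ip access-list resequence 101 10 10`). The planner deliberately refuses a `no <seq>` for a number that is not in the list, and returns `None` instead of a command when two neighbouring ACEs leave no gap (30 and 31), which is the case where you resequence first and then insert.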
03-22-2023 09:12 AM
I recall (???) initially ACL editing, using ACE statement numbering, was limited to just named ACLs, but not too long after that Cisco extended the feature to non-named ACLs too.
BTW, another feature I recall (?) is you can also delete a named ACL ACE, while in ACL editing mode, by "noing" the whole ACE (i.e. without using a sequence number).
03-22-2023 03:01 PM
Brought up a 4331 in PT, and found ACL editor allows deletion, by just entering full ACE regardless whether ACL is named or not.
I.e.:
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip access-list extended 100
Router(config-ext-nacl)#permit ip host 1.1.1.1 any
Router(config-ext-nacl)#permit ip host 1.1.1.2 any
Router(config-ext-nacl)#permit ip host 1.1.1.3 any
Router(config-ext-nacl)#permit ip host 1.1.1.4 any
Router(config-ext-nacl)#permit ip host 1.1.1.5 any
Router(config-ext-nacl)#do sho run
Building configuration...
.
!
access-list 100 permit ip host 1.1.1.1 any
access-list 100 permit ip host 1.1.1.2 any
access-list 100 permit ip host 1.1.1.3 any
access-list 100 permit ip host 1.1.1.4 any
access-list 100 permit ip host 1.1.1.5 any
!
.
end
Router(config-ext-nacl)#no permit ip host 1.1.1.3 any
Router(config-ext-nacl)#do sh run
Building configuration...
.
!
access-list 100 permit ip host 1.1.1.1 any
access-list 100 permit ip host 1.1.1.2 any
access-list 100 permit ip host 1.1.1.4 any
access-list 100 permit ip host 1.1.1.5 any
!
.
end
Router(config-ext-nacl)#ip access-list extended test
Router(config-ext-nacl)#permit ip host 1.1.1.1 any
Router(config-ext-nacl)#permit ip host 1.1.1.2 any
Router(config-ext-nacl)#permit ip host 1.1.1.3 any
Router(config-ext-nacl)#permit ip host 1.1.1.4 any
Router(config-ext-nacl)#permit ip host 1.1.1.5 any
Router(config-ext-nacl)#do sh run
Building configuration...
.
!
ip access-list extended test
permit ip host 1.1.1.1 any
permit ip host 1.1.1.2 any
permit ip host 1.1.1.3 any
permit ip host 1.1.1.4 any
permit ip host 1.1.1.5 any
!
.
end
Router(config-ext-nacl)#no permit ip host 1.1.1.3 any
Router(config-ext-nacl)#do sh run
Building configuration...
.
!
ip access-list extended test
permit ip host 1.1.1.1 any
permit ip host 1.1.1.2 any
permit ip host 1.1.1.4 any
permit ip host 1.1.1.5 any
!
.
end
Router(config-ext-nacl)#do sho access
Extended IP access list 100
10 permit ip host 1.1.1.1 any
20 permit ip host 1.1.1.2 any
40 permit ip host 1.1.1.4 any
50 permit ip host 1.1.1.5 any
Extended IP access list test
10 permit ip host 1.1.1.1 any
20 permit ip host 1.1.1.2 any
40 permit ip host 1.1.1.4 any
50 permit ip host 1.1.1.5 any
03-22-2023 12:05 PM
Hello
You can edit extended or standard access-lists, named or not, without deleting the entire access-list and re-creating it:
sh access-lists
Standard IP access list 1
10 permit 1.1.1.1
20 permit 1.1.1.2
30 permit 1.1.1.3
40 permit 1.1.1.4
50 permit 1.1.1.5
Extended IP access list 100
10 permit ip host 1.1.1.1 any
20 permit ip host 1.1.1.2 any
30 permit ip host 1.1.1.3 any
40 permit ip host 1.1.1.4 any
50 permit ip host 1.1.1.5 any
ip access-list standard 1
no 20
20 permit 1.1.1.22
ip access-list extended 100
no 20
20 permit ip host 1.1.1.22 any