Access List - Removal of a line in an access list in router

ChinmayKulkarni
Level 1

Hi Experts,

I was preparing for my ICND1 exam and was doing test exams from PearsonVue.

In the question, it was creating an extended numbered access list and wanted to remove a line. Out of two answers, I do not understand the last one, i.e. "Use the no 30 command in ACL 101 configuration mode".

If I am right, you can only go into ACL configuration in a named list. Is that correct? Or how is this answer correct?

Thanks in advance.

[Attachment: CCENTAskQuestion.PNG]

7 Replies

Hello,

you actually can delete sequence numbers from numbered access lists. Have a look at the syntax below:

Router(config)#ip access-list extended 101
Router(config-ext-nacl)#10 permit tcp any any eq 22
Router(config-ext-nacl)#20 permit tcp any any eq 23
Router(config-ext-nacl)#30 permit tcp any any eq 80
Router(config-ext-nacl)#40 permit tcp any any eq 443
Router(config-ext-nacl)#50 permit tcp any any eq 500
Router(config-ext-nacl)#end

results in:

access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq 500

Router(config)#ip access-list extended 101
Router(config-ext-nacl)#no 30

results in:

access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq 500

Thanks @Georg Pauwen.

I will try this out. Thanks for your help.

Hello


No, you're not correct: you can amend a standard and an extended ACL, so this means they can be either named or numbered ACLs.

So the two correct answers in the above question would be:

3 & 4

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

To edit a named or numbered access control list (ACL):

To add a record mid-list: if you are trying to insert a new record into a list that has 10, 20, 30, 40 and you want it between 30 and 40, go to config, ip access-list ACLNAME. To add a record between 30 and 40:
35 permit ip 10.10.72.0/24 any
This will insert a record with sequence number 35, midway between 30 and 40.

To remove a record:
find the sequence number and then go to config, ip access-list ACLNAME.
To remove line number 40 use:
no 40
This will remove the record with sequence number 40.

Either of these methods will leave odd numbering sequences, so to clean up you can resequence the list:
(config-acl)# resequence ip access-list ACLNAME 10 10
And it will process the numbering starting from 10 with increments of 10.

I hope that helps.
Bryan McGann

Joseph W. Doherty
Hall of Fame

I recall (???) initially ACL editing, using ACE statement numbering, was limited to just named ACLs, but not too long after that Cisco extended the feature to non-named ACLs too.

BTW, another feature I recall (?) is you can also delete a named ACL ACE, while in ACL editing mode, by "noing" the whole ACE (i.e. without using a sequence number).

Brought up a 4331 in PT, and found the ACL editor allows deletion by just entering the full ACE, regardless of whether the ACL is named or not.

I.e.:

Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip access-list extended 100
Router(config-ext-nacl)#permit ip host 1.1.1.1 any
Router(config-ext-nacl)#permit ip host 1.1.1.2 any
Router(config-ext-nacl)#permit ip host 1.1.1.3 any
Router(config-ext-nacl)#permit ip host 1.1.1.4 any
Router(config-ext-nacl)#permit ip host 1.1.1.5 any
Router(config-ext-nacl)#do sho run
Building configuration...
.
!
access-list 100 permit ip host 1.1.1.1 any
access-list 100 permit ip host 1.1.1.2 any
access-list 100 permit ip host 1.1.1.3 any
access-list 100 permit ip host 1.1.1.4 any
access-list 100 permit ip host 1.1.1.5 any
!
.
end
Router(config-ext-nacl)#no permit ip host 1.1.1.3 any
Router(config-ext-nacl)#do sh run
Building configuration...
.
!
access-list 100 permit ip host 1.1.1.1 any
access-list 100 permit ip host 1.1.1.2 any
access-list 100 permit ip host 1.1.1.4 any
access-list 100 permit ip host 1.1.1.5 any
!
.
end
Router(config-ext-nacl)#ip access-list extended test
Router(config-ext-nacl)#permit ip host 1.1.1.1 any
Router(config-ext-nacl)#permit ip host 1.1.1.2 any
Router(config-ext-nacl)#permit ip host 1.1.1.3 any
Router(config-ext-nacl)#permit ip host 1.1.1.4 any
Router(config-ext-nacl)#permit ip host 1.1.1.5 any
Router(config-ext-nacl)#do sh run
Building configuration...
.
!
ip access-list extended test
permit ip host 1.1.1.1 any
permit ip host 1.1.1.2 any
permit ip host 1.1.1.3 any
permit ip host 1.1.1.4 any
permit ip host 1.1.1.5 any
!
.
end
Router(config-ext-nacl)#no permit ip host 1.1.1.3 any
Router(config-ext-nacl)#do sh run
Building configuration...
.
!
ip access-list extended test
permit ip host 1.1.1.1 any
permit ip host 1.1.1.2 any
permit ip host 1.1.1.4 any
permit ip host 1.1.1.5 any
!
.
end
Router(config-ext-nacl)#do sho access
Extended IP access list 100
10 permit ip host 1.1.1.1 any
20 permit ip host 1.1.1.2 any
40 permit ip host 1.1.1.4 any
50 permit ip host 1.1.1.5 any
Extended IP access list test
10 permit ip host 1.1.1.1 any
20 permit ip host 1.1.1.2 any
40 permit ip host 1.1.1.4 any
50 permit ip host 1.1.1.5 any

Hello

You can edit extended or standard access-lists, named or not, without deleting the entire access-list and re-creating it:

sh access-lists
Standard IP access list 1
10 permit 1.1.1.1
20 permit 1.1.1.2
30 permit 1.1.1.3
40 permit 1.1.1.4
50 permit 1.1.1.5

Extended IP access list 100
10 permit ip host 1.1.1.1 any
20 permit ip host 1.1.1.2 any
30 permit ip host 1.1.1.3 any
40 permit ip host 1.1.1.4 any
50 permit ip host 1.1.1.5 any

ip access-list standard 1
no 20
20 permit 1.1.1.22

ip access-list extended 100
no 20
20 permit ip host 1.1.1.22 any


Kind Regards
Paul
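To pull the thread's commands together, here is an added example (mine, not Cisco code and not any poster's) that models in Python the editing behaviour shown in Georg's, Bryan's, Joseph's and Paul's posts: sequence numbers are assigned in steps of 10, `no <seq>` and `no <full ACE>` each remove exactly one entry, an entry typed with its own sequence number lands mid-list, a numbered ACL is rendered in the running config as flat `access-list N ...` lines without sequence numbers while `show access-lists` shows them, and a resequence renumbers from a start value in fixed steps. The `AclEditor` class, its method names, the `% ...` error strings and the sample entries are all assumptions made for the illustration; the model does not translate port numbers into IOS keywords the way the real `show running-config` does (23 to telnet, 80 to www in Georg's output). Two caveats a practitioner wants: on IOS the resequence command is `ip access-list resequence NAME start step`, typed in global configuration mode (the `resequence ip access-list` form in Bryan's post is NX-OS syntax), and the reason the in-place edit matters is that in global configuration mode `no access-list 101 <ace>` removes the whole numbered list rather than one line, and an interface whose `ip access-group` references an ACL that no longer exists passes all traffic until the list is rebuilt. The last function models that global-mode pitfall next to the safe sub-mode edits.

```python
"""IOS-style ACL editing by sequence number, modelled in Python.
Added example for this thread (not Cisco code and not any poster's code); the
class names, method names, error strings and sample entries are assumptions."""
import re


class AclEditor:
    """One standard or extended ACL; `name` is "101" (numbered) or "test" (named)."""

    def __init__(self, kind, name):
        self.kind = kind        # "standard" or "extended"
        self.name = name
        self.entries = {}       # sequence number -> ACE text, e.g. "permit tcp any any eq 22"

    def _next_seq(self):
        # IOS numbers an entry typed without a sequence as (highest existing + 10); first is 10.
        return max(self.entries, default=0) + 10

    def add(self, ace, seq=None):
        """`[seq] permit|deny ...` in ACL sub-mode; returns the sequence number used."""
        seq = self._next_seq() if seq is None else int(seq)
        if seq in self.entries:
            raise ValueError(f"% Duplicate sequence number {seq}")   # message wording assumed
        if ace in self.entries.values():
            raise ValueError("% Duplicate entry")                   # message wording assumed
        self.entries[seq] = ace
        return seq

    def remove_seq(self, seq):
        """`no 30`: removes exactly one entry and returns its text."""
        return self.entries.pop(int(seq))

    def remove_ace(self, ace):
        """`no permit ip host 1.1.1.3 any`: delete by full ACE text; returns its sequence."""
        for seq, text in self.entries.items():
            if text == ace:
                del self.entries[seq]
                return seq
        raise KeyError(ace)

    def resequence(self, start=10, step=10):
        """IOS: `ip access-list resequence NAME start step` (global config, not ACL sub-mode)."""
        ordered = [self.entries[s] for s in sorted(self.entries)]
        self.entries = {start + i * step: ace for i, ace in enumerate(ordered)}

    def aces(self):
        """(seq, ace) pairs in evaluation order."""
        return [(s, self.entries[s]) for s in sorted(self.entries)]

    def show_access_lists(self):
        """`show access-lists`: sequence numbers are visible for named and numbered lists alike."""
        head = f"{self.kind.capitalize()} IP access list {self.name}"
        return "\n".join([head] + [f"    {s} {ace}" for s, ace in self.aces()])

    def show_run(self):
        """`show running-config` view: a numbered ACL is flattened to `access-list N ...`
        lines with no sequence numbers, a named ACL is a block. Port keywords not translated."""
        if self.name.isdigit():
            return "\n".join(f"access-list {self.name} {ace}" for _, ace in self.aces())
        return "\n".join([f"ip access-list {self.kind} {self.name}"]
                         + [f" {ace}" for _, ace in self.aces()])

    def cli(self, line):
        """Apply one ACL sub-mode command exactly as typed in the posts above."""
        line = " ".join(line.split())
        if m := re.fullmatch(r"no (\d+)", line):
            return self.remove_seq(m.group(1))
        if m := re.fullmatch(r"no ((?:permit|deny) .+)", line):
            return self.remove_ace(m.group(1))
        if m := re.fullmatch(r"(\d+) ((?:permit|deny) .+)", line):
            return self.add(m.group(2), m.group(1))
        if re.fullmatch(r"(?:permit|deny) .+", line):
            return self.add(line)
        raise ValueError(f"% Invalid input: {line!r}")


def global_no_access_list(acls, line):
    """Global-config `no access-list N <anything>` on IOS: the trailing ACE text is ignored
    and the WHOLE numbered list N goes away. `acls` is a name -> AclEditor dict."""
    m = re.fullmatch(r"no access-list (\d+)(?: .*)?", " ".join(line.split()))
    if not m or m.group(1) not in acls:
        raise ValueError(f"% Invalid input: {line!r}")
    return acls.pop(m.group(1))


def thread_walkthrough():
    """Replays the edits from the posts above on one numbered ACL and returns it."""
    acl = AclEditor("extended", "101")
    for port in (22, 23, 80, 443, 500):                 # Georg's five entries,
        acl.cli(f"permit tcp any any eq {port}")        # auto-numbered 10..50
    acl.cli("no 30")                                    # Georg: drop the port-80 line
    acl.cli("35 permit ip 10.10.72.0 0.0.0.255 any")    # Bryan's insert, IOS wildcard form
    acl.cli("no permit tcp any any eq 500")             # Joseph: delete by full ACE
    acl.cli("no 20")                                    # Paul: replace seq 20 in place
    acl.cli("20 permit tcp host 10.10.72.5 any eq 23")
    acl.resequence(10, 10)                              # Bryan: clean up the numbering
    return acl
```

Run `thread_walkthrough()` and print `show_access_lists()` next to `show_run()` to see why the question confused the poster: the numbered list carries sequence numbers internally, but the running config of a numbered ACL never shows them, so `no 30` only makes sense once you look at `show access-lists`. Compare `acl.cli("no 30")`, which returns the single removed entry, with `global_no_access_list(store, "no access-list 101 permit tcp any any eq 22")`, which hands back the entire list.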