
Standard Access lists

Chts
Level 1

Hello All,

Sorry for this small question, I'm a bit confused.

I have a switch with a standard access-list which has more than 100 subnets permitted. Now I would like to deny one permitted subnet from the same standard access list.

What is the best way to deny a specific subnet which is already permitted on the standard access-list?

If I use no access-list 1 10.0.0.0 255.0.0.0, I end up deleting the whole access list 1.

Please suggest


Giuseppe Larosa
Hall of Fame

Hello Suryanarayana,

You cannot modify the existing ACL on the fly, because, as you have noted, if you try to delete one statement you delete the whole ACL!

The usual way to deal with this is the following:

Copy the configuration lines of the ACL to a text editor, from the first line to the last.

You can use

show run | include access-list 1

to get the desired output.

On the text editor do the following:

Change the ACL number to a new number, for example 83 (it must be in the same range according to the ACL type).

Make all the necessary changes: in your case, put an initial line with the new deny statement, or remove the permit line used up to now.

Take the new ACL from the text editor and copy it into the device configuration to create the new ACL.

Change the configuration so that, where access-list 1 was used, the new ACL 83 is used instead.

Example:

no ip access-group 1

ip access-group 83

Hope this helps,

Giuseppe

John Blakley
VIP Alumni

If your IOS supports it, you can do:

ip access-list standard 1

Then, when you're in the ACL, you can enter the line number at which you want to insert. Assuming you have numbers 10, 20, 30, etc., you could insert 5 like:

5 deny x.x.x.x

If your IOS doesn't support the above syntax, you'd need to copy the ACL into a text editor, make your changes, copy everything, delete the existing ACL and then paste in the "new" ACL that you just copied and modified in your text editor.

HTH,
John

*** Please rate all useful posts ***

Hello Giuseppe Larosa/John Blakley,

Thanks for your reply,

Instead of editing a text file, deleting the access list and then copying the same access list back, I did it the following way:

Example

The following example sets a deny condition for a standard access list named Internetfilter:

ip access-list standard 10
 deny 192.5.34.0 0.0.0.255
 permit 128.88.0.0 0.0.255.255
 permit 36.0.0.0 0.255.255.255
! (Note: all other access implicitly denied)


After this, when I look at the running configuration,

I can see the first statement with permit 192.5.34.0 0.0.0.255,

and then at the bottom of ACL 10 I can see the deny 192.5.34.0 0.0.0.255 statement; still, traffic is allowed,
as it is matching the first statement.

The best thing is to use a text editor and copy.

Hi,

The easiest way, if you have an IOS supporting it, is John's way:

- show access-list xxxx will give you the line numbers

- add your deny with a line number which is the lowest, by calling the access-list as a named access-list

- delete the line with the permit statement

Regards.

Alain

Don't forget to rate helpful posts.
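To make the first-match behaviour behind the two posts above concrete (the deny that landed at the bottom of ACL 10 and never fired, versus the deny inserted with sequence number 5 as John and Alain describe), here is an added example that is not from this thread or from Cisco: a small Python simulation of how IOS evaluates a standard ACL, using the thread's ACL 10 as constructed input. The sequence numbers (10, 20, 30, and 40 for the appended deny) and the test addresses are constructed assumptions.

```python
"""Simulate Cisco IOS standard ACL evaluation: first match wins, in sequence
order, with an implicit 'deny any' at the end. Wildcard masks are the inverse of
subnet masks (a 0 bit must match, a 1 bit is ignored)."""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

class Entry(NamedTuple):
    seq: int
    action: str      # "permit" or "deny"
    addr: int        # network address as an integer
    wildcard: int    # wildcard mask as an integer

def parse_entry(line: str) -> Entry:
    """Parse an entry such as '10 permit 192.5.34.0 0.0.0.255' (named-ACL syntax)."""
    seq, action, addr, wildcard = line.split()
    return Entry(int(seq), action,
                 int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wildcard)))

def matches(entry: Entry, src: str) -> bool:
    care = ~entry.wildcard & 0xFFFFFFFF   # bits the entry actually tests
    return (int(ipaddress.IPv4Address(src)) & care) == (entry.addr & care)

def evaluate(acl: List[Entry], src: str) -> Tuple[str, Optional[int]]:
    """Return (action, seq) of the first matching entry, or ('deny', None) for the implicit deny."""
    for entry in sorted(acl, key=lambda e: e.seq):
        if matches(entry, src):
            return entry.action, entry.seq
    return "deny", None

# Constructed ACL 10 from the thread: the subnet to be blocked is permitted on line 10.
ACL_10 = [parse_entry(l) for l in (
    "10 permit 192.5.34.0 0.0.0.255",
    "20 permit 128.88.0.0 0.0.255.255",
    "30 permit 36.0.0.0 0.255.255.255",
)]

def append_deny_at_bottom(acl: List[Entry]) -> List[Entry]:
    """'deny 192.5.34.0 0.0.0.255' typed without a sequence number is appended (seq 40 here,
    a constructed value), so line 10 still permits the subnet."""
    return acl + [parse_entry("40 deny 192.5.34.0 0.0.0.255")]

def insert_deny_with_low_seq(acl: List[Entry]) -> List[Entry]:
    """'5 deny ...' goes ahead of line 10; 'no 10' then removes the redundant permit."""
    return [e for e in acl if e.seq != 10] + [parse_entry("5 deny 192.5.34.0 0.0.0.255")]

if __name__ == "__main__":
    for label, acl in (("appended", append_deny_at_bottom(ACL_10)),
                       ("inserted", insert_deny_with_low_seq(ACL_10))):
        print(label, evaluate(acl, "192.5.34.7"), evaluate(acl, "10.1.1.1"))
```

Verifying with show access-list after the change is still the practical check: the sequence numbers it prints are exactly the order the simulation sorts by.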
