01-16-2013 03:24 AM - edited 03-04-2019 06:43 PM
Hello All,
Sorry for this small question, I'm in a bit of confusion.
I've a switch with a standard access-list which has more than 100 subnets permitted. Now I would like to deny one permitted subnet from the same standard access list.
What is the best way to deny a specific subnet which is already permitted on the standard access-list?
If I use no access-list 1 10.0.0.0 255.0.0.0, I'm ending up with deleting the whole access list 1.
Please suggest
01-16-2013 03:36 AM
Hello Suryanarayana,
you cannot modify the existing ACL on the fly, because, as you have noted, if you try to delete one statement you delete the whole ACL!
The usual way to deal with this is the following:
Copy the configuration lines of the ACL to a text editor from first line to last
you can use
show run | include access-list 1
to get the desired output
On the text editor do the following:
change the ACL number to a new number for example 83 (must be in the same range according to ACL type)
make all the necessary changes; in your case you put an initial line with the new deny statement, or you can remove the permit line used up to now.
Take the new ACL from the text editor and copy it into the device configuration to create the new ACL.
Change the configuration so that where access-list 1 was used, the new ACL 83 is used instead,
example
no ip access-group 1
ip access-group 83
Hope to help
Giuseppe
01-16-2013 03:37 AM
If your IOS supports it, you can do:
ip access-list standard 1
Then when you're in the ACL you can enter the line number that you want to insert. Assuming you have numbers 10, 20, 30, etc., you could insert 5 like:
5 deny x.x.x.x
If your IOS doesn't support the above syntax, you'd need to copy the ACL into a text editor, make your changes, copy everything, delete the existing ACL and then paste in the "new" ACL that you just copied and modified in your text editor.
HTH,
John
*** Please rate all useful posts ***
01-16-2013 03:57 AM
Hello Giuseppe Larosa/John Blakley,
Thanks for your reply,
Instead of editing with a text file, deleting the access list and then copying the same access list back, I've done it the following way:
The following example sets a deny condition for a standard access list named Internetfilter:
ip access-list standard 10
deny 192.5.34.0 0.0.0.255
permit 128.88.0.0 0.0.255.255
permit 36.0.0.0 0.255.255.255
! (Note: all other access implicitly denied)
After this, when I see the running configuration,
I can see the first statement with permit 192.5.34.0 0.0.0.255
and then at the bottom of ACL 10 I can see the deny 192.5.34.0 0.0.0.255 statement; still traffic is allowed
as it is matching the first statement.
The best thing is to use a text editor and copy.
01-16-2013 06:26 AM
Hi,
the easiest way, if you have an IOS supporting it, is John's way:
- show access-list xxxx will give you line numbers
- add your deny with a line number which is the lowest, by calling the access-list as a named access-list
- delete the line with the permit statement
Regards.
Alain
Don't forget to rate helpful posts.
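Added here as an illustration, not code from the thread or from Cisco: a small Python model of first-match standard ACL evaluation, run against the two orderings discussed above (the deny appended at the bottom, as in the third post, versus inserted with a lower sequence number, as John and Alain describe). The addresses and wildcards are constructed sample values taken from the example posted.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed model (not from the thread) of how IOS evaluates a standard ACL:
# top-down, first match wins, implicit deny at the end. A wildcard mask is an
# inverted netmask: 0 bits must match, 1 bits are "don't care".

def parse_acl(lines: List[str]) -> List[Tuple[int, str, int, int]]:
    """Parse '10 permit 10.0.0.0 0.255.255.255' style lines into sorted
    (seq, action, network, wildcard) tuples; unnumbered lines get 10, 20, ..."""
    entries = []
    for n, line in enumerate(lines, start=1):
        parts = line.split()
        if parts[0].isdigit():
            seq, parts = int(parts[0]), parts[1:]
        else:
            seq = n * 10
        action, net = parts[0], parts[1]
        if net == "any":
            net, wc = "0.0.0.0", "255.255.255.255"
        else:  # "a.b.c.d wildcard", or a bare address meaning a single host
            wc = parts[2] if len(parts) > 2 else "0.0.0.0"
        entries.append((seq, action, int(ipaddress.IPv4Address(net)),
                        int(ipaddress.IPv4Address(wc))))
    return sorted(entries, key=lambda e: e[0])

def evaluate(entries, src: str) -> Tuple[str, Optional[int]]:
    """Return (action, matching seq); ("deny", None) is the implicit deny."""
    addr = int(ipaddress.IPv4Address(src))
    for seq, action, net, wc in entries:
        care = ~wc & 0xFFFFFFFF  # the bits this entry actually compares
        if (addr & care) == (net & care):
            return action, seq
    return "deny", None

def check(lines: List[str], src: str) -> Tuple[str, Optional[int]]:
    return evaluate(parse_acl(lines), src)

# What the third post did: the deny is appended after the existing permit.
APPENDED = ["permit 192.5.34.0 0.0.0.255",
            "permit 128.88.0.0 0.0.255.255",
            "deny 192.5.34.0 0.0.0.255"]
# John's/Alain's way: insert the deny with a lower sequence number than the permit.
INSERTED = ["5 deny 192.5.34.0 0.0.0.255",
            "10 permit 192.5.34.0 0.0.0.255",
            "20 permit 128.88.0.0 0.0.255.255"]

if __name__ == "__main__":
    print(check(APPENDED, "192.5.34.7"))  # ('permit', 10): the deny is never reached
    print(check(INSERTED, "192.5.34.7"))  # ('deny', 5)
```

On the device, show access-list 10 displays the entries with their sequence numbers in the same order this model evaluates them, which is the check to run after the edit.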