11-14-2011 09:38 AM - edited 03-07-2019 03:22 AM
I have a question regarding the 3925 router. In the past on my old 3660s, in order to add a new line to an ACL, I would have to remove the entire ACL and re-add it when adding new ACL lines to the list. Is this required on the 3925s, or is it like the ASA 5520s where you can just add an ACL any old time without having to remove/add the entire ACL list?
Thank you in advance!
11-14-2011 10:07 AM
Hi,
For standard and extended ACLs the rule is still the same: you have to wipe out the entire ACL and reconfigure the new one, BUT as there is now support for named ACLs, you can modify any standard or extended ACL by using the named syntax to add/remove ACE entries.
Here is an example:
access-list 100 permit tcp any host x.x.x.x eq 80
access-list 100 deny udp any host x.x.x.x eq 53
access-list 100 permit ip any any
If you do a show access-list 100 you'll see line numbers, by default:
10 access-list 100 permit tcp any host x.x.x.x eq 80
20 access-list 100 deny udp any host x.x.x.x eq 53
30 access-list 100 permit ip any any
Then suppose you want to insert a new line between the first and second; do it like this:
ip access-list 100 extended
15 deny tcp any host x.x.x.x eq 443
Regards.
Alain
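The following is an added example, not code from the thread or from Cisco: a small Python model of how IOS walks a sequence-numbered extended ACL (first matching ACE wins, implicit deny at the end). It builds the three-line ACL above with its default sequence numbers 10/20/30, inserts the "deny tcp ... eq 443" entry at 15 using the named-ACL idea, and also models "no <seq>" and "ip access-list resequence". It goes one step beyond the post by showing why the sequence number matters: the same deny placed at 35 lands after "permit ip any any" and never matches. The host address 192.0.2.10 is a constructed placeholder for the thread's x.x.x.x, and the Ace/ExtendedAcl names are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample address (RFC 5737 TEST-NET-1); the thread uses x.x.x.x.
HOST = "192.0.2.10"


@dataclass(frozen=True)
class Ace:
    """One access-control entry in the shape used in the thread:
    <action> <proto> any <dst> [eq <port>]  (source is always 'any' here)."""
    seq: int
    action: str              # "permit" or "deny"
    proto: str               # "ip", "tcp" or "udp"
    dst: str                 # "any" or a host address
    dport: Optional[int] = None

    def matches(self, proto: str, dst: str, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.dst != "any" and self.dst != dst:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True

    def to_ios(self) -> str:
        dst = "any" if self.dst == "any" else f"host {self.dst}"
        port = f" eq {self.dport}" if self.dport is not None else ""
        return f"{self.seq} {self.action} {self.proto} any {dst}{port}"


class ExtendedAcl:
    """Sequence-numbered extended ACL with first-match, implicit-deny semantics."""

    def __init__(self, number: int) -> None:
        self.number = number
        self.entries: Dict[int, Ace] = {}

    def add(self, ace: Ace) -> None:
        # IOS rejects a duplicate sequence number instead of overwriting the ACE.
        if ace.seq in self.entries:
            raise ValueError(f"Duplicate sequence number {ace.seq}")
        self.entries[ace.seq] = ace

    def remove(self, seq: int) -> None:
        # Equivalent of 'no <seq>' inside 'ip access-list extended <n>'.
        del self.entries[seq]

    def ordered(self) -> List[Ace]:
        return [self.entries[s] for s in sorted(self.entries)]

    def evaluate(self, proto: str, dst: str, dport: Optional[int] = None) -> str:
        """Action of the first matching ACE, or 'deny' from the implicit deny."""
        for ace in self.ordered():
            if ace.matches(proto, dst, dport):
                return ace.action
        return "deny"

    def resequence(self, start: int = 10, step: int = 10) -> None:
        """Mirror 'ip access-list resequence <n> <start> <step>'."""
        renumbered: Dict[int, Ace] = {}
        for i, ace in enumerate(self.ordered()):
            seq = start + i * step
            renumbered[seq] = Ace(seq, ace.action, ace.proto, ace.dst, ace.dport)
        self.entries = renumbered

    def to_ios(self) -> List[str]:
        """Named-syntax commands that would reproduce this ACL on the router."""
        return [f"ip access-list extended {self.number}"] + [a.to_ios() for a in self.ordered()]


def build_thread_acl() -> ExtendedAcl:
    """The three-line ACL from the thread with default sequence numbers 10/20/30."""
    acl = ExtendedAcl(100)
    acl.add(Ace(10, "permit", "tcp", HOST, 80))
    acl.add(Ace(20, "deny", "udp", HOST, 53))
    acl.add(Ace(30, "permit", "ip", "any"))
    return acl


def insert_https_deny(acl: ExtendedAcl, seq: int) -> ExtendedAcl:
    """Insert 'deny tcp any host HOST eq 443' at the given sequence number."""
    acl.add(Ace(seq, "deny", "tcp", HOST, 443))
    return acl


if __name__ == "__main__":
    acl = build_thread_acl()
    print("before:", acl.evaluate("tcp", HOST, 443))       # permit (matched by 30)
    insert_https_deny(acl, 15)
    print("after :", acl.evaluate("tcp", HOST, 443))       # deny   (matched by 15)
    print("\n".join(acl.to_ios()))
    shadowed = insert_https_deny(build_thread_acl(), 35)
    print("at 35 :", shadowed.evaluate("tcp", HOST, 443))  # permit: 30 matches first
```

The practical check this encodes: after inserting with a sequence number, compare the order in show access-lists against the intended policy, because an ACE appended after the final permit ip any any is accepted by the parser but is dead. Resequencing afterwards restores the 10-spacing so future inserts have room.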
11-14-2011 12:33 PM
"ip access-list 100 extended" (should be "extended 100")
ip access-list extended 100 worked
Thank you