Need to remove ACL in ASR 1002

Hi Team,

I need to remove an extended ACL entry from an ASR 1002 router. When I remove one line of the extended ACL, the whole ACL in that range (e.g. 105) gets removed.

Can anyone help me out?

For example:

No access-list 105 permit tcp host 172.X.X.X.X Y.Y.Y.Y 0 0.0.0.255

If I do this, everything related to ACL 105 is removed. So how can I remove this one rule alone?

Hope you got my point. If not, please let me know.

Thanks in advance!

Thanks and regards, Chandhuru.M
Accepted Solution

Iulian Vaideanu (Level 4)

asr1#conf t
asr1(config)#ip access-list extended 105
asr1(config-ext-nacl)#no permit tcp host 172.X.X.X Y.Y.Y.Y 0 0.0.0.255
asr1(config-ext-nacl)#^Z
asr1#


Hi Iulian,

Thanks for your quick reply.

If I do it as you said, will it not affect the other rules in the existing extended ACL?

Thanks and regards, Chandhuru.M

Here's my complete session on my device (check that the ACL doesn't exist, create it, check that it's there, remove the first line only, check that the second line is still there):

asr1#sh run | i list 105
asr1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
asr1(config)#access-list 105 permit tcp host 10.10.11.1 192.168.10.0 0.0.0.255
asr1(config)#access-list 105 permit tcp host 10.10.11.2 192.168.10.0 0.0.0.255
asr1(config)#^Z
asr1#sh run | i list 105
access-list 105 permit tcp host 10.10.11.1 192.168.10.0 0.0.0.255
access-list 105 permit tcp host 10.10.11.2 192.168.10.0 0.0.0.255
asr1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
asr1(config)#ip acce
asr1(config)#ip access-list ex
asr1(config)#ip access-list extended 105
asr1(config-ext-nacl)#no permit tcp host 10.10.11.1 192.168.10.0 0.0.0.255
asr1(config-ext-nacl)#^Z
asr1#sh run | i list 105
access-list 105 permit tcp host 10.10.11.2 192.168.10.0 0.0.0.255
asr1#

Thanks!

I'll check and update you with the result.

Thanks and regards, Chandhuru.M

Hello Chandhuru,

Be aware that what Iulian did is to create a named extended ACL with name 105.

With a named extended ACL you can remove a single statement with no impact on other statements.

If you have configured a numbered ACL with number 105, things are different.

I mean, if you used

conf t
access-list 105 permit tcp host 10.10.11.11 192.168.10.0 0.0.0.255
access-list 105 permit tcp host 10.10.11.12 192.168.10.0 0.0.0.255

this is an older type of ACL, and here if you remove one line you remove the whole ACL (numbered ACL).

If this is your case, your best move is to configure a new numbered ACL, 106 for example, that contains all the lines except the one you want to delete, and then apply ACL 106 in place of ACL 105.

This was the old way to make this kind of change before the introduction of named ACLs.

Hope to help

Giuseppe

Hello Giuseppe,

I'll read more about named vs. numbered ACLs, but I did create the ACL "the old way" (conf t / access-list 105 permit ...) and then edited it in the "config-ext-nacl" mode, and it seemed to work...

Anyway, I forgot to recommend that he create another ACL and test on it before working on 105.

Hello Iulian,

The key point is the use of the extended keyword:

if you enter

ip access-list extended ?

it should ask you for a name.

You are creating a named extended ACL, as the prompt tells you:

config-ext-nacl means exactly that: the configuration mode of an extended named ACL.

Now, the ASR1000 may be so advanced that all ACLs are named ACLs, as happens in IOS XR on the ASR9000; in any case I preferred to advise the original poster of the potential risk of the suggested move.

Hope to help

Giuseppe
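As an added example (a constructed session, not a capture from any poster's device or from the thread): the named-mode edit Iulian shows, done by sequence number instead of by retyping the whole entry, followed by the swap-to-a-new-ACL approach Giuseppe describes, with a show command before and after each step so the operator can confirm that only the intended entry went away. The hostname asr1, ACLs 105 and 106, the addresses, and the interface GigabitEthernet0/0/0 are assumptions. IOS assigns sequence numbers (10, 20, ...) to the entries of an ACL and displays them in show ip access-lists; inside ip access-list extended mode, no followed by the sequence number removes just that entry.

```cisco
! Step 0: record what is there before touching anything
asr1# show ip access-lists 105
Extended IP access list 105
    10 permit tcp host 10.10.11.1 192.168.10.0 0.0.0.255
    20 permit tcp host 10.10.11.2 192.168.10.0 0.0.0.255
    30 deny ip any any log

! Method A: remove one entry by its sequence number (named-ACL mode on a numbered ACL)
asr1# configure terminal
asr1(config)# ip access-list extended 105
asr1(config-ext-nacl)# no 10
asr1(config-ext-nacl)# end

! Verify: entry 10 is gone, 20 and 30 are untouched
asr1# show ip access-lists 105
Extended IP access list 105
    20 permit tcp host 10.10.11.2 192.168.10.0 0.0.0.255
    30 deny ip any any log

! Method B (Giuseppe's approach): build a replacement ACL, swap it on the
! interface, then delete the old one. Re-applying ip access-group replaces
! the bound ACL in one command, so the interface is never left without an ACL.
asr1# configure terminal
asr1(config)# access-list 106 permit tcp host 10.10.11.2 192.168.10.0 0.0.0.255
asr1(config)# access-list 106 deny ip any any log
asr1(config)# interface GigabitEthernet0/0/0
asr1(config-if)# ip access-group 106 in
asr1(config-if)# end

! Verify the interface now filters with 106 before removing 105
asr1# show ip interface GigabitEthernet0/0/0 | include access list
  Outgoing access list is not set
  Inbound  access list is 106

asr1# configure terminal
asr1(config)# no access-list 105
asr1(config)# end
asr1# show ip access-lists 105
asr1#
```

Method A is the least disruptive when it works; Method B is the one to use if a device really does drop the whole numbered ACL on a single no access-list line, and in both cases the show commands before and after are what tell you which behaviour you actually got.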

Hi Giuseppe/Iulian,

Thanks for both your inputs. They will really help me in this case. I will do whichever doesn't impact my existing network and will keep you posted. Thanks!

Regards,

Chandhuru

Thanks and regards, Chandhuru.M