New with Cisco 4507, Access List question

Oct 4, 2006
I know this is probably a really easy question, but this is what I get when I have a consultant set things up and I don't remember how to do things.

We have a 4507 that is our core switch. We have two firewalls that go to different internet providers, but dump onto the same network (172.20.100.x). We've selected two machines that use a different default route, sending traffic out the backup circuit. The problem is the devices are on the 172.20.1.x network. Our way around this was to create an access list, add the two machines to the access list and then build a route map. If those devices spoke on the network, it would force the default route out 172.20.100.9 instead of 172.20.1.1.

I'd like to remove one machine from this access list because it isn't working as well as I wanted. I just don't want to wipe out the entire access list and have to recreate something. Here's a snippet of the config:
interface Vlan4

ip address 172.20.1.1 255.255.255.0
ip helper-address 172.20.30.19
ip helper-address 172.20.1.73
ip policy route-map SSL

logging trap notifications
access-list 1 permit 172.20.1.28
access-list 1 permit 172.20.1.75
!
route-map SSL permit 10
match ip address 1
set ip next-hop 172.20.100.9
!
route-map ssl permit 10

Thanks in advance
 
You can't remove a line from a numbered access list, you will need to recreate the access list with just the host you want in it.
 
You most certainly can add and remove lines in a numbered ACL; it depends on the IOS. These days, that functionality is built into all of them.

Edge#sh access-list
Standard IP access list 1
10 permit 10.0.0.0, wildcard bits 0.255.255.255
Extended IP access list 101
10 deny ip any 10.68.68.68 0.0.0.3 (18191 matches)
20 permit ip 10.68.68.0 0.0.0.255 any (19986 matches)
Edge#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Edge(config)#ip access-list extended 101
Edge(config-ext-nacl)#30 permit ip any any
Edge(config-ext-nacl)#exi
Edge(config)#exi
Edge#sh access-list
Standard IP access list 1
10 permit 10.0.0.0, wildcard bits 0.255.255.255
Extended IP access list 101
10 deny ip any 10.68.68.68 0.0.0.3 (18191 matches)
20 permit ip 10.68.68.0 0.0.0.255 any (19986 matches)
30 permit ip any any
Edge#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Edge(config)#ip access-list extended 101
Edge(config-ext-nacl)#no 30
Edge(config-ext-nacl)#exi
Edge(config)#exi
Edge#sh access-list
Standard IP access list 1
10 permit 10.0.0.0, wildcard bits 0.255.255.255
Extended IP access list 101
10 deny ip any 10.68.68.68 0.0.0.3 (18191 matches)
20 permit ip 10.68.68.0 0.0.0.255 any (19986 matches)

Burt
 
A numbered ACL nowadays is the same as a named access list.
Burt is correct; just go into ACL config mode and you can add and delete lines as you want and order them any way you want. This started with the 12.2T train of code; any release above this (12.3 or 12.4) has this capability.
 
I stand corrected, so ignore my post unless you are running an IOS lower than 12.2T.
 
I put a caveat in that named ACLs have been around longer than 12.2T, but they did not have the numbering function before that, and you could not put them in a specific order like you can now with the number prefixes.
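Applying the sequence-number method from the replies above to the poster's own config, as an added example that is not part of the thread. It assumes IOS 12.2T or later, a hostname of "Core" (the thread never names the 4507), and that IOS auto-numbered the two entries 10 and 20; the posted config shows no sequence numbers, so the first step is to read them back with show access-list 1 before deleting anything. The show output below is illustrative, not captured from the poster's switch. The trap the first reply was warning about is real on older code and still worth knowing: no access-list 1 permit 172.20.1.75 typed at the global prompt deletes the entire access list 1, not one entry, and because route-map SSL matches on that list, the policy routing on Vlan4 would stop matching anything. The last lines also remove the stray lowercase route-map ssl from the snippet: route-map names are case-sensitive, so it is a separate, empty map that no ip policy route-map command references.

```cisco
! Step 1: confirm the sequence numbers IOS assigned (assumed 10 and 20 here)
Core#show access-list 1
Standard IP access list 1
    10 permit 172.20.1.28
    20 permit 172.20.1.75

! Step 2: enter ACL config mode for the numbered list and delete only
! the entry for 172.20.1.75, by its sequence number; the other entry and
! the route-map reference to list 1 are untouched
Core#configure terminal
Core(config)#ip access-list standard 1
Core(config-std-nacl)#no 20
Core(config-std-nacl)#exit

! Step 3 (cleanup): drop the unreferenced lowercase route-map "ssl";
! names are case-sensitive, so this does not touch route-map SSL
Core(config)#no route-map ssl
Core(config)#end

! Step 4: verify the list now holds one host and SSL still matches it
Core#show access-list 1
Standard IP access list 1
    10 permit 172.20.1.28
Core#show route-map SSL
route-map SSL, permit, sequence 10
  Match clauses:
    ip address (access-lists): 1
  Set clauses:
    ip next-hop 172.20.100.9
Core#write memory
```

Inside the ACL config mode, no permit 172.20.1.75 (the full entry, without the sequence number) removes the same line if you would rather not depend on the numbering. Since this ACL is used by match ip address in a route-map, it selects traffic by source address, so only packets sourced from 172.20.1.28 will now be policy-routed to 172.20.100.9; 172.20.1.75 falls back to the normal routing table immediately, with no need to remove and re-apply ip policy route-map SSL on Vlan4.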
 
Thanks for all the help. I haven't done anything with it yet, but I will.

thank you
 