
Remove ACL then reapply modified 1


ncolsgk (IS-IT--Management), Apr 2, 2007

I need to modify ACL 199, allowing traffic on the ports below, then reapply it to int GE0/1. Is my syntax correct?

Code:
conf t
int GigabitEthernet0/1
! direction added: without "in", IOS applies "no ip access-group" to the outbound binding
no ip access-group 199 in
*current ACL here*
access-list 199 permit udp any any eq 69
access-list 199 permit tcp any any eq 2000
access-list 199 permit udp any any range 16384 32768
int GigabitEthernet0/1
ip access-group 199 in
exit
wr me
exit
 
Looks ok, but anything else except those few ports will be blocked by the ACL.
 
Do I need to go back into the interface after the last ACL 199 line, or am I still in it?
 
So are you going to replace the current ACL, or append those three lines to the end of it?

I see that working out unless your ACL currently has a deny ip any any at the end of it already...
then those commands you typed will be after the deny and be useless.

If the above is the case and you do have a deny at the end, then you'll need to remove it, or sequence these three new entries ahead of it.

conf t
int GigabitEthernet0/1
no ip access-group 199 in
exit
access-list 199 permit udp any any eq 69
access-list 199 permit tcp any any eq 2000
access-list 199 permit udp any any range 16384 32768
int GigabitEthernet0/1
ip access-group 199 in
end
copy run start
 
This is not a named access list, so you cannot simply add a few lines to it... you must delete the entire thing and start over.
router#conf t
router(config)#no access-list 199
Then retype the whole thing, including, of course, the added lines. If it were a named access list, then you could append to it.

Burt
 
Hey Burt, you can always go into access-list config mode and add and remove entries based on their sequence number.

Sequencing needs to be everybody's friend for access-lists; it makes life much easier :p

Router_DTE#sh access-lists 123
Extended IP access list 123
10 permit udp any any eq ntp
20 permit udp any eq ntp any
Router_DTE#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router_DTE(config)#ip access-list extended 123
Router_DTE(config-ext-nacl)#15 deny ip 1.1.1.1 0.0.0.255 any
Router_DTE(config-ext-nacl)#end
Router_DTE#sh access-lists 123
Extended IP access list 123
10 permit udp any any eq ntp
15 deny ip 1.1.1.0 0.0.0.255 any
20 permit udp any eq ntp any
Router_DTE#
 
And to remove it, just note the sequence numbers:

Router_DTE#sh access-lists 123
Extended IP access list 123
10 permit udp any any eq ntp
15 deny ip 1.1.1.0 0.0.0.255 any
20 permit udp any eq ntp any
Router_DTE#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router_DTE(config)#ip access-list extended 123
Router_DTE(config-ext-nacl)#no 15
Router_DTE(config-ext-nacl)#end
Router_DTE#sh access-lists 123
Extended IP access list 123
10 permit udp any any eq ntp
20 permit udp any eq ntp any
Router_DTE#
 
When did THIS start? I either never knew this, or at least this is what I learned, or Cisco introduced this in a newer feature than what we had available in Cisco Academy a few years ago. Interesting. Thanks, plshlpme.

Burt
 
In newer code you can modify any ACL in ACL config mode; just use something like this.

ip access-list extended 199, then hit enter and it will put you into ACL config mode; it will indicate this in the command line. You can add and delete entries from the ACL. Being able to put the entries in the order you want with the sequence numbers did not start until something like 12.2T code.
 
I am pretty sure you can always append lines to any ACL in global config mode... you just can't insert them in between statements unless you are in ACL config mode. The implicit deny is at the end of everything (even stuff you append later). Is this not true anymore?
 
Looks that way.
The implicit deny will always move to the end,
except in some cases people want the deny ip any any at the end for logging purposes. If that's the case, you'd have to remove that line and re-add it, or just put your new entry ahead by sequence.

Router_DTE#sh access-lists 123
Extended IP access list 123
10 permit udp any any eq ntp
20 permit udp any eq ntp any
Router_DTE#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router_DTE(config)#access-list 123 permit ip 2.2.2.2 0.0.0.3 any
Router_DTE(config)#end
Router_DTE#sh access-lists 123
Extended IP access list 123
10 permit udp any any eq ntp
20 permit udp any eq ntp any
30 permit ip 2.2.2.0 0.0.0.3 any
Router_DTE#
 
You know what... I may be wrong, but I think I remember the output of "sh ip access-list" not listing the ACL entries like that... my router here at home does, so perhaps that's a dead giveaway... if it does not list them in order like that, can I assume the append feature is not available for that IOS? Or has it always listed the entries like that?

Burt
 
Wow, very good stuff. Thanks for the feedback.
 
burtsbee, that is not necessarily true; it can still have ACL config mode and not have the sequence numbers. The sequence numbers, so that you can stick statements anywhere in the ACL, did not start until 12.2T code, but ACL config mode has been around longer than that. You can try it by just doing a conf t, ip access-list extended 150, then hit enter and see if it goes into ACL config mode; if not, then you have really old code that doesn't support that feature. If the global ACL supports sequencing, the number will show up in the show access-list command.
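The thread above describes three ways to get the new permits into ACL 199: unbind, append, rebind (the original post); delete and retype the whole list (Burt); or insert by sequence number in ACL config mode (plshlpme, viper). The following is an added example, not code from anyone in the thread, showing the sequence-number method end to end on the original poster's interface and ACL number. It assumes a constructed starting state in which ACL 199 is already applied inbound on GigabitEthernet0/1 and ends with an explicit "deny ip any any log" at sequence 20, which is exactly the case where a plain append would land after the deny and never match. The RTP range is written as 16384-32767, the usual Cisco IP phone range; the original post's upper bound of 32768 is one port higher.

```cisco
! Added example (not from the original thread). Assumed starting state:
!   Extended IP access list 199
!     10 permit tcp any host 10.0.0.5 eq 22
!     20 deny ip any any log
! applied with "ip access-group 199 in" on GigabitEthernet0/1.
!
! Requires IOS with ACL entry sequence numbering (12.2T and later per the
! thread). Check first: "show access-lists 199" must print sequence numbers.
conf t
! Enter ACL config mode for the numbered extended ACL. The ACL stays bound
! to Gi0/1 the whole time, so the interface is never left unfiltered.
ip access-list extended 199
 ! Insert the new permits ahead of the explicit deny by choosing sequence
 ! numbers between the last permit (10) and the deny (20).
 11 permit udp any any eq 69
 12 permit tcp any any eq 2000
 13 permit udp any any range 16384 32767
 exit
! Optional: renumber 10, 20, 30, ... so the next insert has room again.
ip access-list resequence 199 10 10
end
! Verify ordering: the three permits must be listed before the deny.
show access-lists 199
! Verify the binding survived (expect "Inbound  access list is 199").
show ip interface GigabitEthernet0/1 | include access list
copy running-config startup-config
```

Two caveats for the other two methods in the thread. Unbinding the ACL from the interface, as in the original post, leaves Gi0/1 unfiltered for as long as the edit takes. Deleting the list with "no access-list 199" while it is still referenced by "ip access-group" is worse than it looks on IOS routers: an access-group that points at an empty or nonexistent ACL permits all traffic, so the explicit deny is gone until the last line has been retyped. If the platform is too old for sequence numbers, the safe order is to type the full replacement list under a new number first, then swap the "ip access-group" on the interface to the new number, then delete the old list.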
 
Well, I'll be...wonder why they taught differently in the Cisco Academy classes...Thanks viper.

Burt
 