Jan 03

Hi Brian,

I’ve heard that items in a numbered ACL can be deleted without taking down the entire ACL. Is it true and how?

In newer IOS versions, sequence numbers can be used to quickly edit, add, and remove entries from a named extended access-list. However, in all IOS versions that support named extended access-lists, a numbered extended access-list can be treated like a named list whose name is the number. Without sequence numbers you cannot add or edit individual lines, but you can remove a single line from anywhere in the list without deleting the whole list. Take the following example:

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#access-list 100 permit tcp any any
R1(config)#access-list 100 permit udp any any
R1(config)#access-list 100 permit ospf any any
R1(config)#access-list 100 permit eigrp any any
R1(config)#do show access-list 100
Extended IP access list 100
    permit tcp any any
    permit udp any any
    permit ospf any any
    permit eigrp any any

Now let’s suppose that we want to remove the second line, the one that permits udp. Normally we would have to enter “no access-list 100”, then recreate the list without line two. However, by treating this like a named access-list we have a second option:

R1(config)#ip access-list extended 100
R1(config-ext-nacl)#no permit udp any any
R1(config-ext-nacl)#end

R1#show access-list 100
Extended IP access list 100
    permit tcp any any
    permit ospf any any
    permit eigrp any any

Tada! The list stays intact but the second line has been removed.
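The procedure above, packaged as a small change generator with the check a practitioner would want before and after the edit. This is an added example, not code from the post; it assumes you capture the `show access-list` output yourself and push the generated commands through whatever management path you already use, and it also handles the newer IOS output that shows sequence numbers and hit counters.

```python
import re

# Constructed sample: the "show access-list 100" output from the post (no sequence numbers).
SHOW_ACL_100 = """Extended IP access list 100
    permit tcp any any
    permit udp any any
    permit ospf any any
    permit eigrp any any
"""

HEADER_RE = re.compile(r"^(Extended|Standard) IP access list (\S+)$")
# Newer IOS prefixes a sequence number and may append a hit counter:
# "    20 permit udp any any (5 matches)"; both are optional here.
ENTRY_RE = re.compile(r"^\s+(?:(\d+)\s+)?((?:permit|deny)\b.*?)(?:\s+\(\d+ matches?\))?\s*$")

def parse_show_access_list(text):
    """Return (kind, name, [(seq or None, ace_text), ...])."""
    kind, name, entries = None, None, []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            kind, name = m.group(1).lower(), m.group(2)
            continue
        m = ENTRY_RE.match(line)
        if m and name is not None:
            seq = int(m.group(1)) if m.group(1) else None
            entries.append((seq, m.group(2)))
    return kind, name, entries

def removal_commands(show_output, aces_to_remove):
    """Named-mode commands that delete only the requested ACEs from a numbered list."""
    kind, name, entries = parse_show_access_list(show_output)
    existing = {ace: seq for seq, ace in entries}
    # Refuse anything that does not match an existing line exactly: IOS accepts a
    # 'no' for a non-existent line without complaint, so a typo would leave the entry.
    missing = [ace for ace in aces_to_remove if ace not in existing]
    if missing:
        raise ValueError(f"not present in access list {name}: {missing}")
    cmds = [f"ip access-list {kind} {name}"]
    for ace in aces_to_remove:
        seq = existing[ace]
        # 'no <seq>' is unambiguous when sequence numbers are shown; otherwise
        # the full ACE text is the only handle IOS offers, as in the post.
        cmds.append(f"no {seq}" if seq is not None else f"no {ace}")
    return cmds

def expected_remaining(show_output, aces_to_remove):
    """ACEs that should survive, to compare with the post-change show output."""
    _, _, entries = parse_show_access_list(show_output)
    return [ace for _, ace in entries if ace not in aces_to_remove]
```

Compare `expected_remaining()` against a fresh `show access-list` after applying the commands; any difference means the wrong line was touched.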

About Brian McGahan, CCIE #8593, CCDE #2013::13:

Brian McGahan was one of the youngest engineers in the world to obtain the CCIE, having achieved his first CCIE in Routing & Switching at the age of 20 in 2002. Brian has been teaching and developing CCIE training courses for over 10 years, and has assisted thousands of engineers in obtaining their CCIE certification. When not teaching or developing new products Brian consults with large ISPs and enterprise customers in the midwest region of the United States.


One Response to “Editing Numbered Access-Lists On The Fly”

1. fornetti says:

    I do not believe this
