access list being overwritten, is it true?
lon21
Member Posts: 201
in CCNA & CCENT
Hi,
Is it true that when you add an access-list to a non-IP access-list, all other access lists are overwritten with the one you have most recently entered?
I believe this is not the case for named access-lists.
I have tried both in Packet Tracer and none are overwritten?
Comments
-
tomaifauchai Member Posts: 301
Nothing is being overwritten. The only drawback of non-named access-lists is that you can't resequence them and squeeze a new statement between 2 others.
-
dtlokee Member Posts: 2,378
I'm not sure what you're asking, but there are cases where you need to be careful when editing access-lists.
1. In older versions of code there was no way to edit a numbered ACL, so executing a command like "no access-list 101 permit tcp host 1.2.3.4 any eq 22" would not remove the individual matching line but would blow away the whole access-list 101.
2. If you apply an empty ACL to an interface it results in a deny-all because of the implicit deny any any at the end.
Also, you can edit a numbered ACL starting in a 12.2 code release the same way you edit named ACLs (IOS treats numbered ACLs just like named ones), so:
R1(config)#ip access-list resequence ?
<1-99> Standard IP access-list number
<100-199> Extended IP access-list number
<1300-1999> Standard IP access-list number (expanded range)
<2000-2699> Extended IP access list number (expanded range)
WORD Access-list name
R1(config)#ip access-list resequence 101 ?
<1-2147483647> Starting Sequence Number
R1(config)#ip access-list resequence 101 10 ?
<1-2147483647> Step to increment the sequence number
R1(config)#ip access-list resequence 101 10 10
The first "10" tells the router what the starting sequence number should be, and the second "10" indicates the increment between line numbers.
A few examples:
R1(config)#access-list 101 permit tcp host 1.1.1.1 host 2.2.2.2 eq 80
R1(config)#access-list 101 permit udp host 4.4.4.4 host 8.8.8.8 eq 22
R1(config)#access-list 101 permit tcp host 12.12.12.12 host 3.3.3.3 eq 443
R1(config)#
R1(config)#do sho access-list 101
Extended IP access list 101
10 permit tcp host 1.1.1.1 host 2.2.2.2 eq www
20 permit udp host 4.4.4.4 host 8.8.8.8 eq 22
30 permit tcp host 12.12.12.12 host 3.3.3.3 eq 443
R1(config)#ip access-list resequence 101 10 5
R1(config)#do sho access-list 101
Extended IP access list 101
10 permit tcp host 1.1.1.1 host 2.2.2.2 eq www
15 permit udp host 4.4.4.4 host 8.8.8.8 eq 22
20 permit tcp host 12.12.12.12 host 3.3.3.3 eq 443
R1(config)#ip access-list resequence 101 100 20
R1(config)#do sho access-list 101
Extended IP access list 101
100 permit tcp host 1.1.1.1 host 2.2.2.2 eq www
120 permit udp host 4.4.4.4 host 8.8.8.8 eq 22
140 permit tcp host 12.12.12.12 host 3.3.3.3 eq 443
R1(config)#ip access-list extended 101
R1(config-ext-nacl)#no 140
R1(config-ext-nacl)#do sho access-list 101
Extended IP access list 101
100 permit tcp host 1.1.1.1 host 2.2.2.2 eq www
120 permit udp host 4.4.4.4 host 8.8.8.8 eq 22
R1(config-ext-nacl)#
The only easy day was yesterday!
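An added Python model of the editing behaviour described in the post above (example code, not from the thread and not Cisco's): it parses `show access-list` output, mirrors `ip access-list resequence <acl> <start> <step>`, and replays a planned change under the pre-12.2 semantics (where `no access-list 101 <ace>` drops the whole list) and under the 12.2+ semantics (where it removes only the matching entry, and `ip access-list extended 101` / `no <seq>` edits by sequence number). The `show` output, the interface binding and the command lists are constructed from the post's example; `emptied_while_applied` is a hypothetical pre-change check that reports any interface whose applied ACL would cease to exist, so the operator sees it before pushing the change, whatever the platform then does with that interface.

```python
"""Model of Cisco IOS numbered-ACL editing: parse, resequence, replay a change.

Constructed example; nothing here talks to a router.
"""
import re
from dataclasses import dataclass

MAX_SEQ = 2147483647  # upper bound IOS offers for start and step

ACL_HEADER = re.compile(r"^(?:Standard|Extended) IP access list (\S+)\s*$")
# Sequence number, the ACE text, and an optional "(N matches)" hit counter.
ACE_LINE = re.compile(
    r"^\s*(\d+)\s+((?:permit|deny)\s.+?)(?:\s+\(\d+ match(?:es)?\))?\s*$")

# Constructed from the post's final `do sho access-list 101` output.
SHOW_OUTPUT = """\
Extended IP access list 101
    100 permit tcp host 1.1.1.1 host 2.2.2.2 eq www
    120 permit udp host 4.4.4.4 host 8.8.8.8 eq 22
    140 permit tcp host 12.12.12.12 host 3.3.3.3 eq 443
"""


@dataclass(frozen=True)
class Ace:
    seq: int
    text: str  # as the router displays it (IOS prints port 80 as "www")


def parse_show_access_list(output: str) -> dict:
    """Return {acl_name: [Ace, ...]} in display order."""
    acls, current = {}, None
    for line in output.splitlines():
        if m := ACL_HEADER.match(line):
            current = m.group(1)
            acls[current] = []
        elif current is not None and (m := ACE_LINE.match(line)):
            acls[current].append(Ace(int(m.group(1)), m.group(2)))
    return acls


def resequence(aces: list, start: int, step: int) -> list:
    """Mirror `ip access-list resequence <acl> <start> <step>`: order kept, numbers rewritten."""
    if not (1 <= start <= MAX_SEQ and 1 <= step <= MAX_SEQ):
        raise ValueError("start and step must be within 1..2147483647")
    if aces and start + step * (len(aces) - 1) > MAX_SEQ:
        raise ValueError("resequencing would exceed the maximum sequence number")
    return [Ace(start + i * step, a.text) for i, a in enumerate(aces)]


def apply_change(acls: dict, commands: list, legacy: bool) -> dict:
    """Replay config commands against a copy of `acls` and return the new state.

    legacy=True: pre-12.2 code, `no access-list N <ace>` removes all of list N.
    legacy=False: 12.2+ code, it removes only the matching entry, and the
    `ip access-list extended N` sub-mode accepts `no <seq>` / `<seq> <ace>`.
    """
    state = {name: list(aces) for name, aces in acls.items()}
    context = None  # list selected by `ip access-list standard|extended <name>`
    for cmd in commands:
        cmd = cmd.strip()
        if m := re.match(r"^ip access-list (?:standard|extended) (\S+)$", cmd):
            context = m.group(1)
        elif m := re.match(r"^no access-list (\S+)\s+(.+)$", cmd):
            name, text = m.groups()
            if legacy:
                state.pop(name, None)  # the whole list is gone
            else:
                state[name] = [a for a in state.get(name, []) if a.text != text]
        elif m := re.match(r"^access-list (\S+)\s+((?:permit|deny)\s.+)$", cmd):
            name, text = m.groups()
            aces = state.setdefault(name, [])
            # Appended entries get the last number plus 10, as in the post's output.
            aces.append(Ace((aces[-1].seq if aces else 0) + 10, text))
        elif context is not None and (m := re.match(r"^no (\d+)$", cmd)):
            seq = int(m.group(1))
            state[context] = [a for a in state.get(context, []) if a.seq != seq]
        elif context is not None and (m := re.match(r"^(\d+) ((?:permit|deny)\s.+)$", cmd)):
            seq, text = int(m.group(1)), m.group(2)
            kept = [a for a in state.get(context, []) if a.seq != seq]
            state[context] = sorted(kept + [Ace(seq, text)], key=lambda a: a.seq)
        else:
            raise ValueError(f"unmodelled command: {cmd}")
        # A list whose last entry was removed no longer exists in the config.
        for name in [n for n, aces in state.items() if not aces]:
            state.pop(name)
    return state


def emptied_while_applied(before: dict, after: dict, bindings: dict) -> list:
    """Interfaces (hypothetical {intf: acl} map) whose applied ACL vanishes in the change."""
    return sorted(intf for intf, acl in bindings.items()
                  if acl in before and acl not in after)


if __name__ == "__main__":
    acls = parse_show_access_list(SHOW_OUTPUT)
    bindings = {"GigabitEthernet0/0": "101"}  # constructed interface binding
    risky = ["no access-list 101 permit udp host 4.4.4.4 host 8.8.8.8 eq 22"]
    safe = ["ip access-list extended 101", "no 120"]
    for label, cmds, legacy in (("pre-12.2", risky, True),
                                ("12.2+", risky, False),
                                ("12.2+ by seq", safe, False)):
        after = apply_change(acls, cmds, legacy)
        print(label, after.get("101"), emptied_while_applied(acls, after, bindings))
```

The textual form of `no access-list` only matches what the router displays, so a change written with `eq 80` would silently not match the `eq www` entry on 12.2+ code; editing by sequence number, as the post does with `no 140`, avoids both that mismatch and the legacy wipe.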