Here's what you see when you do a show run. You can see I've filtered the output to include only the "extended MyACL" section.
cisco3825# sh run | sec extended MyACL
ip access-list extended MyACL
permit tcp any host 10.10.20.20 eq www
permit tcp any host 10.10.40.40 eq www
.....
.....
I need to add a web server entry (10.10.30.30) to this acl, so I need to find out the sequence numbers and insert the new entry in between the existing ones...
cisco3825# sh access-lists extended MyACL
Extended IP access list MyACL
10 permit tcp any host 10.10.20.20 eq www (342879 matches)
20 permit tcp any host 10.10.40.40 eq www (365501 matches)
.....
.....
Good, now I can put my new entry at any sequence number from 11 to 19....
cisco3825# config term
cisco3825(config)# ip access-list extended MyACL
cisco3825(config-ext-nacl)# 15 permit tcp any host 10.10.30.30 eq www
cisco3825(config-ext-nacl)# end
cisco3825#
cisco3825# sh access-lists extended MyACL
Extended IP access list MyACL
10 permit tcp any host 10.10.20.20 eq www (342879 matches)
15 permit tcp any host 10.10.30.30 eq www (16 matches)
20 permit tcp any host 10.10.40.40 eq www (365501 matches)
.....
.....
Voila!!
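As an added illustration (not from the original post), here is a small Python helper that parses the numbered "sh access-lists" output, picks a free sequence number between two existing entries, and falls back to "ip access-list resequence" when the neighbours are adjacent and no number is free. The sample listing is constructed to match the post; the extra "deny" line and the 50.50 host are assumptions added for the edge case.

```python
import re
from typing import List, Tuple

# Constructed sample output modelled on the "sh access-lists" listing in the post.
# The third line (sequence 21) is an assumption added to show the no-gap case.
SAMPLE = """Extended IP access list MyACL
    10 permit tcp any host 10.10.20.20 eq www (342879 matches)
    20 permit tcp any host 10.10.40.40 eq www (365501 matches)
    21 deny ip any any log (12 matches)
"""

# sequence number, action, rest of the ACE; the "(N matches)" counter is optional
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\(\d+ matches?\))?\s*$")


def parse_acl(text: str) -> List[Tuple[int, str]]:
    """Return (sequence, ace) pairs in the order IOS prints them."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), f"{m.group(2)} {m.group(3)}"))
    return entries


def insert_after(acl: str, entries: List[Tuple[int, str]], after_seq: int, ace: str) -> List[str]:
    """Config lines that place `ace` directly after sequence `after_seq`.

    If the next entry leaves no free number (e.g. 20 followed by 21), the list is
    renumbered first with "ip access-list resequence <name> 10 10"; after that the
    i-th entry (1-based) holds sequence 10*i, so the midpoint is free again.
    """
    seqs = [s for s, _ in entries]
    if after_seq not in seqs:
        raise ValueError(f"sequence {after_seq} is not in {acl}")
    idx = seqs.index(after_seq)
    cmds: List[str] = []
    if idx + 1 == len(seqs):
        new_seq = after_seq + 10                      # appending at the tail
    elif seqs[idx + 1] - after_seq >= 2:
        new_seq = after_seq + (seqs[idx + 1] - after_seq) // 2   # midpoint of the gap
    else:
        cmds.append(f"ip access-list resequence {acl} 10 10")
        new_seq = 10 * (idx + 1) + 5                  # entry idx now sits at 10*(idx+1)
    cmds += [f"ip access-list extended {acl}", f"{new_seq} {ace}"]
    return cmds


if __name__ == "__main__":
    acl_entries = parse_acl(SAMPLE)
    print("\n".join(insert_after("MyACL", acl_entries, 10, "permit tcp any host 10.10.30.30 eq www")))
```

Paste the returned lines into config mode; the resequence command is a global config command, which is why it is emitted before entering the ACL sub-mode.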
Now what if you want to remove an entry?
cisco3825# config term
cisco3825(config)# ip access-list extended MyACL
cisco3825(config-ext-nacl)# no 15
cisco3825(config-ext-nacl)# end
cisco3825# write mem
Now it's true that older IOS versions didn't allow such easy management and required you to remove the entire acl and add it back. First you'd work up your new acl in a text file and copy and paste it into your telnet/ssh session. Keep in mind that while you do this, an interface still referencing the list is filtered by whatever exists at that moment: nothing at all while the list is deleted, and a partial list with its implicit deny while you paste, so do it in a maintenance window or build the new list under a different name and swap the interface reference afterwards. Something like the following...
cisco3825# config term
cisco3825(config)# no ip access-list extended MyACL
cisco3825(config)# ip access-list extended MyACL
cisco3825(config-ext-nacl)# <paste entries from text file here>
cisco3825(config-ext-nacl)#
cisco3825(config-ext-nacl)# end
cisco3825# write mem
Hope I helped.