Cisco – Editing Cisco Router Extended ACL lists

Tags: access-control-list, cisco, ip, router

I have a Cisco 1921 router where I am using an outbound extended access list. Whenever I edit my access lists, it results in losing all IP traffic. I will have about 3 deny statements, and then end with a permit any ip statement.

It works flawlessly, but when I want to edit the list and remove a deny statement, it results in me having to recreate all the statements.

When using Cisco routers and extended access lists, is there a best practice way to edit extended access lists without interrupting all IP traffic? Right now my list has:

    access-list 199 deny ip host 10.200.15.159 any
    access-list 199 permit ip any any

I went in and removed the acl statement

    access-list 199 deny ip host 10.200.15.159 any

but it also removed the second access-list statement, and I don't understand why. It results in every IP losing traffic when I only wanted to remove the deny statement.

EDIT: When I remove the deny statement, it seems to delete the whole extended access list. However, it does not stop any outgoing IP traffic. The minute that I go back to recreate the same list, we lose all IP traffic (probably because I first started with the deny statement).

Additionally, the access-list is directly added to the outbound interface.

Best Answer

If you do a show access-lists command, you get something like:

Router# show access-list 150

 Extended IP access list 150
     10 permit ip host 10.3.3.3 host 172.16.5.34
     20 permit icmp any any
     30 permit tcp any host 10.3.3.3
     40 permit ip host 10.4.4.4 any
     50 Dynamic test permit ip any any
     60 permit ip host 172.16.2.2 host 10.3.3.12
     70 permit ip host 10.3.3.3 any log
     80 permit tcp host 10.3.3.3 host 10.1.2.2
     90 permit ip host 10.3.3.3 any
     100 permit ip any any

You can then insert or delete lines by the line number.

IP Access List Entry Sequence Numbering

Sequencing Access-List Entries and Revising the Access List

This task shows how to assign sequence numbers to entries in a named IP access list and how to add or delete an entry to or from an access list. It is assumed a user wants to revise an access list. The context of this task is the following:

  • A user need not resequence access lists for no reason; resequencing in general is optional. The resequencing step in this task is shown
    as required because that is one purpose of this feature and this task demonstrates the feature.

  • Step 5 happens to be a permit statement and Step 6 happens to be a deny statement, but they need not be in that order.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. ip access-list resequence access-list-name starting-sequence-number increment
  4. ip access-list {standard | extended} access-list-name
  5. sequence-number permit source source-wildcard or sequence-number permit protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
  6. sequence-number deny source source-wildcard or sequence-number deny protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
  7. Repeat Step 5 and/or Step 6 as necessary, adding statements by sequence number where you planned. Use the no sequence-number command to delete an entry.
  8. end
  9. show ip access-lists access-list-name
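As an added walk-through (editor's example, not part of the original answer or of the Cisco documentation quoted above), here is the asker's scenario redone with a named extended ACL that is edited by sequence number. The list name OUT-FILTER, the interface GigabitEthernet0/0 and the second and third host addresses are assumed for illustration. Two IOS behaviours explain what the asker saw: in classic numbered syntax, `no access-list 199 ...` removes the whole list 199 regardless of what follows the number, and an interface whose `ip access-group` points at a list that no longer exists passes all traffic, so the list only started dropping everything when it was recreated with just the deny entry plus the implicit deny at the end.

```cisco
! Build the list once with explicit sequence numbers, leaving gaps for later inserts
Router# configure terminal
Router(config)# ip access-list extended OUT-FILTER
Router(config-ext-nacl)# 10 deny ip host 10.200.15.159 any
Router(config-ext-nacl)# 20 deny ip host 10.200.15.160 any
Router(config-ext-nacl)# 100 permit ip any any
Router(config-ext-nacl)# exit
Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip access-group OUT-FILTER out
Router(config-if)# end

! Check the sequence numbers before touching anything
Router# show ip access-lists OUT-FILTER
Extended IP access list OUT-FILTER
    10 deny ip host 10.200.15.159 any
    20 deny ip host 10.200.15.160 any
    100 permit ip any any

! Remove one deny entry by its sequence number. The other entries, the final
! permit and the interface binding all stay in place, so traffic is not interrupted.
Router# configure terminal
Router(config)# ip access-list extended OUT-FILTER
Router(config-ext-nacl)# no 10

! Insert a new entry between existing ones, again without recreating the list
Router(config-ext-nacl)# 15 deny ip host 10.200.15.161 any
Router(config-ext-nacl)# exit

! When the gaps are used up, renumber: first entry 10, step 10
Router(config)# ip access-list resequence OUT-FILTER 10 10
Router(config)# end

! A numbered list such as the asker's 199 can be opened in the same mode and
! edited by sequence number. This is the safe replacement for
!   no access-list 199 deny ip host 10.200.15.159 any
! which deletes the entire list 199, not just that one line.
Router# configure terminal
Router(config)# ip access-list extended 199
Router(config-ext-nacl)# no 10
Router(config-ext-nacl)# end
Router# show ip access-lists 199
```

When a list has to be rebuilt from scratch rather than edited, the usual practice is to create the new version under a different name, verify it with `show ip access-lists`, and then change the `ip access-group` on the interface to the new name; the interface is then never bound to a half-built list whose implicit deny would drop everything in between.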