tech:network:cisco:show-edit-acl:show-edit-acl
Table of Contents
show and edit ACLs
R1#show access-lists
Extended IP access list WEB-FILTER
10 deny tcp host 192.168.0.1 host 192.168.4.1 eq www log-input (2 matches)
20 deny tcp host 192.168.0.2 host 192.168.4.1 eq www log-input (2 matches)
30 permit ip any any (12 matches)
R1#no acc
R1#no acce
R1#no ip acc
R1#no ip access
R1#no ip access-list
R1#no ip access-list WEB-FILTER
^
% Invalid input detected at '^' marker.
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#sho
R1(config)#no ip acc
R1(config)#no ip acce
R1(config)#no ip access-list WEB-FILTER 10
^
% Invalid input detected at '^' marker.
R1(config)#no ip access-list WEB-FILTER
^
% Invalid input detected at '^' marker.
R1(config)#ip access-list WEB-FILTER
^
% Invalid input detected at '^' marker.
R1(config)#no ip access-list extended WEB-FILTER
R1(config)#^Z
R1#show access-lists
*Apr 1 09:20:21.414: %SYS-5-CONFIG_I: Configured from console by console
R1#show access-lists
R1#
R1#sh run | i access
ip access-group WEB-FILTER in
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#int gig0/2
R1(config-if)#no ip acce
R1(config-if)#no ip access-group WEB-FILTER in
R1(config-if)#exit
R1(config)#^Z
R1#
*Apr 1 09:21:14.357: %SYS-5-CONFIG_I: Configured from console by console
R1#sh run | i access
R1#
! standard ACL access-list 1 deny host 192.168.0.1 access-list 1 permit any ! ! extended ACL access-list 100 permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq 80 ! ! Named Standard ACL ip access-list standard ONE-DROP deny host 192.168.0.1 permit 192.168.0.0 0.0.0.255 exit ! ! Named Extended ACL ip access-list extended WEB-FILTER deny tcp host 192.168.0.1 host 192.168.4.1 eq 80 deny tcp host 192.168.0.2 host 192.168.4.1 eq 80 permit ip any any ! ! standard ACL ip access-list standard 2 deny host 192.168.0.1 permit any ! ! extended ACL ip access-list extended 101 permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq 80 ! ! error ip access-list extended 3 permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq 80 ! error ip access-list standard 102 permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq 80 ! ! Apply ACL int gig0/2 ip access-group WEB-FILTER in exit ! end
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#! standard ACL
R1(config)#access-list 1 deny host 192.168.0.1
R1(config)#access-list 1 permit any
R1(config)#!
R1(config)#! extended ACL
R1(config)#$ 100 permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq 80
R1(config)#!
R1(config)#! Named Standard ACL
R1(config)#ip access-list standard ONE-DROP
R1(config-std-nacl)#deny host 192.168.0.1
R1(config-std-nacl)#permit 192.168.0.0 0.0.0.255
R1(config-std-nacl)#exit
R1(config)#!
R1(config)#! Named Extended ACL
R1(config)#ip access-list extended WEB-FILTER
R1(config-ext-nacl)#deny tcp host 192.168.0.1 host 192.168.4.1 eq 80
R1(config-ext-nacl)#deny tcp host 192.168.0.1 host 192.168.4.1 eq 80
R1(config-ext-nacl)#permit ip any any
R1(config-ext-nacl)#!
R1(config-ext-nacl)#exit
R1(config)#ip acce
R1(config)#ip access-list standa
R1(config)#ip access-list standard 2
R1(config-std-nacl)#den
R1(config-std-nacl)#deny host 192.168.0.1
R1(config-std-nacl)#permit any
R1(config-std-nacl)#ip access-list 101
^
% Invalid input detected at '^' marker.
R1(config-std-nacl)#permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq 80
Translating "tcp"
^
% Invalid input detected at '^' marker.
R1(config-std-nacl)#ip access-list extended 101
R1(config-ext-nacl)#permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq 80
R1(config-ext-nacl)#! error
R1(config-ext-nacl)#ip access-list extended 3
%
% Invalid access list name.
R1(config)#permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq 80
^
% Invalid input detected at '^' marker.
R1(config)#! error
R1(config)#ip access-list standard 102
%
% Invalid access list name.
R1(config)#permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq 80
^
% Invalid input detected at '^' marker.
R1(config)#!
R1(config)#^Z
R1#show
*Apr 1 09:24:40.748: %SYS-5-CONFIG_I: Configured from console by console
R1#show acc
R1#show access-li
R1#show access-lists
Standard IP access list 1
10 deny 192.168.0.1
20 permit any
Standard IP access list 2
10 deny 192.168.0.1
20 permit any
Standard IP access list ONE-DROP
10 deny 192.168.0.1
20 permit 192.168.0.0, wildcard bits 0.0.0.255
Extended IP access list 100
10 permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq www
Extended IP access list 101
10 permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq www
Extended IP access list WEB-FILTER
10 deny tcp host 192.168.0.1 host 192.168.4.1 eq www
20 permit ip any any
R1#ip access-list extended WEB-FILTER
^
% Invalid input detected at '^' marker.
R1#deny tcp host 192.168.0.1 host 192.168.4.1 eq 80
^
% Invalid input detected at '^' marker.
R1#deny tcp host 192.168.0.2 host 192.168.4.1 eq 80
^
% Invalid input detected at '^' marker.
R1#permit ip any any
^
% Invalid input detected at '^' marker.
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip access-list extended WEB-FILTER
R1(config-ext-nacl)#deny tcp host 192.168.0.1 host 192.168.4.1 eq 80
R1(config-ext-nacl)#deny tcp host 192.168.0.2 host 192.168.4.1 eq 80
R1(config-ext-nacl)#permit ip any any
R1(config-ext-nacl)#^Z
R1#
*Apr 1 09:25:31.153: %SYS-5-CONFIG_I: Configured from console by console
R1#sh run | in (access-list|permit|deny)
ip access-list standard ONE-DROP
deny 192.168.0.1
permit 192.168.0.0 0.0.0.255
ip access-list extended WEB-FILTER
deny tcp host 192.168.0.1 host 192.168.4.1 eq www
permit ip any any
deny tcp host 192.168.0.2 host 192.168.4.1 eq www
access-list 1 deny 192.168.0.1
access-list 1 permit any
access-list 2 deny 192.168.0.1
access-list 2 permit any
access-list 100 permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq www
access-list 101 permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq www
R1(config)#ip access-list standard 4
R1(config-std-nacl)#exit
R1(config)#ip ac
R1(config)#ip accc
R1(config)#ip acce
R1(config)#ip access-list ex
R1(config)#ip access-list extended 105
R1(config-ext-nacl)#exit
show commands
telnet 192.168.4.1 80 GET /
show access-lists show access-lists 1 show access-lists 100 show access-lists WEB-FILTER show ip access-lists show ip interfaces gig0/2
R1#show access-lists
Standard IP access list 1
10 deny 192.168.0.1
20 permit any
Standard IP access list 2
10 deny 192.168.0.1
20 permit any
Standard IP access list ONE-DROP
10 deny 192.168.0.1
20 permit 192.168.0.0, wildcard bits 0.0.0.255
Extended IP access list 100
10 permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq www
Extended IP access list 101
10 permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq www
Extended IP access list WEB-FILTER
10 deny tcp host 192.168.0.1 host 192.168.4.1 eq www (1 match)
20 permit ip any any (19 matches)
30 deny tcp host 192.168.0.2 host 192.168.4.1 eq www
R1#show access-lists 1
Standard IP access list 1
10 deny 192.168.0.1
20 permit any
R1#show
R1#show ip acce
R1#show ip access-
R1#show ip access-lists WEB-FI
R1#show ip access-lists WEB-FILTER
Extended IP access list WEB-FILTER
10 deny tcp host 192.168.0.1 host 192.168.4.1 eq www (1 match)
20 permit ip any any (19 matches)
30 deny tcp host 192.168.0.2 host 192.168.4.1 eq www
R1#show tcp access-lists
^
% Invalid input detected at '^' marker.
R1#show ip access-lists
Standard IP access list 1
10 deny 192.168.0.1
20 permit any
Standard IP access list 2
10 deny 192.168.0.1
20 permit any
Standard IP access list ONE-DROP
10 deny 192.168.0.1
20 permit 192.168.0.0, wildcard bits 0.0.0.255
Extended IP access list 100
10 permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq www
Extended IP access list 101
10 permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq www
Extended IP access list WEB-FILTER
10 deny tcp host 192.168.0.1 host 192.168.4.1 eq www (1 match)
20 permit ip any any (19 matches)
30 deny tcp host 192.168.0.2 host 192.168.4.1 eq www
R1#show ipv6 access-lists
^
% Invalid input detected at '^' marker.
R1#show ip?access-lists
access-lists
R1#show icmp access-lists
^
% Invalid input detected at '^' marker.
R1#sh ip int gig0/2 GigabitEthernet0/2 is up, line protocol is up Internet address is 192.168.0.254/24 Broadcast address is 255.255.255.255 Address determined by non-volatile memory MTU is 1500 bytes Helper address is not set Directed broadcast forwarding is disabled Multicast reserved groups joined: 224.0.0.5 224.0.0.6 Outgoing access list is not set Inbound access list is WEB-FILTER Proxy ARP is enabled Local Proxy ARP is disabled Security level is default Split horizon is enabled ICMP redirects are always sent ICMP unreachables are always sent ICMP mask replies are never sent IP fast switching is enabled IP fast switching on the same interface is disabled IP Flow switching is disabled IP CEF switching is enabled IP CEF switching turbo vector IP multicast fast switching is enabled IP multicast distributed fast switching is disabled IP route-cache flags are Fast, CEF Router Discovery is disabled IP output packet accounting is disabled IP access violation accounting is disabled TCP/IP header compression is disabled RTP/IP header compression is disabled Policy routing is disabled Network address translation is disabled BGP Policy Mapping is disabled Input features: Access List, MCI Check IPv4 WCCP Redirect outbound is disabled IPv4 WCCP Redirect inbound is disabled IPv4 WCCP Redirect exclude is disabled R1#sh ip int gig0/2 | in access Outgoing access list is not set Inbound access list is WEB-FILTER IP access violation accounting is disabled
edit ACL statements
Remove or replace specific ACL rule
If you defined following ACL.
configure terminal ! access-list 101 permit icmp 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255 time-range TIME_RANGE_WEEKEND access-list 101 permit ip any any ! end
R2#show access-lists
Extended IP access list 101
10 permit icmp 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255 time-range TIME_RANGE_WEEKEND (inactive)
20 permit ip any any (537 matches)
simply you use fllowing no form, entire ACL 101 will be removed…!!
configure terminal ! no access-list 101 permit ip any any ! end
can be delete seq 20 following no form.
configure terminal ! ip access-list extended 101 no 20 ! end
you can also insert after no 20.
configure terminal ! ip access-list extended 101 10 permit icmp 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255 time-range TIME_RANGE_2020_HAPPY_NEW_YEAR ! end
R2(config)#do sh access-lists
Extended IP access list 101
10 permit icmp 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255 time-range TIME_RANGE_WEEKEND (inactive)
20 permit ip any any (537 matches)
R2(config)#ip access-list extended 101
R2(config-ext-nacl)#no 20
R2(config-ext-nacl)#do sh access-lists
Extended IP access list 101
10 permit icmp 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255 time-range TIME_RANGE_WEEKEND (inactive)
R2(config-ext-nacl)#
Aug 29 08:38:31.830: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.1.2.1 (GigabitEthernet0/1) is down: holding time expired
Add ACL statements
R1#sh access-lists 1
Standard IP access list 1
10 deny 192.168.0.1
20 permit any
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip acce
R1(config)#ip access-list sta
R1(config)#ip access-list standard 1
R1(config-std-nacl)#15 per
R1(config-std-nacl)#15 permit deny 192.168.0.3
Translating "deny"
^
% Invalid input detected at '^' marker.
R1(config-std-nacl)#15 permit deny host 192.168.0.3
Translating "deny"
^
% Invalid input detected at '^' marker.
R1(config-std-nacl)#15 deny host 192.168.0.3
R1(config-std-nacl)#^Z
R1#
*Apr 1 10:54:51.764: %SYS-5-CONFIG_I: Configured from console by console
R1#sh acc
R1#sh access-li
R1#sh access-lists 1
Standard IP access list 1
10 deny 192.168.0.1
15 deny 192.168.0.3
20 permit any
R1#sh access-lists WEB-FILTER
Extended IP access list WEB-FILTER
10 deny tcp host 192.168.0.1 host 192.168.4.1 eq www (1 match)
20 permit ip any any (19 matches)
30 deny tcp host 192.168.0.2 host 192.168.4.1 eq www
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip access
R1(config)#ip access-list exten
R1(config)#ip access-list extended WEB-FILTER
R1(config-ext-nacl)#15 deny tcp
R1(config-ext-nacl)#15 deny tcp hos
R1(config-ext-nacl)#15 deny tcp host 192.168.0.2 host 192.168.4.1 eq www
R1(config-ext-nacl)#^Z
R1#
*Apr 1 10:57:28.684: %SYS-5-CONFIG_I: Configured from console by console
R1#sh acc
R1#sh access-li
R1#sh access-lists WEB-FILTER
Extended IP access list WEB-FILTER
10 deny tcp host 192.168.0.1 host 192.168.4.1 eq www (1 match)
20 permit ip any any (19 matches)
30 deny tcp host 192.168.0.2 host 192.168.4.1 eq www
not works if duplicate statement exists.
add another statement.
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip access-list ext
R1(config)#ip access-list extended WEB-FILTER
R1(config-ext-nacl)#15 permi
R1(config-ext-nacl)#16 permit tcp host 192.168.0.3 host 192.168.4.1 eq www
R1(config-ext-nacl)#do sh ip access-list WEB-FILTER
Extended IP access list WEB-FILTER
10 deny tcp host 192.168.0.1 host 192.168.4.1 eq www (1 match)
16 permit tcp host 192.168.0.3 host 192.168.4.1 eq www
20 permit ip any any (19 matches)
30 deny tcp host 192.168.0.2 host 192.168.4.1 eq www
mistake not permit, correct keyword deny.
Update.
R1(config-ext-nacl)#16 deny tcp host 192.168.0.3 host 192.168.4.1 eq www % Duplicate sequence number
refused…
R1(config-ext-nacl)#no 16
R1(config-ext-nacl)#do sh ip access-list WEB-FILTER
Extended IP access list WEB-FILTER
10 deny tcp host 192.168.0.1 host 192.168.4.1 eq www (1 match)
20 permit ip any any (19 matches)
30 deny tcp host 192.168.0.2 host 192.168.4.1 eq www
R1(config-ext-nacl)#16 deny tcp host 192.168.0.3 host 192.168.4.1 eq www
R1(config-ext-nacl)#do sh ip access-list WEB-FILTER
Extended IP access list WEB-FILTER
10 deny tcp host 192.168.0.1 host 192.168.4.1 eq www (1 match)
16 deny tcp host 192.168.0.3 host 192.168.4.1 eq www
20 permit ip any any (19 matches)
30 deny tcp host 192.168.0.2 host 192.168.4.1 eq www
root@Python,Go,Perl,PHP-3:~# telnet 192.168.4.1 80 Trying 192.168.4.1... telnet: Unable to connect to remote host: No route to host
counter up!
R1(config-ext-nacl)#do sh ip acc WEB-FILTER
% Ambiguous command: "do sh ip acc WEB-FILTER"
R1(config-ext-nacl)#do sh ip acce WEB-FILTER
Extended IP access list WEB-FILTER
10 deny tcp host 192.168.0.1 host 192.168.4.1 eq www (1 match)
16 deny tcp host 192.168.0.3 host 192.168.4.1 eq www (1 match)
20 permit ip any any (19 matches)
30 deny tcp host 192.168.0.2 host 192.168.4.1 eq www
R1(config-ext-nacl)#do sh ip acce WEB-FILTER
Extended IP access list WEB-FILTER
10 deny tcp host 192.168.0.1 host 192.168.4.1 eq www (1 match)
16 deny tcp host 192.168.0.3 host 192.168.4.1 eq www (5 matches)
20 permit ip any any (19 matches)
30 deny tcp host 192.168.0.2 host 192.168.4.1 eq www
R1(config-ext-nacl)#exit
R1(config)#ip acce
% Incomplete command.
R1(config)#ip acce WEB-FIL
R1(config)#ip acce WEB-FILTER
^
% Invalid input detected at '^' marker.
R1(config)#ip access
R1(config)#ip acce ext WEB-FILTER
R1(config-ext-nacl)#no 30
R1(config-ext-nacl)#15 deny tcp host 192.168.0.2 host 192.168.4.1 eq 80
R1(config-ext-nacl)#do sh ip acce WEB-FILTER
Extended IP access list WEB-FILTER
10 deny tcp host 192.168.0.1 host 192.168.4.1 eq www (1 match)
15 deny tcp host 192.168.0.2 host 192.168.4.1 eq www
16 deny tcp host 192.168.0.3 host 192.168.4.1 eq www (5 matches)
20 permit ip any any (19 matches)
Delete ACL statements
like above.
wrong remove method, this method remove all acl statements!
R1#sh his | in in
sh ip int gig0/2
sh ip int gig0/2 | in access
sh run | in access-list
sh run | in (access-list|permit|deny)
sh his | in in
R1#sh run | in (access-list|permit|deny)
ip access-list standard ONE-DROP
deny 192.168.0.1
permit 192.168.0.0 0.0.0.255
ip access-list extended WEB-FILTER
deny tcp host 192.168.0.1 host 192.168.4.1 eq www
deny tcp host 192.168.0.2 host 192.168.4.1 eq www
deny tcp host 192.168.0.3 host 192.168.4.1 eq www
permit ip any any
access-list 1 deny 192.168.0.1
access-list 1 deny 192.168.0.3
access-list 1 permit any
access-list 2 deny 192.168.0.1
access-list 2 permit any
access-list 100 permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq www
access-list 101 permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq www
R1#show access-lists
Standard IP access list 1
10 deny 192.168.0.1
15 deny 192.168.0.3
20 permit any
Standard IP access list 2
10 deny 192.168.0.1
20 permit any
Standard IP access list ONE-DROP
10 deny 192.168.0.1
20 permit 192.168.0.0, wildcard bits 0.0.0.255
Extended IP access list 100
10 permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq www
Extended IP access list 101
10 permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq www
Extended IP access list WEB-FILTER
10 deny tcp host 192.168.0.1 host 192.168.4.1 eq www (1 match)
15 deny tcp host 192.168.0.2 host 192.168.4.1 eq www
16 deny tcp host 192.168.0.3 host 192.168.4.1 eq www (5 matches)
20 permit ip any any (19 matches)
R1#conf t Enter configuration commands, one per line. End with CNTL/Z. R1(config)#no ip acce R1(config)#no ip access-list stan R1(config)#no ip acce R1(config)#no acces R1(config)#no access-list 1 deny host 192.168.0.3 R1(config)#^Z R1#show access-lists *Apr 1 11:14:06.037: %SYS-5-CONFIG_I: Configured from console by console R1#show access-lists 1 R1#sh run | in (access-list|permit|deny) ip access-list standard ONE-DROP deny 192.168.0.1 permit 192.168.0.0 0.0.0.255 ip access-list extended WEB-FILTER deny tcp host 192.168.0.1 host 192.168.4.1 eq www deny tcp host 192.168.0.2 host 192.168.4.1 eq www deny tcp host 192.168.0.3 host 192.168.4.1 eq www permit ip any any access-list 2 deny 192.168.0.1 access-list 2 permit any access-list 100 permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq www access-list 101 permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq www
sadly, access list 1 statements all removed.
correct syntax is following:
access-list 1 permit host 192.168.0.1 access-list 1 permit host 192.168.0.2 access-list 1 permit host 192.168.0.3 access-list 1 permit host 192.168.0.4 access-list 1 permit host 192.168.0.5
R1(config)#access-list 1 permit host 192.168.0.1
R1(config)#access-list 1 permit host 192.168.0.2
R1(config)#access-list 1 permit host 192.168.0.3
R1(config)#access-list 1 permit host 192.168.0.4
R1(config)#access-list 1 permit host 192.168.0.5
R1(config)#do sh acce 1
% Ambiguous command: "do sh acce 1"
R1(config)#do sh access-lists 1
Standard IP access list 1
10 permit 192.168.0.1
20 permit 192.168.0.2
30 permit 192.168.0.3
40 permit 192.168.0.4
50 permit 192.168.0.5
R1(config)#ip access-list standa
R1(config)#ip access-list standard 1
R1(config-std-nacl)#no 30
R1(config-std-nacl)#exit
R1(config)#do sh ip access
R1(config)#do sh access
R1(config)#do sh access-lis
R1(config)#do sh access-lists 1
Standard IP access list 1
10 permit 192.168.0.1
20 permit 192.168.0.2
40 permit 192.168.0.4
50 permit 192.168.0.5
References
tech/network/cisco/show-edit-acl/show-edit-acl.txt · Last modified: 2020/08/30 10:30 by wnoguchi
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
