R1#show access-lists Extended IP access list WEB-FILTER 10 deny tcp host 192.168.0.1 host 192.168.4.1 eq www log-input (2 matches) 20 deny tcp host 192.168.0.2 host 192.168.4.1 eq www log-input (2 matches) 30 permit ip any any (12 matches) R1#no acc R1#no acce R1#no ip acc R1#no ip access R1#no ip access-list R1#no ip access-list WEB-FILTER ^ % Invalid input detected at '^' marker. R1#conf t Enter configuration commands, one per line. End with CNTL/Z. R1(config)#sho R1(config)#no ip acc R1(config)#no ip acce R1(config)#no ip access-list WEB-FILTER 10 ^ % Invalid input detected at '^' marker. R1(config)#no ip access-list WEB-FILTER ^ % Invalid input detected at '^' marker. R1(config)#ip access-list WEB-FILTER ^ % Invalid input detected at '^' marker. R1(config)#no ip access-list extended WEB-FILTER R1(config)#^Z R1#show access-lists *Apr 1 09:20:21.414: %SYS-5-CONFIG_I: Configured from console by console R1#show access-lists R1# R1#sh run | i access ip access-group WEB-FILTER in R1#conf t Enter configuration commands, one per line. End with CNTL/Z. R1(config)#int gig0/2 R1(config-if)#no ip acce R1(config-if)#no ip access-group WEB-FILTER in R1(config-if)#exit R1(config)#^Z R1# *Apr 1 09:21:14.357: %SYS-5-CONFIG_I: Configured from console by console R1#sh run | i access R1#
! standard ACL access-list 1 deny host 192.168.0.1 access-list 1 permit any ! ! extended ACL access-list 100 permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq 80 ! ! Named Standard ACL ip access-list standard ONE-DROP deny host 192.168.0.1 permit 192.168.0.0 0.0.0.255 exit ! ! Named Extended ACL ip access-list extended WEB-FILTER deny tcp host 192.168.0.1 host 192.168.4.1 eq 80 deny tcp host 192.168.0.2 host 192.168.4.1 eq 80 permit ip any any ! ! standard ACL ip access-list standard 2 deny host 192.168.0.1 permit any ! ! extended ACL ip access-list extended 101 permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq 80 ! ! error ip access-list extended 3 permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq 80 ! error ip access-list standard 102 permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq 80 ! ! Apply ACL int gig0/2 ip access-group WEB-FILTER in exit ! end
R1#conf t Enter configuration commands, one per line. End with CNTL/Z. R1(config)#! standard ACL R1(config)#access-list 1 deny host 192.168.0.1 R1(config)#access-list 1 permit any R1(config)#! R1(config)#! extended ACL R1(config)#$ 100 permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq 80 R1(config)#! R1(config)#! Named Standard ACL R1(config)#ip access-list standard ONE-DROP R1(config-std-nacl)#deny host 192.168.0.1 R1(config-std-nacl)#permit 192.168.0.0 0.0.0.255 R1(config-std-nacl)#exit R1(config)#! R1(config)#! Named Extended ACL R1(config)#ip access-list extended WEB-FILTER R1(config-ext-nacl)#deny tcp host 192.168.0.1 host 192.168.4.1 eq 80 R1(config-ext-nacl)#deny tcp host 192.168.0.1 host 192.168.4.1 eq 80 R1(config-ext-nacl)#permit ip any any R1(config-ext-nacl)#! R1(config-ext-nacl)#exit R1(config)#ip acce R1(config)#ip access-list standa R1(config)#ip access-list standard 2 R1(config-std-nacl)#den R1(config-std-nacl)#deny host 192.168.0.1 R1(config-std-nacl)#permit any R1(config-std-nacl)#ip access-list 101 ^ % Invalid input detected at '^' marker. R1(config-std-nacl)#permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq 80 Translating "tcp" ^ % Invalid input detected at '^' marker. R1(config-std-nacl)#ip access-list extended 101 R1(config-ext-nacl)#permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq 80 R1(config-ext-nacl)#! error R1(config-ext-nacl)#ip access-list extended 3 % % Invalid access list name. R1(config)#permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq 80 ^ % Invalid input detected at '^' marker. R1(config)#! error R1(config)#ip access-list standard 102 % % Invalid access list name. R1(config)#permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq 80 ^ % Invalid input detected at '^' marker. R1(config)#! 
R1(config)#^Z R1#show *Apr 1 09:24:40.748: %SYS-5-CONFIG_I: Configured from console by console R1#show acc R1#show access-li R1#show access-lists Standard IP access list 1 10 deny 192.168.0.1 20 permit any Standard IP access list 2 10 deny 192.168.0.1 20 permit any Standard IP access list ONE-DROP 10 deny 192.168.0.1 20 permit 192.168.0.0, wildcard bits 0.0.0.255 Extended IP access list 100 10 permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq www Extended IP access list 101 10 permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq www Extended IP access list WEB-FILTER 10 deny tcp host 192.168.0.1 host 192.168.4.1 eq www 20 permit ip any any R1#ip access-list extended WEB-FILTER ^ % Invalid input detected at '^' marker. R1#deny tcp host 192.168.0.1 host 192.168.4.1 eq 80 ^ % Invalid input detected at '^' marker. R1#deny tcp host 192.168.0.2 host 192.168.4.1 eq 80 ^ % Invalid input detected at '^' marker. R1#permit ip any any ^ % Invalid input detected at '^' marker. R1#conf t Enter configuration commands, one per line. End with CNTL/Z. 
R1(config)#ip access-list extended WEB-FILTER R1(config-ext-nacl)#deny tcp host 192.168.0.1 host 192.168.4.1 eq 80 R1(config-ext-nacl)#deny tcp host 192.168.0.2 host 192.168.4.1 eq 80 R1(config-ext-nacl)#permit ip any any R1(config-ext-nacl)#^Z R1# *Apr 1 09:25:31.153: %SYS-5-CONFIG_I: Configured from console by console R1#sh run | in (access-list|permit|deny) ip access-list standard ONE-DROP deny 192.168.0.1 permit 192.168.0.0 0.0.0.255 ip access-list extended WEB-FILTER deny tcp host 192.168.0.1 host 192.168.4.1 eq www permit ip any any deny tcp host 192.168.0.2 host 192.168.4.1 eq www access-list 1 deny 192.168.0.1 access-list 1 permit any access-list 2 deny 192.168.0.1 access-list 2 permit any access-list 100 permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq www access-list 101 permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq www R1(config)#ip access-list standard 4 R1(config-std-nacl)#exit R1(config)#ip ac R1(config)#ip accc R1(config)#ip acce R1(config)#ip access-list ex R1(config)#ip access-list extended 105 R1(config-ext-nacl)#exit
telnet 192.168.4.1 80 GET /
show access-lists show access-lists 1 show access-lists 100 show access-lists WEB-FILTER show ip access-lists show ip interfaces gig0/2
R1#show access-lists Standard IP access list 1 10 deny 192.168.0.1 20 permit any Standard IP access list 2 10 deny 192.168.0.1 20 permit any Standard IP access list ONE-DROP 10 deny 192.168.0.1 20 permit 192.168.0.0, wildcard bits 0.0.0.255 Extended IP access list 100 10 permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq www Extended IP access list 101 10 permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq www Extended IP access list WEB-FILTER 10 deny tcp host 192.168.0.1 host 192.168.4.1 eq www (1 match) 20 permit ip any any (19 matches) 30 deny tcp host 192.168.0.2 host 192.168.4.1 eq www R1#show access-lists 1 Standard IP access list 1 10 deny 192.168.0.1 20 permit any R1#show R1#show ip acce R1#show ip access- R1#show ip access-lists WEB-FI R1#show ip access-lists WEB-FILTER Extended IP access list WEB-FILTER 10 deny tcp host 192.168.0.1 host 192.168.4.1 eq www (1 match) 20 permit ip any any (19 matches) 30 deny tcp host 192.168.0.2 host 192.168.4.1 eq www R1#show tcp access-lists ^ % Invalid input detected at '^' marker. R1#show ip access-lists Standard IP access list 1 10 deny 192.168.0.1 20 permit any Standard IP access list 2 10 deny 192.168.0.1 20 permit any Standard IP access list ONE-DROP 10 deny 192.168.0.1 20 permit 192.168.0.0, wildcard bits 0.0.0.255 Extended IP access list 100 10 permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq www Extended IP access list 101 10 permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq www Extended IP access list WEB-FILTER 10 deny tcp host 192.168.0.1 host 192.168.4.1 eq www (1 match) 20 permit ip any any (19 matches) 30 deny tcp host 192.168.0.2 host 192.168.4.1 eq www R1#show ipv6 access-lists ^ % Invalid input detected at '^' marker. R1#show ip?access-lists access-lists R1#show icmp access-lists ^ % Invalid input detected at '^' marker.
R1#sh ip int gig0/2 GigabitEthernet0/2 is up, line protocol is up Internet address is 192.168.0.254/24 Broadcast address is 255.255.255.255 Address determined by non-volatile memory MTU is 1500 bytes Helper address is not set Directed broadcast forwarding is disabled Multicast reserved groups joined: 224.0.0.5 224.0.0.6 Outgoing access list is not set Inbound access list is WEB-FILTER Proxy ARP is enabled Local Proxy ARP is disabled Security level is default Split horizon is enabled ICMP redirects are always sent ICMP unreachables are always sent ICMP mask replies are never sent IP fast switching is enabled IP fast switching on the same interface is disabled IP Flow switching is disabled IP CEF switching is enabled IP CEF switching turbo vector IP multicast fast switching is enabled IP multicast distributed fast switching is disabled IP route-cache flags are Fast, CEF Router Discovery is disabled IP output packet accounting is disabled IP access violation accounting is disabled TCP/IP header compression is disabled RTP/IP header compression is disabled Policy routing is disabled Network address translation is disabled BGP Policy Mapping is disabled Input features: Access List, MCI Check IPv4 WCCP Redirect outbound is disabled IPv4 WCCP Redirect inbound is disabled IPv4 WCCP Redirect exclude is disabled R1#sh ip int gig0/2 | in access Outgoing access list is not set Inbound access list is WEB-FILTER IP access violation accounting is disabled
Suppose you have defined the following ACL.
configure terminal ! access-list 101 permit icmp 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255 time-range TIME_RANGE_WEEKEND access-list 101 permit ip any any ! end
R2#show access-lists Extended IP access list 101 10 permit icmp 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255 time-range TIME_RANGE_WEEKEND (inactive) 20 permit ip any any (537 matches)
If you simply use the following `no` form, the entire ACL 101 will be removed, not just sequence 20…!!
configure terminal ! no access-list 101 permit ip any any ! end
Sequence 20 alone can be deleted with the following `no` form.
configure terminal ! ip access-list extended 101 no 20 ! end
You can also insert a replacement entry after `no 20`.
configure terminal ! ip access-list extended 101 10 permit icmp 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255 time-range TIME_RANGE_2020_HAPPY_NEW_YEAR ! end
R2(config)#do sh access-lists Extended IP access list 101 10 permit icmp 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255 time-range TIME_RANGE_WEEKEND (inactive) 20 permit ip any any (537 matches) R2(config)#ip access-list extended 101 R2(config-ext-nacl)#no 20 R2(config-ext-nacl)#do sh access-lists Extended IP access list 101 10 permit icmp 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255 time-range TIME_RANGE_WEEKEND (inactive) R2(config-ext-nacl)# Aug 29 08:38:31.830: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.1.2.1 (GigabitEthernet0/1) is down: holding time expired
R1#sh access-lists 1 Standard IP access list 1 10 deny 192.168.0.1 20 permit any R1#conf t Enter configuration commands, one per line. End with CNTL/Z. R1(config)#ip acce R1(config)#ip access-list sta R1(config)#ip access-list standard 1 R1(config-std-nacl)#15 per R1(config-std-nacl)#15 permit deny 192.168.0.3 Translating "deny" ^ % Invalid input detected at '^' marker. R1(config-std-nacl)#15 permit deny host 192.168.0.3 Translating "deny" ^ % Invalid input detected at '^' marker. R1(config-std-nacl)#15 deny host 192.168.0.3 R1(config-std-nacl)#^Z R1# *Apr 1 10:54:51.764: %SYS-5-CONFIG_I: Configured from console by console R1#sh acc R1#sh access-li R1#sh access-lists 1 Standard IP access list 1 10 deny 192.168.0.1 15 deny 192.168.0.3 20 permit any
R1#sh access-lists WEB-FILTER Extended IP access list WEB-FILTER 10 deny tcp host 192.168.0.1 host 192.168.4.1 eq www (1 match) 20 permit ip any any (19 matches) 30 deny tcp host 192.168.0.2 host 192.168.4.1 eq www R1#conf t Enter configuration commands, one per line. End with CNTL/Z. R1(config)#ip access R1(config)#ip access-list exten R1(config)#ip access-list extended WEB-FILTER R1(config-ext-nacl)#15 deny tcp R1(config-ext-nacl)#15 deny tcp hos R1(config-ext-nacl)#15 deny tcp host 192.168.0.2 host 192.168.4.1 eq www R1(config-ext-nacl)#^Z R1# *Apr 1 10:57:28.684: %SYS-5-CONFIG_I: Configured from console by console R1#sh acc R1#sh access-li R1#sh access-lists WEB-FILTER Extended IP access list WEB-FILTER 10 deny tcp host 192.168.0.1 host 192.168.4.1 eq www (1 match) 20 permit ip any any (19 matches) 30 deny tcp host 192.168.0.2 host 192.168.4.1 eq www
This does not work if a duplicate statement already exists: the command is accepted without any error, but the entry is not moved and sequence 30 remains in place.
Add another statement instead.
R1#conf t Enter configuration commands, one per line. End with CNTL/Z. R1(config)#ip access-list ext R1(config)#ip access-list extended WEB-FILTER R1(config-ext-nacl)#15 permi R1(config-ext-nacl)#16 permit tcp host 192.168.0.3 host 192.168.4.1 eq www R1(config-ext-nacl)#do sh ip access-list WEB-FILTER Extended IP access list WEB-FILTER 10 deny tcp host 192.168.0.1 host 192.168.4.1 eq www (1 match) 16 permit tcp host 192.168.0.3 host 192.168.4.1 eq www 20 permit ip any any (19 matches) 30 deny tcp host 192.168.0.2 host 192.168.4.1 eq www
Mistake: the keyword should be deny, not permit. Update it.
R1(config-ext-nacl)#16 deny tcp host 192.168.0.3 host 192.168.4.1 eq www % Duplicate sequence number
Refused: an existing sequence number cannot be overwritten in place, so the entry has to be removed first…
R1(config-ext-nacl)#no 16 R1(config-ext-nacl)#do sh ip access-list WEB-FILTER Extended IP access list WEB-FILTER 10 deny tcp host 192.168.0.1 host 192.168.4.1 eq www (1 match) 20 permit ip any any (19 matches) 30 deny tcp host 192.168.0.2 host 192.168.4.1 eq www R1(config-ext-nacl)#16 deny tcp host 192.168.0.3 host 192.168.4.1 eq www R1(config-ext-nacl)#do sh ip access-list WEB-FILTER Extended IP access list WEB-FILTER 10 deny tcp host 192.168.0.1 host 192.168.4.1 eq www (1 match) 16 deny tcp host 192.168.0.3 host 192.168.4.1 eq www 20 permit ip any any (19 matches) 30 deny tcp host 192.168.0.2 host 192.168.4.1 eq www
root@Python,Go,Perl,PHP-3:~# telnet 192.168.4.1 80 Trying 192.168.4.1... telnet: Unable to connect to remote host: No route to host
The match counter increments!
R1(config-ext-nacl)#do sh ip acc WEB-FILTER % Ambiguous command: "do sh ip acc WEB-FILTER" R1(config-ext-nacl)#do sh ip acce WEB-FILTER Extended IP access list WEB-FILTER 10 deny tcp host 192.168.0.1 host 192.168.4.1 eq www (1 match) 16 deny tcp host 192.168.0.3 host 192.168.4.1 eq www (1 match) 20 permit ip any any (19 matches) 30 deny tcp host 192.168.0.2 host 192.168.4.1 eq www R1(config-ext-nacl)#do sh ip acce WEB-FILTER Extended IP access list WEB-FILTER 10 deny tcp host 192.168.0.1 host 192.168.4.1 eq www (1 match) 16 deny tcp host 192.168.0.3 host 192.168.4.1 eq www (5 matches) 20 permit ip any any (19 matches) 30 deny tcp host 192.168.0.2 host 192.168.4.1 eq www R1(config-ext-nacl)#exit R1(config)#ip acce % Incomplete command. R1(config)#ip acce WEB-FIL R1(config)#ip acce WEB-FILTER ^ % Invalid input detected at '^' marker. R1(config)#ip access R1(config)#ip acce ext WEB-FILTER R1(config-ext-nacl)#no 30 R1(config-ext-nacl)#15 deny tcp host 192.168.0.2 host 192.168.4.1 eq 80 R1(config-ext-nacl)#do sh ip acce WEB-FILTER Extended IP access list WEB-FILTER 10 deny tcp host 192.168.0.1 host 192.168.4.1 eq www (1 match) 15 deny tcp host 192.168.0.2 host 192.168.4.1 eq www 16 deny tcp host 192.168.0.3 host 192.168.4.1 eq www (5 matches) 20 permit ip any any (19 matches)
Same as above.
Wrong removal method: on a numbered ACL this `no` form removes all of the ACL's statements, not just the entry named in the command!
R1#sh his | in in sh ip int gig0/2 sh ip int gig0/2 | in access sh run | in access-list sh run | in (access-list|permit|deny) sh his | in in R1#sh run | in (access-list|permit|deny) ip access-list standard ONE-DROP deny 192.168.0.1 permit 192.168.0.0 0.0.0.255 ip access-list extended WEB-FILTER deny tcp host 192.168.0.1 host 192.168.4.1 eq www deny tcp host 192.168.0.2 host 192.168.4.1 eq www deny tcp host 192.168.0.3 host 192.168.4.1 eq www permit ip any any access-list 1 deny 192.168.0.1 access-list 1 deny 192.168.0.3 access-list 1 permit any access-list 2 deny 192.168.0.1 access-list 2 permit any access-list 100 permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq www access-list 101 permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq www R1#show access-lists Standard IP access list 1 10 deny 192.168.0.1 15 deny 192.168.0.3 20 permit any Standard IP access list 2 10 deny 192.168.0.1 20 permit any Standard IP access list ONE-DROP 10 deny 192.168.0.1 20 permit 192.168.0.0, wildcard bits 0.0.0.255 Extended IP access list 100 10 permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq www Extended IP access list 101 10 permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq www Extended IP access list WEB-FILTER 10 deny tcp host 192.168.0.1 host 192.168.4.1 eq www (1 match) 15 deny tcp host 192.168.0.2 host 192.168.4.1 eq www 16 deny tcp host 192.168.0.3 host 192.168.4.1 eq www (5 matches) 20 permit ip any any (19 matches)
R1#conf t Enter configuration commands, one per line. End with CNTL/Z. R1(config)#no ip acce R1(config)#no ip access-list stan R1(config)#no ip acce R1(config)#no acces R1(config)#no access-list 1 deny host 192.168.0.3 R1(config)#^Z R1#show access-lists *Apr 1 11:14:06.037: %SYS-5-CONFIG_I: Configured from console by console R1#show access-lists 1 R1#sh run | in (access-list|permit|deny) ip access-list standard ONE-DROP deny 192.168.0.1 permit 192.168.0.0 0.0.0.255 ip access-list extended WEB-FILTER deny tcp host 192.168.0.1 host 192.168.4.1 eq www deny tcp host 192.168.0.2 host 192.168.4.1 eq www deny tcp host 192.168.0.3 host 192.168.4.1 eq www permit ip any any access-list 2 deny 192.168.0.1 access-list 2 permit any access-list 100 permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq www access-list 101 permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq www
Unfortunately, all of access list 1's statements were removed.
The correct syntax is the following (re-create the entries, then remove a single one by sequence number):
access-list 1 permit host 192.168.0.1 access-list 1 permit host 192.168.0.2 access-list 1 permit host 192.168.0.3 access-list 1 permit host 192.168.0.4 access-list 1 permit host 192.168.0.5
R1(config)#access-list 1 permit host 192.168.0.1 R1(config)#access-list 1 permit host 192.168.0.2 R1(config)#access-list 1 permit host 192.168.0.3 R1(config)#access-list 1 permit host 192.168.0.4 R1(config)#access-list 1 permit host 192.168.0.5 R1(config)#do sh acce 1 % Ambiguous command: "do sh acce 1" R1(config)#do sh access-lists 1 Standard IP access list 1 10 permit 192.168.0.1 20 permit 192.168.0.2 30 permit 192.168.0.3 40 permit 192.168.0.4 50 permit 192.168.0.5 R1(config)#ip access-list standa R1(config)#ip access-list standard 1 R1(config-std-nacl)#no 30 R1(config-std-nacl)#exit R1(config)#do sh ip access R1(config)#do sh access R1(config)#do sh access-lis R1(config)#do sh access-lists 1 Standard IP access list 1 10 permit 192.168.0.1 20 permit 192.168.0.2 40 permit 192.168.0.4 50 permit 192.168.0.5