PG1X WIKI


show and edit ACLs

Virtual Lab

R1#show access-lists
Extended IP access list WEB-FILTER
    10 deny tcp host 192.168.0.1 host 192.168.4.1 eq www log-input (2 matches)
    20 deny tcp host 192.168.0.2 host 192.168.4.1 eq www log-input (2 matches)
    30 permit ip any any (12 matches)
R1#no acc
R1#no acce
R1#no ip acc
R1#no ip access
R1#no ip access-list
R1#no ip access-list WEB-FILTER
      ^
% Invalid input detected at '^' marker.

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#sho
R1(config)#no ip acc
R1(config)#no ip acce
R1(config)#no ip access-list WEB-FILTER 10
                             ^
% Invalid input detected at '^' marker.

R1(config)#no ip access-list WEB-FILTER
                             ^
% Invalid input detected at '^' marker.

R1(config)#ip access-list WEB-FILTER
                          ^
% Invalid input detected at '^' marker.

R1(config)#no ip access-list extended WEB-FILTER
R1(config)#^Z
R1#show access-lists
*Apr  1 09:20:21.414: %SYS-5-CONFIG_I: Configured from console by console
R1#show access-lists
R1#
R1#sh run | i access
 ip access-group WEB-FILTER in
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#int gig0/2
R1(config-if)#no ip acce
R1(config-if)#no ip access-group WEB-FILTER in
R1(config-if)#exit
R1(config)#^Z
R1#
*Apr  1 09:21:14.357: %SYS-5-CONFIG_I: Configured from console by console
R1#sh run | i access
R1#
! standard ACL
access-list 1 deny host 192.168.0.1
access-list 1 permit any
!
! extended ACL
access-list 100 permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq 80
!
! Named Standard ACL
ip access-list standard ONE-DROP
deny host 192.168.0.1
permit 192.168.0.0 0.0.0.255
exit
!
! Named Extended ACL
ip access-list extended WEB-FILTER
deny tcp host 192.168.0.1 host 192.168.4.1 eq 80
deny tcp host 192.168.0.2 host 192.168.4.1 eq 80
permit ip any any
!
! standard ACL
ip access-list standard 2
deny host 192.168.0.1
permit any
!
! extended ACL
ip access-list extended 101
permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq 80
!
! error
ip access-list extended 3
permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq 80
! error
ip access-list standard 102
permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq 80
!
! Apply ACL
int gig0/2
ip access-group WEB-FILTER in
exit
!
end
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#! standard ACL
R1(config)#access-list 1 deny host 192.168.0.1
R1(config)#access-list 1 permit any
R1(config)#!
R1(config)#! extended ACL
R1(config)#$ 100 permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq 80
R1(config)#!
R1(config)#! Named Standard ACL
R1(config)#ip access-list standard ONE-DROP
R1(config-std-nacl)#deny host 192.168.0.1
R1(config-std-nacl)#permit 192.168.0.0 0.0.0.255
R1(config-std-nacl)#exit
R1(config)#!
R1(config)#! Named Extended ACL
R1(config)#ip access-list extended WEB-FILTER
R1(config-ext-nacl)#deny tcp host 192.168.0.1 host 192.168.4.1 eq 80
R1(config-ext-nacl)#deny tcp host 192.168.0.1 host 192.168.4.1 eq 80
R1(config-ext-nacl)#permit ip any any
R1(config-ext-nacl)#!
R1(config-ext-nacl)#exit
R1(config)#ip acce
R1(config)#ip access-list standa
R1(config)#ip access-list standard 2
R1(config-std-nacl)#den
R1(config-std-nacl)#deny host 192.168.0.1
R1(config-std-nacl)#permit any
R1(config-std-nacl)#ip access-list 101
                    ^
% Invalid input detected at '^' marker.

R1(config-std-nacl)#permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq 80
Translating "tcp"
                           ^
% Invalid input detected at '^' marker.

R1(config-std-nacl)#ip access-list extended 101
R1(config-ext-nacl)#permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq 80
R1(config-ext-nacl)#! error
R1(config-ext-nacl)#ip access-list extended 3
%
% Invalid access list name.
R1(config)#permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq 80
              ^
% Invalid input detected at '^' marker.

R1(config)#! error
R1(config)#ip access-list standard 102
%
% Invalid access list name.
R1(config)#permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq 80
              ^
% Invalid input detected at '^' marker.

R1(config)#!
R1(config)#^Z
R1#show
*Apr  1 09:24:40.748: %SYS-5-CONFIG_I: Configured from console by console
R1#show acc
R1#show access-li
R1#show access-lists
Standard IP access list 1
    10 deny   192.168.0.1
    20 permit any
Standard IP access list 2
    10 deny   192.168.0.1
    20 permit any
Standard IP access list ONE-DROP
    10 deny   192.168.0.1
    20 permit 192.168.0.0, wildcard bits 0.0.0.255
Extended IP access list 100
    10 permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq www
Extended IP access list 101
    10 permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq www
Extended IP access list WEB-FILTER
    10 deny tcp host 192.168.0.1 host 192.168.4.1 eq www
    20 permit ip any any
R1#ip access-list extended WEB-FILTER
      ^
% Invalid input detected at '^' marker.

R1#deny tcp host 192.168.0.1 host 192.168.4.1 eq 80
     ^
% Invalid input detected at '^' marker.

R1#deny tcp host 192.168.0.2 host 192.168.4.1 eq 80
     ^
% Invalid input detected at '^' marker.

R1#permit ip any any
    ^
% Invalid input detected at '^' marker.

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip access-list extended WEB-FILTER
R1(config-ext-nacl)#deny tcp host 192.168.0.1 host 192.168.4.1 eq 80
R1(config-ext-nacl)#deny tcp host 192.168.0.2 host 192.168.4.1 eq 80
R1(config-ext-nacl)#permit ip any any
R1(config-ext-nacl)#^Z
R1#
*Apr  1 09:25:31.153: %SYS-5-CONFIG_I: Configured from console by console

R1#sh run | in (access-list|permit|deny)
ip access-list standard ONE-DROP
 deny   192.168.0.1
 permit 192.168.0.0 0.0.0.255
ip access-list extended WEB-FILTER
 deny   tcp host 192.168.0.1 host 192.168.4.1 eq www
 permit ip any any
 deny   tcp host 192.168.0.2 host 192.168.4.1 eq www
access-list 1 deny   192.168.0.1
access-list 1 permit any
access-list 2 deny   192.168.0.1
access-list 2 permit any
access-list 100 permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq www
access-list 101 permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq www


R1(config)#ip access-list standard 4
R1(config-std-nacl)#exit
R1(config)#ip ac
R1(config)#ip accc
R1(config)#ip acce
R1(config)#ip access-list ex
R1(config)#ip access-list extended 105
R1(config-ext-nacl)#exit

show commands

telnet 192.168.4.1 80
GET /
show access-lists
show access-lists 1
show access-lists 100
show access-lists WEB-FILTER
show ip access-lists

show ip interfaces gig0/2
R1#show access-lists
Standard IP access list 1
    10 deny   192.168.0.1
    20 permit any
Standard IP access list 2
    10 deny   192.168.0.1
    20 permit any
Standard IP access list ONE-DROP
    10 deny   192.168.0.1
    20 permit 192.168.0.0, wildcard bits 0.0.0.255
Extended IP access list 100
    10 permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq www
Extended IP access list 101
    10 permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq www
Extended IP access list WEB-FILTER
    10 deny tcp host 192.168.0.1 host 192.168.4.1 eq www (1 match)
    20 permit ip any any (19 matches)
    30 deny tcp host 192.168.0.2 host 192.168.4.1 eq www
R1#show access-lists 1
Standard IP access list 1
    10 deny   192.168.0.1
    20 permit any
R1#show
R1#show ip acce
R1#show ip access-
R1#show ip access-lists WEB-FI
R1#show ip access-lists WEB-FILTER
Extended IP access list WEB-FILTER
    10 deny tcp host 192.168.0.1 host 192.168.4.1 eq www (1 match)
    20 permit ip any any (19 matches)
    30 deny tcp host 192.168.0.2 host 192.168.4.1 eq www
R1#show tcp access-lists
             ^
% Invalid input detected at '^' marker.

R1#show ip access-lists
Standard IP access list 1
    10 deny   192.168.0.1
    20 permit any
Standard IP access list 2
    10 deny   192.168.0.1
    20 permit any
Standard IP access list ONE-DROP
    10 deny   192.168.0.1
    20 permit 192.168.0.0, wildcard bits 0.0.0.255
Extended IP access list 100
    10 permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq www
Extended IP access list 101
    10 permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq www
Extended IP access list WEB-FILTER
    10 deny tcp host 192.168.0.1 host 192.168.4.1 eq www (1 match)
    20 permit ip any any (19 matches)
    30 deny tcp host 192.168.0.2 host 192.168.4.1 eq www
R1#show ipv6 access-lists
                        ^
% Invalid input detected at '^' marker.

R1#show ip?access-lists
access-lists

R1#show icmp access-lists
         ^
% Invalid input detected at '^' marker.
R1#sh ip int gig0/2
GigabitEthernet0/2 is up, line protocol is up
  Internet address is 192.168.0.254/24
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Multicast reserved groups joined: 224.0.0.5 224.0.0.6
  Outgoing access list is not set
  Inbound  access list is WEB-FILTER
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF switching turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Policy routing is disabled
  Network address translation is disabled
  BGP Policy Mapping is disabled
  Input features: Access List, MCI Check
  IPv4 WCCP Redirect outbound is disabled
  IPv4 WCCP Redirect inbound is disabled
  IPv4 WCCP Redirect exclude is disabled

R1#sh ip int gig0/2 | in access
  Outgoing access list is not set
  Inbound  access list is WEB-FILTER
  IP access violation accounting is disabled

edit ACL statements

Remove or replace specific ACL rule

Suppose you have defined the following ACL.

configure terminal
!
access-list 101 permit icmp 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255 time-range TIME_RANGE_WEEKEND
access-list 101 permit ip any any
!
end
R2#show access-lists 
Extended IP access list 101
    10 permit icmp 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255 time-range TIME_RANGE_WEEKEND (inactive)
    20 permit ip any any (537 matches)

If you simply use the following no form, the entire ACL 101 will be removed!

configure terminal
!
no access-list 101 permit ip any any
!
end

Sequence 20 can be deleted with the following no form:

configure terminal
!
ip access-list extended 101
 no 20
!
end

You can also insert a statement after the no 20:

configure terminal
!
ip access-list extended 101
 10 permit icmp 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255 time-range TIME_RANGE_2020_HAPPY_NEW_YEAR
!
end
R2(config)#do sh access-lists 
Extended IP access list 101
    10 permit icmp 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255 time-range TIME_RANGE_WEEKEND (inactive)
    20 permit ip any any (537 matches)
R2(config)#ip access-list extended 101
R2(config-ext-nacl)#no 20
R2(config-ext-nacl)#do sh access-lists         
Extended IP access list 101
    10 permit icmp 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255 time-range TIME_RANGE_WEEKEND (inactive)
R2(config-ext-nacl)#
Aug 29 08:38:31.830: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.1.2.1 (GigabitEthernet0/1) is down: holding time expired

Add ACL statements

R1#sh access-lists 1
Standard IP access list 1
    10 deny   192.168.0.1
    20 permit any
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip acce
R1(config)#ip access-list sta
R1(config)#ip access-list standard 1
R1(config-std-nacl)#15 per
R1(config-std-nacl)#15 permit deny 192.168.0.3
Translating "deny"
                              ^
% Invalid input detected at '^' marker.

R1(config-std-nacl)#15 permit deny host 192.168.0.3
Translating "deny"
                              ^
% Invalid input detected at '^' marker.

R1(config-std-nacl)#15 deny host 192.168.0.3
R1(config-std-nacl)#^Z
R1#
*Apr  1 10:54:51.764: %SYS-5-CONFIG_I: Configured from console by console
R1#sh acc
R1#sh access-li
R1#sh access-lists 1
Standard IP access list 1
    10 deny   192.168.0.1
    15 deny   192.168.0.3
    20 permit any
R1#sh access-lists WEB-FILTER
Extended IP access list WEB-FILTER
    10 deny tcp host 192.168.0.1 host 192.168.4.1 eq www (1 match)
    20 permit ip any any (19 matches)
    30 deny tcp host 192.168.0.2 host 192.168.4.1 eq www
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip access
R1(config)#ip access-list exten
R1(config)#ip access-list extended WEB-FILTER
R1(config-ext-nacl)#15 deny tcp
R1(config-ext-nacl)#15 deny tcp hos
R1(config-ext-nacl)#15 deny tcp host 192.168.0.2 host 192.168.4.1 eq www
R1(config-ext-nacl)#^Z
R1#
*Apr  1 10:57:28.684: %SYS-5-CONFIG_I: Configured from console by console
R1#sh acc
R1#sh access-li
R1#sh access-lists WEB-FILTER
Extended IP access list WEB-FILTER
    10 deny tcp host 192.168.0.1 host 192.168.4.1 eq www (1 match)
    20 permit ip any any (19 matches)
    30 deny tcp host 192.168.0.2 host 192.168.4.1 eq www

This does not work if a duplicate statement already exists.

Add another statement.

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip access-list ext
R1(config)#ip access-list extended WEB-FILTER
R1(config-ext-nacl)#15 permi
R1(config-ext-nacl)#16 permit tcp host 192.168.0.3 host 192.168.4.1 eq www
R1(config-ext-nacl)#do sh ip access-list WEB-FILTER
Extended IP access list WEB-FILTER
    10 deny tcp host 192.168.0.1 host 192.168.4.1 eq www (1 match)
    16 permit tcp host 192.168.0.3 host 192.168.4.1 eq www
    20 permit ip any any (19 matches)
    30 deny tcp host 192.168.0.2 host 192.168.4.1 eq www

Mistake: the correct keyword is deny, not permit. Update it.

R1(config-ext-nacl)#16 deny tcp host 192.168.0.3 host 192.168.4.1 eq www
% Duplicate sequence number

Refused.

R1(config-ext-nacl)#no 16
R1(config-ext-nacl)#do sh ip access-list WEB-FILTER
Extended IP access list WEB-FILTER
    10 deny tcp host 192.168.0.1 host 192.168.4.1 eq www (1 match)
    20 permit ip any any (19 matches)
    30 deny tcp host 192.168.0.2 host 192.168.4.1 eq www
R1(config-ext-nacl)#16 deny tcp host 192.168.0.3 host 192.168.4.1 eq www
R1(config-ext-nacl)#do sh ip access-list WEB-FILTER
Extended IP access list WEB-FILTER
    10 deny tcp host 192.168.0.1 host 192.168.4.1 eq www (1 match)
    16 deny tcp host 192.168.0.3 host 192.168.4.1 eq www
    20 permit ip any any (19 matches)
    30 deny tcp host 192.168.0.2 host 192.168.4.1 eq www
root@Python,Go,Perl,PHP-3:~# telnet 192.168.4.1 80
Trying 192.168.4.1...
telnet: Unable to connect to remote host: No route to host

The counter went up!

R1(config-ext-nacl)#do sh ip acc WEB-FILTER
% Ambiguous command:  "do sh ip acc WEB-FILTER"
R1(config-ext-nacl)#do sh ip acce WEB-FILTER
Extended IP access list WEB-FILTER
    10 deny tcp host 192.168.0.1 host 192.168.4.1 eq www (1 match)
    16 deny tcp host 192.168.0.3 host 192.168.4.1 eq www (1 match)
    20 permit ip any any (19 matches)
    30 deny tcp host 192.168.0.2 host 192.168.4.1 eq www
R1(config-ext-nacl)#do sh ip acce WEB-FILTER
Extended IP access list WEB-FILTER
    10 deny tcp host 192.168.0.1 host 192.168.4.1 eq www (1 match)
    16 deny tcp host 192.168.0.3 host 192.168.4.1 eq www (5 matches)
    20 permit ip any any (19 matches)
    30 deny tcp host 192.168.0.2 host 192.168.4.1 eq www
R1(config-ext-nacl)#exit
R1(config)#ip acce
% Incomplete command.

R1(config)#ip acce WEB-FIL
R1(config)#ip acce WEB-FILTER
                   ^
% Invalid input detected at '^' marker.

R1(config)#ip access
R1(config)#ip acce ext WEB-FILTER
R1(config-ext-nacl)#no 30
R1(config-ext-nacl)#15 deny tcp host 192.168.0.2 host 192.168.4.1 eq 80
R1(config-ext-nacl)#do sh ip acce WEB-FILTER
Extended IP access list WEB-FILTER
    10 deny tcp host 192.168.0.1 host 192.168.4.1 eq www (1 match)
    15 deny tcp host 192.168.0.2 host 192.168.4.1 eq www
    16 deny tcp host 192.168.0.3 host 192.168.4.1 eq www (5 matches)
    20 permit ip any any (19 matches)

Delete ACL statements

Same as above.

Wrong removal method: this method removes all ACL statements!

R1#sh his | in in
  sh ip int gig0/2
  sh ip int gig0/2 | in access
  sh run | in access-list
  sh run | in (access-list|permit|deny)
  sh his | in in
R1#sh run | in (access-list|permit|deny)
ip access-list standard ONE-DROP
 deny   192.168.0.1
 permit 192.168.0.0 0.0.0.255
ip access-list extended WEB-FILTER
 deny   tcp host 192.168.0.1 host 192.168.4.1 eq www
 deny   tcp host 192.168.0.2 host 192.168.4.1 eq www
 deny   tcp host 192.168.0.3 host 192.168.4.1 eq www
 permit ip any any
access-list 1 deny   192.168.0.1
access-list 1 deny   192.168.0.3
access-list 1 permit any
access-list 2 deny   192.168.0.1
access-list 2 permit any
access-list 100 permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq www
access-list 101 permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq www

R1#show access-lists
Standard IP access list 1
    10 deny   192.168.0.1
    15 deny   192.168.0.3
    20 permit any
Standard IP access list 2
    10 deny   192.168.0.1
    20 permit any
Standard IP access list ONE-DROP
    10 deny   192.168.0.1
    20 permit 192.168.0.0, wildcard bits 0.0.0.255
Extended IP access list 100
    10 permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq www
Extended IP access list 101
    10 permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq www
Extended IP access list WEB-FILTER
    10 deny tcp host 192.168.0.1 host 192.168.4.1 eq www (1 match)
    15 deny tcp host 192.168.0.2 host 192.168.4.1 eq www
    16 deny tcp host 192.168.0.3 host 192.168.4.1 eq www (5 matches)
    20 permit ip any any (19 matches)
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#no ip acce
R1(config)#no ip access-list stan
R1(config)#no ip acce
R1(config)#no acces
R1(config)#no access-list 1 deny host 192.168.0.3
R1(config)#^Z
R1#show access-lists
*Apr  1 11:14:06.037: %SYS-5-CONFIG_I: Configured from console by console
R1#show access-lists 1
R1#sh run | in (access-list|permit|deny)
ip access-list standard ONE-DROP
 deny   192.168.0.1
 permit 192.168.0.0 0.0.0.255
ip access-list extended WEB-FILTER
 deny   tcp host 192.168.0.1 host 192.168.4.1 eq www
 deny   tcp host 192.168.0.2 host 192.168.4.1 eq www
 deny   tcp host 192.168.0.3 host 192.168.4.1 eq www
 permit ip any any
access-list 2 deny   192.168.0.1
access-list 2 permit any
access-list 100 permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq www
access-list 101 permit tcp 192.168.0.0 0.0.0.255 host 192.168.4.1 eq www

Sadly, all statements of access list 1 were removed.

The correct syntax is the following:

access-list 1 permit host 192.168.0.1
access-list 1 permit host 192.168.0.2
access-list 1 permit host 192.168.0.3
access-list 1 permit host 192.168.0.4
access-list 1 permit host 192.168.0.5
R1(config)#access-list 1 permit host 192.168.0.1
R1(config)#access-list 1 permit host 192.168.0.2
R1(config)#access-list 1 permit host 192.168.0.3
R1(config)#access-list 1 permit host 192.168.0.4
R1(config)#access-list 1 permit host 192.168.0.5
R1(config)#do sh acce 1
% Ambiguous command:  "do sh acce 1"
R1(config)#do sh access-lists 1
Standard IP access list 1
    10 permit 192.168.0.1
    20 permit 192.168.0.2
    30 permit 192.168.0.3
    40 permit 192.168.0.4
    50 permit 192.168.0.5
R1(config)#ip access-list standa
R1(config)#ip access-list standard 1
R1(config-std-nacl)#no 30
R1(config-std-nacl)#exit
R1(config)#do sh ip access
R1(config)#do sh access
R1(config)#do sh access-lis
R1(config)#do sh access-lists 1
Standard IP access list 1
    10 permit 192.168.0.1
    20 permit 192.168.0.2
    40 permit 192.168.0.4
    50 permit 192.168.0.5
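The two sections above show the pitfalls the hard way: an ACE appended below "permit ip any any" never matches (seq 30 in WEB-FILTER), a duplicate sequence number is refused, "no <seq>" removes one ACE, and the global "no access-list 1 ..." wipes the whole numbered list. The following Python audit script is an added example, not part of the original page; it parses "show access-lists" output, flags shadowed ACEs, and replays the sequence-number fix. SAMPLE_SHOW is a constructed string modelled on the lab output; the class and function names are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample from the page's lab: the appended deny landed at seq 30.
SAMPLE_SHOW = """\
Standard IP access list 1
    10 deny   192.168.0.1
    20 permit any
Extended IP access list WEB-FILTER
    10 deny tcp host 192.168.0.1 host 192.168.4.1 eq www (1 match)
    20 permit ip any any (19 matches)
    30 deny tcp host 192.168.0.2 host 192.168.4.1 eq www
"""
HEADER_RE = re.compile(r"^(Standard|Extended) IP access list (\S+)$")
ENTRY_RE = re.compile(
    r"^\s+(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\(\d+ match(?:es)?\))?$")
CATCH_ALL = {"ip any any", "any"}   # extended / standard catch-all rules

@dataclass
class Acl:
    entries: dict = field(default_factory=dict)   # seq -> (action, rule)

    def add(self, seq, action, rule):
        """'<seq> permit|deny ...': IOS refuses a duplicate sequence number."""
        if seq in self.entries:
            raise ValueError("% Duplicate sequence number")
        self.entries[seq] = (action, rule)

    def no_access_list(self):
        """Global 'no access-list <n> ...' wipes the WHOLE numbered list."""
        self.entries.clear()

    def shadowed(self):
        """Sequence numbers that never match: an earlier catch-all covers all."""
        hidden, catch_all_seen = [], False
        for seq, (_action, rule) in sorted(self.entries.items()):
            if catch_all_seen:
                hidden.append(seq)
            elif rule in CATCH_ALL:
                catch_all_seen = True
        return hidden

def parse_show_access_lists(text):
    """Parse 'show access-lists' output into {name: Acl}."""
    acls, current = {}, None
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            current = acls.setdefault(m.group(2), Acl())
        elif (m := ENTRY_RE.match(line)) and current is not None:
            current.entries[int(m.group(1))] = (m.group(2), m.group(3))
    return acls

def fix_shadowed(acl, new_seq):
    """Replay the page's fix: re-add each shadowed ACE above the catch-all
    starting at new_seq (add() raises if taken), then 'no <seq>' the old one."""
    for seq in acl.shadowed():
        acl.add(new_seq, *acl.entries[seq])
        del acl.entries[seq]                    # same effect as 'no <seq>'
        new_seq += 1
    return sorted(acl.entries)
```

Run it against a real "show access-lists" capture to list every ACE that sits below a catch-all before trusting the match counters.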

tech/network/cisco/show-edit-acl/show-edit-acl.txt · Last modified: 2020/08/30 10:30 by wnoguchi