As everyone who has studied for the CCNA learns, there are many types of access list. In practice the most commonly used ones are IP access lists.
The major difference between the legacy “access-list <number> ...” syntax and the ACL configuration mode (“ip access-list standard|extended <name-or-number>”) is the ability to insert and remove individual entries by sequence number. The legacy syntax cannot address a single entry: “no access-list 130” deletes the whole ACL, so to drop one ACE the entire list has to be removed and entered again, this time without the entry in question. Note that this is not a standard-versus-extended distinction: standard ACLs can be edited the same way through “ip access-list standard”.
Editing through the ACL configuration mode takes a few more steps but has major benefits. Say you have the following ACL:
access-list 130 permit ip host 1.1.1.1 host 99.99.99.99
access-list 130 permit ip host 3.3.3.3 any
access-list 130 deny ip any any
and the entry “permit ip host 3.3.3.3 any” must be replaced with “permit ip host 3.3.3.3 host 99.99.99.99”.
The steps to take are:
- Obtain the sequence numbers of the existing entries
- Insert the new ACE at a free sequence number before the old one
- Remove the wrong ACE
- Resequence the entries
Obtain the sequence numbers
R4#sh access-lists 130
Extended IP access list 130
    10 permit ip host 1.1.1.1 host 99.99.99.99
    20 permit ip host 3.3.3.3 any
    30 deny ip any any
Insert new ACE
Sequence numbers 11 through 19 are free, and so are 21 through 29. Let's use 15. IOS evaluates entries in ascending sequence order, so the new entry at 15 is checked before the old entry at 20, and the ACL stays applied to its interface the whole time.
R4#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R4(config)#ip access-list extended 130
R4(config-ext-nacl)#15 permit ip host 3.3.3.3 host 99.99.99.99
R4(config-ext-nacl)#end
R4#
*Feb 19 13:14:24.206: %SYS-5-CONFIG_I: Configured from console by console
R4#sh access-lists 130
Extended IP access list 130
    10 permit ip host 1.1.1.1 host 99.99.99.99
    15 permit ip host 3.3.3.3 host 99.99.99.99
    20 permit ip host 3.3.3.3 any
    30 deny ip any any
Remove wrong ACE
The ACE that needs removal has sequence number 20. Removing it is as easy as “no 20” inside the access-list configuration mode.
R4#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R4(config)#ip access-list extended 130
R4(config-ext-nacl)#no 20
R4(config-ext-nacl)#exit
R4(config)#end
R4#
*Feb 19 13:18:32.452: %SYS-5-CONFIG_I: Configured from console by console
R4#sh ip access-lists 130
Extended IP access list 130
    10 permit ip host 1.1.1.1 host 99.99.99.99
    15 permit ip host 3.3.3.3 host 99.99.99.99
    30 deny ip any any
R4#
The sequence numbers are now uneven (10, 15, 30). A little repair is in order.
Resequence the entries
The repair command is:
ip access-list resequence <acl> <starting-sequence-number> <increment>
Here “130 10 10” renumbers the entries as 10, 20, 30. Keep in mind that sequence numbers are not saved in the startup configuration; after a reload IOS regenerates them starting at 10 in steps of 10.
R4#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R4(config)#ip access-list resequence 130 10 10
R4(config)#end
R4#
*Feb 19 13:23:12.473: %SYS-5-CONFIG_I: Configured from console by console
R4#sh access-list 130
Extended IP access list 130
    10 permit ip host 1.1.1.1 host 99.99.99.99
    20 permit ip host 3.3.3.3 host 99.99.99.99
    30 deny ip any any
R4#
Naturally the most important benefit is that the access list stays applied the whole time. With the legacy syntax a small modification means removing the ACL and entering it again, and while the interface references an ACL that does not exist (or has no entries) IOS permits all traffic on that interface. You never know exactly which traffic passed while you were working on the list. With sequenced editing the order of the steps still matters: insert the replacement first and remove the old entry afterwards, so that there is no moment at which neither entry is present.
The same applies to named access lists, and to standard ACLs edited through “ip access-list standard”.
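To make the procedure above and the fail-open point concrete, here is an added example; it is not from the original post and not a Cisco tool. It parses the “show access-lists” output of ACL 130, picks a free sequence number before the entry to be replaced, emits the IOS commands for the insert, remove and resequence steps, and evaluates a test flow after each step so the effect on traffic can be checked before touching the router. It generalises the article's case to any gap between entries and refuses when no free number exists. The function names, the sample output and the probe addresses are assumptions made up for this example; only plain “permit|deny ip SRC DST” entries are modelled.

```python
"""Added example (not from the original post): plan and sanity-check an in-place ACE
replacement on a sequenced Cisco IOS ACL. Only 'permit|deny ip SRC DST' entries are modelled."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample input: the "show access-lists 130" output shown in the article.
SHOW_ACL_130 = """\
Extended IP access list 130
    10 permit ip host 1.1.1.1 host 99.99.99.99
    20 permit ip host 3.3.3.3 any
    30 deny ip any any
"""
SEQ_LINE = re.compile(r"^\s*(\d+)\s+((?:permit|deny)\s+.*)$")

@dataclass
class Ace:
    seq: int
    action: str          # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

def parse_addr(tokens, i):
    """Consume one IOS address spec at tokens[i]; return (network, index after it)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(f"{tokens[i + 1]}/32"), i + 2
    # "A WILDCARD": ipaddress accepts a hostmask; a non-contiguous wildcard raises ValueError
    return ipaddress.IPv4Network((tokens[i], tokens[i + 1])), i + 2

def parse_ace(seq, text):
    """Parse 'permit|deny ip SRC DST [...]'; trailing match counters are ignored."""
    tokens = text.split()
    if tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
        raise ValueError(f"only 'permit|deny ip ...' entries are modelled: {text!r}")
    src, i = parse_addr(tokens, 2)
    dst, _ = parse_addr(tokens, i)
    return Ace(seq, tokens[0], src, dst)

def parse_show_acl(text):
    """Turn 'show access-lists NAME' output into Ace objects; header lines are skipped."""
    matches = (SEQ_LINE.match(line) for line in text.splitlines())
    return [parse_ace(int(m.group(1)), m.group(2)) for m in matches if m]

def free_seq(aces, before):
    """A free sequence number in the gap directly before ACE `before` (IOS matches in seq order)."""
    seqs = sorted(a.seq for a in aces)
    if before not in seqs:
        raise ValueError(f"no ACE with sequence number {before}")
    prev = max([s for s in seqs if s < before], default=0)
    if before - prev < 2:
        raise ValueError("no free sequence number: resequence the ACL first")
    return (prev + before) // 2   # middle of the gap leaves room for later inserts

def resequence(aces, start=10, step=10):
    """Model 'ip access-list resequence NAME start step'."""
    ordered = sorted(aces, key=lambda a: a.seq)
    return [Ace(start + n * step, a.action, a.src, a.dst) for n, a in enumerate(ordered)]

def evaluate(aces, src, dst):
    """First-match evaluation as IOS does it: lowest sequence first, implicit deny at the end."""
    if not aces:
        # IOS permits all traffic when an access-group references an undefined or empty ACL:
        # this is the window a legacy remove-and-rebuild edit opens on the interface.
        return "permit"
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for a in sorted(aces, key=lambda a: a.seq):
        if s in a.src and d in a.dst:
            return a.action
    return "deny"

def plan_replace(aces, old_seq, new_text, acl="130"):
    """IOS commands that replace ACE old_seq with new_text while the ACL stays applied."""
    new_seq = free_seq(aces, old_seq)
    return [f"ip access-list extended {acl}", f" {new_seq} {new_text}", f" no {old_seq}",
            " exit", f"ip access-list resequence {acl} 10 10"]

def simulate_replace(aces, old_seq, new_text, src, dst):
    """Verdict for flow src->dst before the edit, after the insert and after the removal."""
    work = list(aces)
    verdicts = [evaluate(work, src, dst)]
    work.append(parse_ace(free_seq(work, old_seq), new_text))
    verdicts.append(evaluate(work, src, dst))
    work = [a for a in work if a.seq != old_seq]
    verdicts.append(evaluate(work, src, dst))
    return verdicts

if __name__ == "__main__":
    acl = parse_show_acl(SHOW_ACL_130)
    new = "permit ip host 3.3.3.3 host 99.99.99.99"
    print("\n".join(plan_replace(acl, 20, new)))
    print("3.3.3.3 -> 5.5.5.5 per step:", simulate_replace(acl, 20, new, "3.3.3.3", "5.5.5.5"))
```

Running it prints the five IOS commands of the procedure and the verdicts for 3.3.3.3 to 5.5.5.5 after each step: permitted until the old entry 20 is gone, denied by the explicit deny afterwards, with no step at which the list is empty. The empty-list case in evaluate() returning “permit” is the point of the comparison: it models what the interface does while a legacy remove-and-rebuild edit is in progress.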
NOTE:
Cisco Nexus (NX-OS) devices use a slightly different syntax to resequence:
NEXUS-R3(config)# resequence ip access-list some_vlan 10 10