Hi,

One needs to be careful when playing with access-lists.  I would recommend creating a 
new access-list with a different number, then applying it to the interface after you 
are satisfied it looks ok.  When adding a new line to an access-list it puts it on the 
bottom of the list.  When deleting a line (no access-list 101 and the rest) you delete 
the access-list.  This is the normal behavior of a Cisco router.  It is a good policy 
never to work on a running access-list.

I also recommend that you create the new list, save the config, then apply the list.  
This way if your new list locks you out you can restart your router and the previously 
working list will be the running one again.  I further recommend that if the 
access-list is in a remote area that before applying the new list you put a "reload in 
3 minutes" type command in before applying it.  If you still have access after it is 
applied, remove the reload command.  This way you get the router back in a couple of 
minutes in a failed network.

Teunis
Hobart, Tasmania
Australia


On Friday, February 02, 2001 at 05:49:32 PM, Sim. CT (Chee Tong) wrote:

> Dear all,
> 
> 1) I was trying to log an access-list counter to the syslog server, so I typed
> 
> 
> router(config)#access-list 100 tcp any any eq www log
> but it doesn't delete the original access-list and it creates two entries, one
> with log behind and one without.  
> 
> But when I delete the entry 
> router(config)#no access-list 100 tcp any any eq www log
> it deletes ALL my access-list 100 entries !!! why..???  then how to delete only
> one entry
> 
> access-list 100 permit tcp any any eq www
> access-list 100 permit tcp any any eq www log
> access-list 100 permit tcp any eq www any
> access-list 100 permit tcp any any eq 5100
> access-list 100 permit tcp any eq 5100 any
> access-list 100 permit udp any any eq domain
> access-list 100 permit udp any eq domain any
> access-list 100 permit tcp any eq 3000 any
> access-list 100 permit udp any eq 3000 any
> access-list 100 permit tcp any any eq 3000
> access-list 100 permit udp any any eq 3000
> access-list 100 permit tcp any any eq 4040
> access-list 100 permit tcp any any eq 6080
> access-list 100 permit tcp any any range 8194 8294
> access-list 100 permit udp any any range 48129 48192 log
> access-list 100 permit udp any eq 6080 any
> access-list 100 permit udp any eq 4040 any
> 
> 2)(OPTIONAL)
> After I log the access-list counter to the syslog server, I found the file
> in the syslog is very big, there are too many many entries in the file, 1
> packet will create one entry like
> 
> Feb  2 15:50:22 57.198.165.240 5343: 16w4d: %SEC-6-IPACCESSLOGP: list 100 permitted udp 199.105.182.171(48130) -> 192.168.3.149(48130), 1 packet
> Feb  2 15:50:33 57.198.165.240 5344: 16w4d: %SEC-6-IPACCESSLOGP: list 100 permitted udp 199.105.182.173(48130) -> 192.168.3.133(48130), 1 packet
> Feb  2 15:50:43 57.198.165.240 5345: 16w4d: %SEC-6-IPACCESSLOGP: list 100 permitted udp 199.105.182.173(48130) -> 192.168.3.153(48130), 1 packet
> Feb  2 15:51:13 57.198.165.240 5346: 16w4d: %SEC-6-IPACCESSLOGP: list 100 permitted udp 199.105.182.173(48130) -> 192.168.3.112(48130), 1 packet
> Feb  2 15:51:23 57.198.165.240 5347: 16w4d: %SEC-6-IPACCESSLOGP: list 100 permitted udp 199.105.182.173(48130) -> 192.168.3.140(48130), 1 packet
> Feb  2 15:51:33 57.198.165.240 5348: 16w4d: %SEC-6-IPACCESSLOGP: list 100 permitted udp 199.105.182.23(48129) -> 192.168.3.139(48129), 1 packet
> 
> How to log it as a summary like
> 
> RBFW2514#sh access-list
> Standard IP access list 1
>     permit any
> Extended IP access list 100
>     permit tcp host 199.105.182.86 eq 8292 host 192.168.3.133 eq 8277 (32930 matches)
>     permit udp host 199.105.182.173 eq 48130 host 192.168.3.134 eq 48130 (389 matches)
>     permit tcp host 199.105.182.86 eq 8292 host 192.168.3.169 eq 8277 (11972 matches)
>     permit udp host 199.105.182.23 eq 48129 host 192.168.3.115 eq 48129 (2 matches)
>     permit tcp host 199.105.182.189 eq 8194 host 192.168.3.119 eq 8198 (8603 matches)
>     permit tcp host 199.105.182.189 eq 8194 host 192.168.3.133 eq 8197 (15343 matches)
>     permit tcp host 199.105.182.190 eq 8194 host 192.168.3.119 eq 8201 (8365 matches)
> 
> 
> _________________________________
> FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
> 
> 


--
www.tasmail.com
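The change procedure Teunis describes, written out as a Cisco IOS CLI session. This is an added example and not part of either post; the interface name (Serial0), the access-list numbers (100 as the list currently bound to the interface, 101 as its replacement) and the individual entries are assumptions for illustration.

```text
! Added example, not from the original thread. Interface, ACL numbers and
! entries are assumed. Lines starting with '!' are comments.

! 1) Build the replacement list under a NEW number. Each line is appended
!    to the bottom of 101; nothing in the live list 100 is touched.
router#configure terminal
router(config)#access-list 101 permit tcp any any eq www log
router(config)#access-list 101 permit tcp any eq www any
router(config)#access-list 101 permit udp any any eq domain
router(config)#access-list 101 permit udp any eq domain any
router(config)#access-list 101 permit udp any any range 48129 48192 log
router(config)#end

! 2) Review it before it sees any traffic.
router#show access-lists 101

! 3) Save while 101 is defined but 100 is still bound to the interface.
!    If the next step locks you out, a reload restores exactly this state.
router#copy running-config startup-config

! 4) Schedule the safety reload, THEN swap the list on the interface.
router#reload in 3
router#configure terminal
router(config)#interface Serial0
router(config-if)#ip access-group 101 in
router(config-if)#end

! 5) Still have access? Cancel the reload and commit the change.
!    (If you were locked out, the router reloads by itself and comes
!    back with 100 applied.)
router#reload cancel
router#copy running-config startup-config

! 6) Only now retire the old list. On a numbered ACL "no access-list 100"
!    removes the WHOLE list, not one entry, which is why steps 1-5 never
!    edit the list that is in service.
router#configure terminal
router(config)#no access-list 100
router(config)#end
router#copy running-config startup-config
```

The order of steps 3 and 4 is what makes the procedure safe: the saved configuration must have the old list applied and the new one merely defined, so that a reload (scheduled or manual) cannot leave the router running a list nobody has verified.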

