Mục lục bài viết
Cập Nhật: 2022-03-10 04:02:13,Bạn Cần tương hỗ về How to delete extended access list. Bạn trọn vẹn có thể lại Comment ở phía dưới để Tác giả được tương hỗ.
Before continuing, refer Introduction to Access Control Lists (ACLs) lesson , if you are not familiar with Access Contol Lists.
Tóm lược đại ý quan trọng trong bài
Refer Standard Access Control Lists lesson if you are not familiar with Standard Access Control List (ACLs) configuration IOS commands.
Refer Extended Access Control Lists (ACLs) lesson if you are not familiar with Extended Access Control List configuration IOS commands.
Refer Named Access Control Lists (ACLs) if you are not familiar with Named Access Control Lists configuration IOS commands.
Refer Extended Named Access Control Lists (ACLs) lesson if you are not familiar with Extended Named Access Control List configuration IOS commands.
You can view an existing Access Control List (ACL) using the “show ip access-lists” IOS command as shown below.
Router01>enable
Router01#show ip access-lists BLOCK_WS03
Extended IP access list BLOCK_WS03
10 deny tcp host 172.16.0.12 host 172.20.0.5 eq www
20 permit ip any any
Router01#
Now you can add a new entry to deny the Workstation03 (IP Address – 172.16.0.12/16) in above Named Extended Access Control List (ACL name BLOCK_WS03), from accessing the File Server (IP Address – 172.20.0.6/16) using FTP as shown below.
Router01>enable
Router01#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router01(config)#ip access-list extended BLOCK_WS03
Router01(config-ext-nacl)#15 deny tcp host 172.16.0.12 host 172.20.0.6 eq ftp
Router01(config-ext-nacl)#
Router01(config)#exit
Router01#
To view the altered Named Access Control List (ACL name BLOCK_WS03) by running the below command.
Router01>enable
Router01#show access-lists
Extended IP access list BLOCK_WS03
10 deny tcp host 172.16.0.12 host 172.20.0.5 eq www
15 deny tcp host 172.16.0.12 host 172.20.0.6 eq ftp
20 permit ip any any
Router01#
You can remove an individual entry from an existing ACL by just using the keyword “no” and the sequence number of the line you wish to delete:
Router01#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router01(config)#ip access-list extended BLOCK_WS03
Router01(config-ext-nacl)#no 20
Router01(config-ext-nacl)#exit
Router01#
You can automatically re-adjust the changed Named Access Control sequence numbers using the “resequence” keyword as shown below.
Router01#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router01(config)#ip access-list resequence BLOCK_WS03 10 10
Router01(config)#exit
Router01#
Let’s say I have a access-list 1 with 5 permits.
And I would like to delete the third permit listing.
I know that I can simply do “no 30”
However, can I confirm that I can no access-list 1 permit host 192.168.1.1 command in global configuration mode. Or no access-list 1 global configuration command, and then re-enter the other 4 access-list?
3
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader’s understanding that there’s no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting’s information is solely at reader’s own risk.
Liability Disclaimer
In no sự kiện shall Author be liable for any damages wha2tsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting’s information even if Author has been advised of the possibility of such damage.
Posting
Packet Tracer has had a history of not implementing all IOS features correctly; might be the case here too. What version are you using?
To create and modify extended access lists on a WAAS device for controlling access to interfaces or applications, use the ip access-list extended global configuration command. To disable an extended access list, use the no form of this command.
ip access-list extended acl-num
no ip access-list extended acl-num
extended
Enables extended ACL configuration mode. The CLI enters the extended ACL configuration mode in which all subsequent commands apply to the current extended access list. The (config-ext-nacl) prompt appears:
WAE(config-ext-nacl)#
acl-name
Access list to which all commands entered from ACL configuration mode apply, using an alphanumeric string of up to 30 characters, beginning with a letter.
acl-num
Access list to which all commands entered from access list configuration mode apply, using a numeric identifier. For extended access lists, valid values range from 100 to 199.
An access list drops all packets unless you configure at least one permit entry.
global configuration
application-accelerator
central-manager
Within ACL configuration mode, you can use the editing commands (list, delete, and move) to display the current condition entries, to delete a specific entry, or to change the order in which the entries will be evaluated. To return to global configuration mode, enter the exit command at the ACL configuration mode prompt.
To create an entry, use a deny or permit keyword and specify the type of packets that you want the WAAS device to drop or to accept for further processing. By default, an access list denies everything because the list is terminated by an implicit deny any entry. Therefore, you must include at least one permit entry to create a valid access list.
Note ACLs that are defined on a router take precedence over the ACLs that are defined on the WAE. ACLs that are defined on a WAE take precedence over the WAAS application definition policies that are defined on the WAE.
After creating an access list, you can include the access list in an access group using the access-group command, which determines how the access list is applied. You can also apply the access list to a specific application using the appropriate command. A reference to an access list that does not exist is the equivalent of a permit any condition statement.
To create an extended access list, enter the ip access-list extended global configuration command. Identify the new or existing access list with a name up to 30 characters long beginning with a letter, or with a number. If you use a number to identify an extended access list, it must be from 100 to 199
Note You must use a standard access list for providing access to the SNMP server or to the TFTP gateway/server. However, you can use either a standard access list or an extended access list for providing access to the WCCP application.
To allow connections from a specific host, use the permit host source-ip option and replace source-ip with the IP address of the specific host.
To allow connections from a specific network, use the permit host source-ip wildcard option. Replace source-ip with a network ID or the IP address of any host on the network that you want to specify. Replace wildcard with the dotted decimal notation for a mask that is the reverse of a subnet mask, where a 0 indicates a position that must be matched and a 1 indicates a position that does not matter. For instance, the wildcard 0.0.0.255 causes the last eight bits in the source IP address to be ignored. Therefore, the permit 192.168.1.0 0.0.0.255 entry allows access from any host on the 192.168.1.0 network.
After you identify the extended access list, the CLI enters the extended ACL configuration mode and all subsequent commands apply to the specified access list.
WAE(config)# ip access-list extended testextacl
WAE(config-ext-nacl)#
The following example shows how to create an access list on the WAAS device. You create this access list to allow the WAAS device to accept all web traffic that is redirected to it but limit host administrative access using SSH:
WAE(config)# ip access-list extended testextacl
WAE(config-ext-nacl)# permit tcp any any eq www
WAE(config-ext-nacl)# permit tcp host 10.1.1.5 any eq ssh
WAE(config-ext-nacl)# exit
The following example shows how to activate the access list for an interface:
WAE(config)# interface gigabitethernet 1/0
WAE(config-if)# ip access-group testextacl in
WAE(config-if)# exit
The following example shows how this configuration appears when you enter the show running-configuration command:
…
!
interface GigabitEthernet 1/0
ip address 10.1.1.50 255.255.0.0
ip access-group testextacl in
exit
. . .
ip access-list extended testextacl
permit tcp any any eq www
permit tcp host 10.1.1.5 any eq ssh
exit
. . .
clear arp-cache
show ip access-list
(config-if) ip access-group
(config-ext-nacl) deny
(config-ext-nacl) delete
(config-ext-nacl) list
(config-ext-nacl) move
(config-ext-nacl) permit
To delete a line from the extended ACL, use the delete extended ACL configuration command.
delete line-num
line-num
Entry at a specific line number in the access list.
No default behavior or values.
extended ACL configuration mode
application-accelerator
central-manager
The following example shows how to delete line 10 from the extended ACL testextacl:
WAE(config)# ip access-list extended testextacl
WAE(config-ext-nacl)# delete 10
(config-ext-nacl) list
(config-ext-nacl) move
To add a line to an extended access list that specifies the type of packets that you want the WAAS device to drop, use the deny extended ACL configuration command. To add a condition to the extended ACL, note that the options depend on the chosen protocol.
For IP, use the following syntax to add a condition:
[insert line-num] deny gre any any
no deny proto-num any any
For TCP, use the following syntax to add a condition:
[insert line-num] deny tcp host source-ip [operator port [port]] any [operator port [port]] [established]
no deny tcp source-ip [wildcard] [operator port [port]]
dest-ip [wildcard] [operator port [port]] [established]
For UDP, use the following syntax to add a condition:
[insert line-num] deny udp source-ip [wildcard] [operator port [port]] host dest-ip [operator port [port]]
no deny udp source-ip [wildcard] [operator port [port]]
host dest-ip [operator port [port]]
For ICMP, use the following syntax to add a condition:
[insert line-num] deny icmp source-ip [wildcard]
host dest-ip [icmp-type [code] | icmp-msg]
no deny icmp source-ip [wildcard] any [icmp-type [code] | icmp-msg]
insert line-num
(Optional) Specifies to insert the conditions following the specified line number into the access list.
gre
Specifies to match packets using the Generic Routing Encapsulation protocol.
icmp
Specifies to match ICMP packets.
tcp
Specifies to match packets using the TCP protocol.
udp
Specifies to match packets using the UDP protocol.
ip
Specifies to match all IP packets.
proto-num
IP protocol number.
source-ip
Source IP address. The number of the network or host from which the packet is being sent, specified as a 32-bit quantity in 4-part dotted-decimal format (for example, 0.0.0.0).
wildcard
(Optional) Wildcard. The notation is in 4-digit, dotted-decimal format. Tge bits to match are identified by a digital value of 0; the bits to ignore are identified by a 1.
For extended IP ACLs, the wildcard parameter of the ip access-list command is always optional. If the host keyword is specified for a extended IP ACL, then the wildcard parameter is not allowed.
host source-ip
Specifies to match the following IP address.
any
Specifies to match any IP address.
dest-ip
Specifies destination IP address. The number of the network or host to which the packet is being sent, specified as a 32-bit quantity in 4-part dotted decimal format (for example, 0.0.0.0).
operator port
(Optional) Operator to use with specified ports, where lt = less than, gt = greater than, eq = equal to, neq = not equal to, and range = an inclusive range.
The port value is a number (0-65535) or a keyword; two port numbers are required with the range keyword. See the “Usage Guidelines” section for a listing of the UDP and TCP keywords.
established
(Optional) Specifies to match TCP packets with the acknowledgment or reset bits set.
icmp-type
(Optional) Match with ICMP message type (0-255).
code
(Optional) Code type is 0-255.
icmp-msg
(Optional) Match a combination of ICMP message type and code types, as expressed by the keywords shown in the “Usage Guidelines” section.
An access list drops all packets unless you configure at least one permit entry.
extended ACL configuration mode
application-accelerator
central-manager
To create an entry, use a deny or permit keyword and specify the type of packets that you want the WAAS device to drop or to accept for further processing. By default, an access list denies everything because the list is terminated by an implicit deny any entry. You must include at least one permit entry to create a valid access list.
To allow connections from a specific host, use the permit host source-ip option and replace source-ip with the IP address of the specific host.
To allow connections from a specific network, use the permit host source-ip wildcard option. Replace source-ip with a network ID or the IP address of any host on the network that you want to specify. Replace wildcard with the dotted decimal notation for a mask that is the reverse of a subnet mask, where a 0 indicates a position that must be matched and a 1 indicates a position that does not matter. For instance, the wildcard 0.0.0.255 causes the last eight bits in the source IP address to be ignored. The permit 192.168.1.0 0.0.0.255 entry allows access from any host on the 192.168.1.0 network.
For extended IP ACLs, the wildcard parameter is required if the host keyword is not specified.
Use an extended access list to control connections based on the destination IP address or based on the protocol type. You can combine these conditions with information about the source IP address to create more restrictive conditions.
Table 3-1 lists the UDP keywords that you can use with extended access lists.
Table 3-1 UDP Keywords for Extended Access Lists
CLI UDP Keyword Description UDP Port Number
bootpc
Bootstrap Protocol (BOOTP) client
68
bootps
Bootstrap Protocol (BOOTP) server
67
cmm
Cluster Membership Manager service
5787
domain
Domain Name System (DNS)
53
mms
Microsoft Media Server
1755
netbios-dgm
NetBIOS datagram service
138
netbios-ns
NetBIOS name service
137
netbios-ss
NetBIOS session service
139
nfs
Network File Server service
2049
ntp
Network Time Protocol
123
snmp
Simple Network Management Protocol
161
snmptrap
SNMP traps
162
tacacs
Terminal Access Controller Access Control System
49
tftp
Trivial File Transfer Protocol
69
wccp
Web Cache Communication Protocol
2048
Table 3-2 lists the TCP keywords that you can use with extended access lists.
Table 3-2 TCP Keywords for Extended Access Lists
CLI TCP Keyword Description TCP Port Number
domain
Domain Name System
53
exec
Exec (rcp)
512
ftp
File Transfer Protocol
21
ftp-data
FTP data connections (used infrequently)
20
https
Secure HTTP
443
mms
Microsoft Media Server
1755
nfs
Network File System service
2049
ssh
Secure Shell login
22
tacacs
Terminal Access Controller Access Control System
49
telnet
Telnet
23
www
World Wide Web (HTTP)
80
Table 3-3 lists the keywords that you can use to match specific ICMP message types and codes.
Table 3-3 Keywords for ICMP Messages
administratively-prohibited
alternate-address
conversion-error
dod-host-prohibited
dod-net-prohibited
echo
echo-reply
general-parameter-problem
host-isolated
host-precedence-unreachable
host-redirect
host-tos-redirect
host-tos-unreachable
host-unknown
host-unreachable
information-reply
information-request
mask-reply
mask-request
mobile-redirect
net-redirect
net-tos-redirect
net-tos-unreachable
net-unreachable
network-unknown
no-room-for-option
option-missing
packet-too-big
parameter-problem
port-unreachable
precedence-unreachable
protocol-unreachable
reassembly-timeout
redirect
router-advertisement
router-solicitation
source-quench
source-route-failed
time-exceeded
timestamp-reply
timestamp-request
traceroute
ttl-exceeded
unreachable
The following example shows how to create an access list on the WAAS device. You create this access list to allow the WAAS device to accept all web traffic that is redirected to it but limit host administrative access using SSH:
WAE(config)# ip access-list extended testextacl
WAE(config-ext-nacl)# permit tcp any any eq www
WAE(config-ext-nacl)# deny tcp host 10.1.1.5 any eq ssh
WAE(config-ext-nacl)# exit
The following example shows how to activate the access list for an interface:
WAE(config)# interface gigabitethernet 1/0
WAE(config-if)# ip access-group extended testextacl in
WAE(config-if)# exit
The following example shows how this configuration appears when you enter the show running-configuration command:
…
!
interface GigabitEthernet 1/0
ip address 10.1.1.50 255.255.0.0
ip access-group extended testextacl in
exit
. . .
ip access-list extended testextacl
permit tcp any any eq www
permit tcp host 10.1.1.5 any eq ssh
exit
. . .
(config-ext-nacl) delete
(config-ext-nacl) list
(config-ext-nacl) move
(config-ext-nacl) permit
To terminate extended ACL configuration mode and return to the global configuration mode, use the exit command.
exit
This command has no arguments or keywords.
No default behavior or values
all modes
application-accelerator
central-manager
The following example shows how to terminate extended ACL configuration mode and return to global configuration mode:
WAE(config-ext-nacl)# exit
WAE(config)#
To display a list of specified entries within the extended ACL, use the list extended ACL configuration command.
list [start-line-num [end-line-num]]
start-line-num
(Optional) Line number from which the list begins.
end-line-num
(Optional) Last line number in the list.
No default behavior or values.
extended ACL configuration mode
application-accelerator
central-manager
The following example shows how to display a list of specified entries within the extended ACL:
WAE(config)# ip access-list extended testextacl
WAE(config-ext-nacl)# list 25 50
(config-ext-nacl) delete
(config-ext-nacl) move
To move a line to a new position within the extended ACL, use the move extended ACL configuration command.
move old-line-num new-line-num
old-line-num
Line number of the entry to move.
new-line-num
New position of the entry. The existing entry is moved to the following position in the access list.
No default behavior or values.
extended ACL configuration mode
application-accelerator
central-manager
The following example shows how to move a line to a new position within the extended ACL:
WAE(config)# ip access-list extended testextacl
WAE(config-ext-nacl)# move 25 30
(config-ext-nacl) delete
(config-ext-nacl) list
To add a line to an extended access list that specifies the type of packets that you want the WAAS device to accept for further processing, use the permit extended ACL configuration command. To add a condition to the extended ACL, note that the options depend on the chosen protocol.
For IP, use the following syntax to add a condition:
[insert line-num] permit ip source-ip [wildcard] host dest-ip
no permit udp host source-ip any
For TCP, use the following syntax to add a condition:
[insert line-num] permit tcp host source-ip [operator port [port]] host dest-ip [operator port [port]] [established]
no permit tcp source-ip [wildcard] [operator port [port]]
dest-ip [wildcard] [operator port [port]] [established]
For UDP, use the following syntax to add a condition:
[insert line-num] permit udp any [operator port [port]] dest-ip [wildcard] [operator port [port]]
no permit udp any [operator port [port]]
dest-ip [wildcard] [operator port [port]]
For ICMP, use the following syntax to add a condition:
[insert line-num] permit icmp any host dest-ip [icmp-type [code] | icmp-msg]
no permit icmp source-ip [wildcard] any [icmp-type [code] | icmp-msg]
insert line-num
(Optional) Specifies to insert the conditions following the specified line number into the access list.
gre
Specifies to match packets using the Generic Routing Encapsulation protocol.
icmp
Specifies to match ICMP packets.
tcp
Specifies to match packets using the TCP protocol.
udp
Specifies to match packets using the UDP protocol.
ip
Specifies to match all IP packets.
proto-num
IP protocol number.
source-ip
Source IP address. The number of the network or host from which the packet is being sent, specified as a 32-bit quantity in 4-part dotted-decimal format (for example, 0.0.0.0).
wildcard
(Optional) Wildcard. The notation is in 4-digit, dotted-decimal format. Tge bits to match are identified by a digital value of 0; the bits to ignore are identified by a 1.
For extended IP ACLs, the wildcard parameter of the ip access-list command is always optional. If the host keyword is specified for a extended IP ACL, then the wildcard parameter is not allowed.
host source-ip
Specifies to match the following IP address.
any
Specifies to match any IP address.
dest-ip
Specifies destination IP address. The number of the network or host to which the packet is being sent, specified as a 32-bit quantity in 4-part dotted decimal format (for example, 0.0.0.0).
operator port
(Optional) Operator to use with specified ports, where lt = less than, gt = greater than, eq = equal to, neq = not equal to, and range = an inclusive range.
The port value is a number (0-65535) or a keyword; two port numbers are required with the range keyword. See the “Usage Guidelines” section for a listing of the UDP and TCP keywords.
established
(Optional) Specifies to match TCP packets with the acknowledgment or reset bits set.
icmp-type
(Optional) Match with ICMP message type (0-255).
code
(Optional) Code type is 0-255.
icmp-msg
(Optional) Match a combination of ICMP message type and code types, as expressed by the keywords shown in the “Usage Guidelines” section.
An access list drops all packets unless you configure at least one permit entry.
extended ACL configuration mode
application-accelerator
central-manager
To create an entry, use a deny or permit keyword and specify the type of packets that you want the WAAS device to drop or to accept for further processing. By default, an access list denies everything because the list is terminated by an implicit deny any entry. You must include at least one permit entry to create a valid access list.
To allow connections from a specific host, use the permit host source-ip option and replace source-ip with the IP address of the specific host.
To allow connections from a specific network, use the permit host source-ip wildcard option. Replace source-ip with a network ID or the IP address of any host on the network that you want to specify. Replace wildcard with the dotted decimal notation for a mask that is the reverse of a subnet mask, where a 0 indicates a position that must be matched and a 1 indicates a position that does not matter. For instance, the wildcard 0.0.0.255 causes the last eight bits in the source IP address to be ignored. The permit 192.168.1.0 0.0.0.255 entry allows access from any host on the 192.168.1.0 network.
For extended IP ACLs, the wildcard parameter is required if the host keyword is not specified.
Use an extended access list to control connections based on the destination IP address or based on the protocol type. You can combine these conditions with information about the source IP address to create more restrictive condition.
Table 3-4 lists the UDP keywords that you can use with extended access lists.
Table 3-4 UDP Keywords for Extended Access Lists
CLI UDP Keyword Description UDP Port Number
bootpc
Bootstrap Protocol (BOOTP) client
68
bootps
Bootstrap Protocol (BOOTP) server
67
domain
Domain Name System (DNS)
53
mms
Microsoft Media Server
1755
netbios-dgm
NetBIOS datagram service
138
netbios-ns
NetBIOS name service
137
netbios-ss
NetBIOS session service
139
nfs
Network File System service
2049
ntp
Network Time Protocol
123
snmp
Simple Network Management Protocol
161
snmptrap
SNMP traps
162
tacacs
Terminal Access Controller Access Control System
49
tftp
Trivial File Transfer Protocol
69
wccp
Web Cache Communication Protocol
2048
Table 3-5 lists the TCP keywords that you can use with extended access lists.
Table 3-5 TCP Keywords for Extended Access Lists
CLI TCP Keyword Description TCP Port Number
domain
Domain Name System
53
exec
Exec (rcp)
512
ftp
File Transfer Protocol
21
ftp-data
FTP data connections (used infrequently)
20
https
Secure HTTP
443
mms
Microsoft Media Server
1755
nfs
Network File System service
2049
ssh
Secure Shell login
22
tacacs
Terminal Access Controller Access Control System
49
telnet
Telnet
23
www
World Wide Web (HTTP)
80
Table 3-6 lists the keywords that you can use to match specific ICMP message types and codes.
Table 3-6 Keywords for ICMP Messages
administratively-prohibited
alternate-address
conversion-error
dod-host-prohibited
dod-net-prohibited
echo
echo-reply
general-parameter-problem
host-isolated
host-precedence-unreachable
host-redirect
host-tos-redirect
host-tos-unreachable
host-unknown
host-unreachable
information-reply
information-request
mask-reply
mask-request
mobile-redirect
net-redirect
net-tos-redirect
net-tos-unreachable
net-unreachable
network-unknown
no-room-for-option
option-missing
packet-too-big
parameter-problem
port-unreachable
precedence-unreachable
protocol-unreachable
reassembly-timeout
redirect
router-advertisement
router-solicitation
source-quench
source-route-failed
time-exceeded
timestamp-reply
timestamp-request
traceroute
ttl-exceeded
unreachable
The following example shows how to create an access list on the WAAS device. You create this access list to allow the WAAS device to accept all web traffic that is redirected to it but limit host administrative access using SSH:
WAE(config)# ip access-list extended testextacl
WAE(config-ext-nacl)# permit tcp any any eq www
WAE(config-ext-nacl)# permit tcp host 10.1.1.5 any eq ssh
WAE(config-ext-nacl)# exit
The following example shows how to activate the access list for an interface:
WAE(config)# interface gigabitethernet 1/0
WAE(config-if)# ip access-group example in
WAE(config-if)# exit
The following example shows how this configuration appears when you enter the show running-configuration command:
…
!
interface GigabitEthernet 1/0
ip address 10.1.1.50 255.255.0.0
ip access-group testextacl in
exit
. . .
ip access-list extended testextacl
permit tcp any any eq www
permit tcp host 10.1.1.5 any eq ssh
exit
. . .
(config-ext-nacl) delete
(config-ext-nacl) deny
(config-ext-nacl) list
(config-ext-nacl) move
Reply
9
0
Chia sẻ
– Một số Keyword tìm kiếm nhiều : ” Video full hướng dẫn How to delete extended access list tiên tiến và phát triển nhất , Share Link Down How to delete extended access list “.
Bạn trọn vẹn có thể để lại phản hồi nếu gặp yếu tố chưa hiểu nha.
#delete #extended #access #list How to delete extended access list