Managing access control lists

Use the Configuration Editor to manage access control lists (ACLs).

Before you begin

Because ACLs can be long and confusing, this procedure addresses how to use command sets to make the following typical ACL-related changes.

  • Add a new ACL to a command set
  • Add a new deny statement to an existing ACL
  • Delete an ACL
  • Use match and replace on an ACL

When adding list commands (such as ACL permit statements), any newly added command is automatically appended to the end of the current list unless you specify otherwise. Use the Equals icon to specify the location at which you want a new command added.

The following procedure shows how to match access-list 1 permit host 2.2.2.2 and then add one new permit statement before and two more new permit statements after.

  1. Switch to Match mode (if necessary) and select the type of access-list you are modifying from the drop-down lists.
  2. Enter the number of the existing access-list, and then use the Equals icon to indicate you are matching on 1.
  3. Add a permit host 2.2.2.2 to the ACL.
  4. While in Match view, select the command that must exist (permit host 2.2.2.2) and click the Equals icon.

    The Configuration Editor should now show the Plus (match) icon next to the number of the ACL (1) as well as the permit statement.

  5. Switch to Replace view and add the new permit statements you wish to be inserted.
  6. Mark each of the new permits as Adds.
  7. Using the up and down arrows if necessary, move the newly added commands to the proper place in relation to the matched command.

    The Modify icon at the top level (ACL) indicates that an existing ACL is being modified. The Equals icons show what must exist for the change to take place (as well as the relative position of the new permit statements), and the Plus icons show what will be added.

About this task

Use this procedure to manage ACLs.

Procedure

  1. Regardless of whether you are adding, modifying, or deleting an ACL, you must start by adding one to your command set.
    1. Click access-list in the configuration catalog.

      The Add access-list prompt is shown.

    2. Click the Plus icon to add.

      A blank access-list is added.

    3. Click the top-most Plus icon to expand the blank access-list.

      A drop-down list is displayed.

  2. To add a new ACL:
    1. After switching to Replace mode (if necessary), select the type of access-list you are adding from the drop-down lists.
    2. Enter the number of the new access-list.
    3. Click the Plus icon next to either deny, permit, or remark.
    4. Expand the new statement and complete, at minimum, the required fields. For example, if you specified deny, then expand the deny statement and complete the required fields.
    5. Select the outermost access-list box by clicking the “access-list 1 deny” title (in this example, where the deny statement was chosen).

      The title bar should turn blue.

    6. Click the Add icon to mark this new access-list as being added.

      Add icons are added at each level of the ACL, signifying that the entire ACL is an add. A Plus icon is displayed next to each command, indicating that a new ACL is being added.

      When applied, this command set will add the following ACL to each resource (as long as there is not already an access-list 1):

      access-list 1 deny 1.1.1.1

  3. To add to an existing ACL, follow these steps. The example shows how to add a new deny statement to an existing ACL.
    1. After switching to Match mode (if necessary), select the type of access-list to which you are adding from the drop-down lists.
    2. Enter the number of the existing access-list, and then use the Equals icon to mark it as match.
    3. Switch to Replace mode and click the Plus icon next to deny.
    4. Expand the new deny statement and complete, at minimum, the required fields.
    5. Select the “deny” box by clicking the “deny” title.

      The title bar should turn blue.

    6. Click the Add icon to mark this new deny statement as being added to the ACL.

      Add icons are shown at the deny level, while modify icons are shown higher up at the ACL level, signifying that the ACL is being modified by adding a new deny statement.

      When applied, this command set will add “deny 1.1.1.1” to “access-list 1” on each resource that has one. If a resource does not contain an “access-list 1,” no changes will be made.

  4. To delete a specific ACL, follow these steps.
    Note: You could also specify a wildcard as the Match value if you wanted to delete all current ACLs.
    1. After switching to Match mode (if necessary), select the type of access-list you are deleting from the drop-down lists.
    2. Enter the number of the access-list.

      This value must exist for the ACL in order for the command set to delete the ACL.

    3. Switch to “Replace” view, select the access-list title, and click the Delete icon to mark this command as being deleted.

      A Delete icon is added next to the top-level ACL command, as well as the ACL number (1) indicating that the entire ACL will be deleted.

      When applied, this command set will search for an access-list 1 and delete the entire ACL, regardless of what deny and permit statements it may have.

      -OR-

      While still in Match mode, enter a specific deny or permit value to further narrow the match criteria. Switch to “Replace” view, select the access-list title, and click the Delete icon to mark this command as being deleted.

      A Delete icon is added next to the command.

      When applied, this command set will search for an access-list 1 with the specific permit or deny value you entered, and delete the entire ACL if found.
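      The following Python model is an added example, not part of the Configuration Editor or its documentation. It models the command-set semantics described in the "Before you begin" example and in steps 2 to 4 above (add an ACL only where none exists, add a statement only to an ACL that exists, delete a whole ACL when its number or a specific statement matches, and insert statements before and after a matched statement) over a constructed running-config fragment from two hypothetical devices. The device names, addresses and function names are assumptions chosen for the example; it is useful for reasoning about what a command set will change on each resource before it is applied.

```python
"""Model of match/replace command-set behaviour on ACL lines (constructed example)."""

# Constructed running-config fragments for two hypothetical resources.
DEVICE_A = [
    "hostname deviceA",
    "access-list 1 permit host 2.2.2.2",
    "access-list 1 permit host 3.3.3.3",
    "access-list 2 permit any",
]
DEVICE_B = [
    "hostname deviceB",
    "access-list 2 permit any",
]


def acl_line_indexes(config, number):
    """Return the positions of every line belonging to access-list <number>."""
    prefix = f"access-list {number} "
    return [i for i, line in enumerate(config) if line.startswith(prefix)]


def add_acl_if_absent(config, number, statement):
    """Step 2: add a brand-new ACL, but only on resources that have no access-list <number>."""
    if acl_line_indexes(config, number):
        return list(config)  # an ACL with this number exists: no change
    return list(config) + [f"access-list {number} {statement}"]


def add_to_existing_acl(config, number, statement):
    """Step 3: append a statement to access-list <number>; no change if the ACL is absent."""
    indexes = acl_line_indexes(config, number)
    if not indexes:
        return list(config)  # match condition not met: nothing is changed
    out = list(config)
    out.insert(indexes[-1] + 1, f"access-list {number} {statement}")  # appended to the end of the list
    return out


def delete_acl(config, number, required_statement=None):
    """Step 4: delete the entire ACL if it exists, optionally only when a specific statement is present."""
    indexes = acl_line_indexes(config, number)
    if not indexes:
        return list(config)
    if required_statement is not None:
        if f"access-list {number} {required_statement}" not in config:
            return list(config)  # narrowed match failed: ACL is left alone
    drop = set(indexes)
    return [line for i, line in enumerate(config) if i not in drop]


def insert_relative_to_match(config, number, match_statement, before, after):
    """'Before you begin' example: match one statement and insert new ones before and after it."""
    matched = f"access-list {number} {match_statement}"
    if matched not in config:
        return list(config)
    i = config.index(matched)
    new_before = [f"access-list {number} {s}" for s in before]
    new_after = [f"access-list {number} {s}" for s in after]
    return config[:i] + new_before + [matched] + new_after + config[i + 1:]


if __name__ == "__main__":
    # Show what each command set would do on each constructed resource.
    for name, cfg in (("deviceA", DEVICE_A), ("deviceB", DEVICE_B)):
        print(f"== {name}: add access-list 1 deny 1.1.1.1 if absent")
        print("\n".join(add_acl_if_absent(cfg, 1, "deny 1.1.1.1")))
        print(f"== {name}: add deny 1.1.1.1 to existing access-list 1")
        print("\n".join(add_to_existing_acl(cfg, 1, "deny 1.1.1.1")))
        print(f"== {name}: delete access-list 1")
        print("\n".join(delete_acl(cfg, 1)))
```

Running the script shows the behaviour the procedure describes: deviceB gains access-list 1 from the first command set but is untouched by the second, while deviceA is untouched by the first and gains the deny statement from the second.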

  5. To use match and replace on a specific ACL, follow these steps.
    Note: In general, you can perform a match/replace as long as both commands are siblings, or at the same level. The command set in the following procedure is designed to add a log statement if an “access-list deny 1.1.1.1” command is found.
    1. Switch to Replace mode (if necessary), and begin entering the values for the commands you will be changing.
    2. Enter the number of the existing access-list (1 in this example).
    3. Click to add a deny statement, and enter the address.
    4. Select the type of access-list you are modifying from the drop-down lists.
    5. Select Log, and mark it as being added.
    6. Switch to Match mode.
    7. Select the access-list 1 and use the Equals icon to indicate you are matching on 1.
    8. Select the deny statement and use the Equals icon to mark the address as a match.

      The Modify icon at the top level (ACL) indicates that an existing ACL is being modified. The Equals icons show what must exist for