Mailing List Archive: Cisco: NSP

access list help and best way to do access-list

 

 



adriankok2000 at yahoo

Nov 1, 2008, 4:51 AM

access list help and best way to do access-list

Hi

I have this original access-list in running config

access-list 20 deny 192.168.0.0
access-list 20 permit any
line vty 0 4
access-class 20 in



and want to change it to add log: "access-list 20 deny 192.168.0.0 0.0.0.255 log"

When I change it:
router(config)#access-list 20 deny 192.168.0.0 0.0.0.255 log
I realized it can't be changed and I have to use "no":
router(config)#no access-list 20 deny 192.168.0.0 0.0.0.255



When I used this command, I almost lost the connection from anywhere.

My questions:

1/ How can I prevent this from happening?

2/ What is the best way to do the access-list in "line vty"?

3/ Is it good to use log in an access-list?
I'm not sure whether the router is busy or not.

thank you









_______________________________________________
cisco-nsp mailing list cisco-nsp [at] puck
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


lee.e.rian at census

Nov 1, 2008, 8:00 AM

Re: access list help and best way to do access-list

>1/ how can I prevent it happens?

line vty 0 4
no access-class 20 in


>2/ What is the best way to do the access-list in "line vty"?

How perfect can you be? <grin> If you aren't going to make any mistakes,
create a file on a tftp server that has the
no access-list 20
access-list 20 ...
access-list 20 ...
and do a conf net to get the changes applied.

If you make typos as often as I do, remove the access list from the vty,
recreate the access list and, if there are no mistakes, reapply the access
list:
line vty 0 4
no access-class 20 in
no access-list 20
access-list 20 ...
access-list 20 ...
line vty 0 4
access-class 20 in

Even better is using a different access list number. I don't bother for
vtys, but on our ISP link I alternate between access list numbers:
no access-list 21
access-list 21 ...
access-list 21 ...
line vty 0 4
access-class 21 in


>3/ ls it good to use log in access-list?
>Not sure how router busy or not?

It is extra overhead... but it's also a really easy way to see what's being
blocked. Just be sure that the console logging level is low enough that
stuff doesn't get logged to the console. I like "no logging console" - but
I watch the logs from a syslog server, so YMMV.

Regards,
Lee
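The three sequences discussed in this thread (the first post's in-place "no ... " edit, the detach/rebuild/reattach sequence, and the fresh-number swap) replayed against a small model of IOS numbered standard ACLs. This is an added example, not code from the thread or from Cisco. It assumes an admin connecting from 10.0.0.5 (constructed), models "no access-list N ..." as removing the whole numbered list as classic IOS does, and conservatively treats a referenced list that has been deleted or is mid-rebuild as an empty list (implicit deny); check what your platform actually does with an undefined list before relying on that detail. It also shows why the original entry without a wildcard mask only ever matched the single address 192.168.0.0.

```python
"""Toy model of IOS numbered standard ACLs and the vty access-class: replays
the change from the first post and the two safer sequences from the reply."""
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

Entry = Tuple[str, str, str, bool]  # (action, address, wildcard, log)


def parse_entry(line: str) -> Tuple[int, Entry]:
    """Parse 'access-list N permit|deny (any | host A | A [WILDCARD]) [log]'.
    No wildcard means one host (0.0.0.0): the original 'deny 192.168.0.0'
    therefore matches only that single address, not the /24."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"not a standard access-list entry: {line!r}")
    number, action, rest = int(tok[1]), tok[2], tok[3:]
    log = rest[-1] == "log"
    if log:
        rest = rest[:-1]
    if rest[0] == "any":
        addr, wild = "0.0.0.0", "255.255.255.255"
    elif rest[0] == "host":
        addr, wild = rest[1], "0.0.0.0"
    else:
        addr, wild = rest[0], (rest[1] if len(rest) > 1 else "0.0.0.0")
    return number, (action, addr, wild, log)


def wildcard_match(addr: str, wild: str, src: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'do not care about this bit'."""
    a, w, s = (int(IPv4Address(x)) for x in (addr, wild, src))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (s & care)


def evaluate(entries: List[Entry], src: str) -> Tuple[str, bool]:
    """First match wins; no match is the implicit deny. Returns (action, log)."""
    for action, addr, wild, log in entries:
        if wildcard_match(addr, wild, src):
            return action, log
    return "deny", False


class Router:
    """Just enough config state to see whether a vty session stays reachable."""

    def __init__(self) -> None:
        self.acls: Dict[int, List[Entry]] = {}
        self.access_class: Optional[int] = None

    def configure(self, line: str) -> None:
        tok = line.split()
        if tok[:2] == ["line", "vty"]:
            return                                  # mode change only
        if tok[0] == "access-class":
            self.access_class = int(tok[1])
        elif tok[:2] == ["no", "access-class"]:
            self.access_class = None
        elif tok[:2] == ["no", "access-list"]:
            # Modelled on classic IOS, where 'no access-list N ...' with any
            # trailing text removes the whole numbered list, not one entry.
            self.acls.pop(int(tok[2]), None)
        else:
            number, entry = parse_entry(line)
            self.acls.setdefault(number, []).append(entry)

    def vty_allows(self, src: str) -> bool:
        if self.access_class is None:
            return True
        # Assumption (conservative): a referenced list that was deleted or is
        # still being rebuilt behaves like an empty list, i.e. implicit deny.
        return evaluate(self.acls.get(self.access_class, []), src)[0] == "permit"


def replay(lines: List[str], admin_src: str) -> List[bool]:
    """Start from the poster's running config, apply lines one at a time and
    record after each whether admin_src could still open a vty session."""
    r = Router()
    for cmd in ("access-list 20 deny 192.168.0.0", "access-list 20 permit any",
                "line vty 0 4", "access-class 20 in"):
        r.configure(cmd)
    reachable = []
    for cmd in lines:
        r.configure(cmd)
        reachable.append(r.vty_allows(admin_src))
    return reachable


ADMIN = "10.0.0.5"  # constructed admin source address, not from the thread
# 1. First post: the 'no' drops the whole list; nothing is permitted again
#    until the final 'permit any' goes back in.
NAIVE = ["no access-list 20 deny 192.168.0.0 0.0.0.255",
         "access-list 20 deny 192.168.0.0 0.0.0.255 log",
         "access-list 20 permit any"]
# 2. Reply: detach from the vty, rebuild, reattach.
DETACH = ["line vty 0 4", "no access-class 20 in", "no access-list 20",
          "access-list 20 deny 192.168.0.0 0.0.0.255 log",
          "access-list 20 permit any", "line vty 0 4", "access-class 20 in"]
# 3. Reply's preferred form: build under a fresh number, swap in one command.
SWAP = ["no access-list 21", "access-list 21 deny 192.168.0.0 0.0.0.255 log",
        "access-list 21 permit any", "line vty 0 4", "access-class 21 in"]

if __name__ == "__main__":
    for name, seq in (("naive", NAIVE), ("detach", DETACH), ("swap", SWAP)):
        print(name, "admin reachable after each line:", replay(seq, ADMIN))
```

Running it prints, per sequence, whether the admin could still open a session after each configuration line: the naive sequence has a two-line window in which every source is denied, while the other two never lose reachability. The number swap is the cleanest because the only moment the vty's protection changes is the single "access-class 21 in" command, and the old list stays intact to fall back to.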

