Hi,

This is normal behavior of IOS and there is not much you can do to change this.
The best way to remove lines from an access-list is to copy the whole list to a
text file, remove the access list in the router, then paste back the access
list minus the lines you wanted to delete.

There is also no way to add an additional line to the middle of a list or
replace an existing one; please see above for how to modify.

Regarding the syslog server and the file size: one way to stop the file growing
is to enable fast switching on the interface the access list is applied to.
This way only the first packet in each flow of traffic will match the list and
be logged. Because only the first packet in the flow will be process switched
and match the ACL, all following packets will follow the fast path through the
router and will not cause the ACL to log a message.

Rich

On Feb 2,  1:09pm, Sim, CT (Chee Tong) chatted about:
> Subject: why deleting an access-list entry deletes all the entries
> Dear all,
>
> 1) I was trying to log an access-list counter to the syslog server, so I typed
>
> router(config)#access-list 100 tcp any any eq www log
>
> but it doesn't delete the original access-list and it creates two entries, one
> with log behind and one without.
>
> But when I delete the entry
> router(config)#no access-list 100 tcp any any eq www log
> it deletes ALL my access-list 100 entries!!! Why..??? Then how do I delete only
> one entry?
>
> access-list 100 permit tcp any any eq www
> access-list 100 permit tcp any any eq www log
> access-list 100 permit tcp any eq www any
> access-list 100 permit tcp any any eq 5100
> access-list 100 permit tcp any eq 5100 any
> access-list 100 permit udp any any eq domain
> access-list 100 permit udp any eq domain any
> access-list 100 permit tcp any eq 3000 any
> access-list 100 permit udp any eq 3000 any
> access-list 100 permit tcp any any eq 3000
> access-list 100 permit udp any any eq 3000
> access-list 100 permit tcp any any eq 4040
> access-list 100 permit tcp any any eq 6080
> access-list 100 permit tcp any any range 8194 8294
> access-list 100 permit udp any any range 48129 48192 log
> access-list 100 permit udp any eq 6080 any
> access-list 100 permit udp any eq 4040 any
>
> 2) (OPTIONAL)
> After I log the access-list counter to the syslog server, I found the file
> in the syslog is very big; there are too many entries in the file, 1
> packet will create one entry like
>
> Feb  2 15:50:22 57.198.165.240 5343: 16w4d: %SEC-6-IPACCESSLOGP: list 100 permitted udp 199.105.182.171(48130) -> 192.168.3.149(48130), 1 packet
> Feb  2 15:50:33 57.198.165.240 5344: 16w4d: %SEC-6-IPACCESSLOGP: list 100 permitted udp 199.105.182.173(48130) -> 192.168.3.133(48130), 1 packet
> Feb  2 15:50:43 57.198.165.240 5345: 16w4d: %SEC-6-IPACCESSLOGP: list 100 permitted udp 199.105.182.173(48130) -> 192.168.3.153(48130), 1 packet
> Feb  2 15:51:13 57.198.165.240 5346: 16w4d: %SEC-6-IPACCESSLOGP: list 100 permitted udp 199.105.182.173(48130) -> 192.168.3.112(48130), 1 packet
> Feb  2 15:51:23 57.198.165.240 5347: 16w4d: %SEC-6-IPACCESSLOGP: list 100 permitted udp 199.105.182.173(48130) -> 192.168.3.140(48130), 1 packet
> Feb  2 15:51:33 57.198.165.240 5348: 16w4d: %SEC-6-IPACCESSLOGP: list 100 permitted udp 199.105.182.23(48129) -> 192.168.3.139(48129), 1 packet
>
> How to log it as a summary like
>
> RBFW2514#sh access-list
> Standard IP access list 1
>     permit any
> Extended IP access list 100
>     permit tcp host 199.105.182.86 eq 8292 host 192.168.3.133 eq 8277 (32930 matches)
>     permit udp host 199.105.182.173 eq 48130 host 192.168.3.134 eq 48130 (389 matches)
>     permit tcp host 199.105.182.86 eq 8292 host 192.168.3.169 eq 8277 (11972 matches)
>     permit udp host 199.105.182.23 eq 48129 host 192.168.3.115 eq 48129 (2 matches)
>     permit tcp host 199.105.182.189 eq 8194 host 192.168.3.119 eq 8198 (8603 matches)
>     permit tcp host 199.105.182.189 eq 8194 host 192.168.3.133 eq 8197 (15343 matches)
>     permit tcp host 199.105.182.190 eq 8194 host 192.168.3.119 eq 8201 (8365 matches)
>
> _________________________________
> FAQ, list archives, and subscription info:
> http://www.groupstudy.com/list/cisco.html
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
> -- End of waffle from Sim, CT (Chee Tong)



-- 

          *** Please copy your emails to [EMAIL PROTECTED] ***

#-----------------------------------------------------------------------#
#    ..       ..    | Richard Gallagher     | Office:+32 2 704 5000     #
#    ||       ||    | Euro-CATS             | Direct:+32 2 704 5421     #
#    ||       ||    | Cisco Systems Belgium | Fax:   +32 2 704 6000     #
#   ||||     ||||   | Pegasus Park          | email: [EMAIL PROTECTED] #
#.:||||||:.:||||||:.| De Kleetlaan, 6A      |                           #
#   Cisco Systems   | BE 1831 Diegem        | http://www.cisco.com/tac  #
#-----------------------------------------------------------------------#
 "Normal people believe that if it ain't broke, don't fix it. Engineers
  believe that if it ain't broke, it doesn't have enough features yet."

      Check out this link: http://www.cisco.com/warp/customer/63/
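The copy-out, delete, paste-back procedure Rich describes, scripted as an added example (not code from the thread or from Cisco): the entries, the ACL number and the sample running-config excerpt are constructed from the list quoted in the question.

```python
"""Rebuild a numbered IOS access-list without selected entries.

Added example, not from the thread. It scripts Rich's procedure: copy the
list out of the running config, drop the unwanted lines, and produce the
block to paste back ('no access-list N' followed by the survivors).
The sample config is constructed from the ACL quoted in the question.
"""
import re

# Constructed sample: the list as 'show running-config' would print it.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip access-group 100 in
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any any eq www log
access-list 100 permit tcp any eq www any
access-list 100 permit udp any any range 48129 48192 log
"""

def _norm(ace: str) -> str:
    """Collapse whitespace so copy/paste spacing differences do not matter."""
    return re.sub(r"\s+", " ", ace.strip())

def acl_entries(config_text: str, acl_number: int) -> list[str]:
    """ACE bodies of one numbered list (text after 'access-list N '), in order."""
    prefix = f"access-list {acl_number} "
    return [_norm(ln)[len(prefix):] for ln in config_text.splitlines()
            if _norm(ln).startswith(prefix)]

def rebuild_acl(config_text: str, acl_number: int, drop: list[str]) -> list[str]:
    """Config lines to paste back: wipe the list, then re-add every entry
    except those whose full ACE body is in `drop`.

    Matching on the whole body means the entry ending in 'log' and its twin
    without 'log' are distinct lines, which is the situation in the question.
    """
    entries = acl_entries(config_text, acl_number)
    if not entries:
        raise ValueError(f"access-list {acl_number} not found in config")
    wanted = {_norm(a) for a in drop}
    missing = wanted - set(entries)
    if missing:
        raise ValueError(f"not in access-list {acl_number}: {sorted(missing)}")
    kept = [f"access-list {acl_number} {e}" for e in entries if e not in wanted]
    # 'no access-list N' removes the whole list (the behaviour the question
    # ran into), so the survivors must follow it, in their original order.
    return [f"no access-list {acl_number}"] + kept

if __name__ == "__main__":
    print("\n".join(rebuild_acl(SAMPLE_CONFIG, 100, ["permit tcp any any eq www log"])))
```

In classic IOS an interface whose access-group refers to a list that no longer exists passes all traffic, so between the `no access-list 100` line and the last re-added entry the interface is unfiltered; paste the block in one go, or remove the `ip access-group` binding first and re-apply it afterwards.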

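For the second question (a per-flow summary instead of one syslog line per packet), Rich's answer is fast switching on the router; the added example below (not from the thread or from Cisco) does the complementary job on the syslog collector, collapsing the %SEC-6-IPACCESSLOGP lines into per-flow totals in the style of `show access-list`. The sample lines are constructed from the ones quoted in the question.

```python
"""Summarise Cisco %SEC-6-IPACCESSLOGP syslog lines per flow.

Added example, not from the thread. It addresses the 'log it as a summary'
part on the syslog-server side: the one-message-per-packet lines are
collapsed into per-flow packet totals rendered like the '(N matches)'
counters of 'show access-list'. The sample lines are constructed from the
ones quoted in the question.
"""
import re
from collections import Counter

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)
FIELDS = ("acl", "action", "proto", "src", "sport", "dst", "dport")

# Constructed sample; IOS reports a batch of the same flow as 'N packets'.
SAMPLE_LOG = """\
Feb  2 15:50:22 57.198.165.240 5343: 16w4d: %SEC-6-IPACCESSLOGP: list 100 permitted udp 199.105.182.171(48130) -> 192.168.3.149(48130), 1 packet
Feb  2 15:50:33 57.198.165.240 5344: 16w4d: %SEC-6-IPACCESSLOGP: list 100 permitted udp 199.105.182.173(48130) -> 192.168.3.133(48130), 1 packet
Feb  2 15:50:43 57.198.165.240 5345: 16w4d: %SEC-6-IPACCESSLOGP: list 100 permitted udp 199.105.182.173(48130) -> 192.168.3.133(48130), 7 packets
Feb  2 15:51:33 57.198.165.240 5348: 16w4d: %SEC-6-IPACCESSLOGP: list 100 permitted udp 199.105.182.23(48129) -> 192.168.3.139(48129), 1 packet
Feb  2 15:51:40 57.198.165.240 5349: 16w4d: %SYS-5-CONFIG_I: Configured from console by vty0
"""

def summarise(log_text: str) -> dict[tuple, int]:
    """Sum packet counts per (acl, action, proto, src, sport, dst, dport);
    lines that are not ACL log messages are skipped."""
    totals: Counter = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            totals[tuple(m.group(f) for f in FIELDS)] += int(m.group("count"))
    return dict(totals)

def render(totals: dict[tuple, int]) -> list[str]:
    """One 'show access-list' style line per flow, busiest flow first."""
    lines = []
    for key, n in sorted(totals.items(), key=lambda kv: -kv[1]):
        acl, action, proto, src, sport, dst, dport = key
        verb = "permit" if action == "permitted" else "deny"
        lines.append(f"list {acl}: {verb} {proto} host {src} eq {sport} "
                     f"host {dst} eq {dport} ({n} matches)")
    return lines

if __name__ == "__main__":
    print("\n".join(render(summarise(SAMPLE_LOG))))
```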