Tuesday, April 28, 2009

Use sequence numbers for easy Access Control List modifications

In the “old days,” you could add an entry only to the bottom of an ACL. There was no way to specify the position of a line entry within an access list. If you wanted to insert an entry in the middle of an existing list, you had to copy the ACL to a notepad, make your change, remove the existing ACL, and enter your revisions as a new list, basically rebuilding and recompiling the entire ACL.

Cisco changed all that with the introduction of sequence numbers. This IOS feature was originally introduced with 12.2(14)S. With the use of sequence numbers, you can add entries where you want them, delete entries as needed, and reorder your lists. This feature makes managing your ACLs much easier.

Many of you are already familiar with ACL sequence number editing. For those of you who have not tried it yet, check out this example.

Let’s walk through just how easy this process has become. In this example, we’ll look at an existing ACL, add a line, resequence the list, and then delete a line. We’ll do all this while the ACL is actively applied to an interface. For this example, I’m using a simple extended ACL, but these concepts can be applied to other ACLs as well.

Here is the pertinent part of a show run command:

interface Ethernet0/0
 ip access-group MYTESTACL in
ip access-list extended MYTESTACL
 permit ip 10.10.10.0 0.0.0.255 any
 permit icmp 10.10.10.0 0.0.0.255 any
 deny   ip 10.10.20.0 0.0.0.255 any
 permit tcp 10.10.30.0 0.0.0.255 host 192.168.87.65 eq www

As you can see, the sequence numbers are not displayed in the router running configuration. However, a show access-list command reveals the line entry sequence number information.

router#sh access-list
Extended IP access list MYTESTACL
    10 permit ip 10.10.10.0 0.0.0.255 any
    20 permit icmp 10.10.10.0 0.0.0.255 any
    30 deny ip 10.10.20.0 0.0.0.255 any
    40 permit tcp 10.10.30.0 0.0.0.255 host 192.168.87.65 eq www

Now that we have this information, we can insert a new line exactly where we need it, without disturbing the rest of the ACL. In this case, we’ll insert a new permit statement at sequence number 25. Note that the first item in the statement is the new sequence number.

router#conf t
router(config)#ip access-list extended MYTESTACL
router(config-ext-nacl)#25 permit tcp host 10.10.20.5 host 192.168.87.65 eq www

Here is the resulting change:

router#sh access-list MYTESTACL
Extended IP access list MYTESTACL
    10 permit ip 10.10.10.0 0.0.0.255 any
    20 permit icmp 10.10.10.0 0.0.0.255 any
    25 permit tcp host 10.10.20.5 host 192.168.87.65 eq www      (**note new line)
    30 deny ip 10.10.20.0 0.0.0.255 any
    40 permit tcp 10.10.30.0 0.0.0.255 host 192.168.87.65 eq www

Now let’s resequence this ACL with the following statement. The two values after the ACL name are the starting sequence number and the increment between entries.

router(config)#ip access-list resequence MYTESTACL 100 20

Here is the resulting show access-list command:

router#sh access-lists MYTESTACL
Extended IP access list MYTESTACL
    100 permit ip 10.10.10.0 0.0.0.255 any
    120 permit icmp 10.10.10.0 0.0.0.255 any
    140 permit tcp host 10.10.20.5 host 192.168.87.65 eq www
    160 deny ip 10.10.20.0 0.0.0.255 any
    180 permit tcp 10.10.30.0 0.0.0.255 host 192.168.87.65 eq www

And finally, we’ll delete a line without deleting the entire ACL.

router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
router(config)#ip access-list extended MYTESTACL
router(config-ext-nacl)#no 120 permit icmp 10.10.10.0 0.0.0.255 any      (**note the sequence number)

router#sh access-list MYTESTACL
Extended IP access list MYTESTACL
    100 permit ip 10.10.10.0 0.0.0.255 any
    140 permit tcp host 10.10.20.5 host 192.168.87.65 eq www
    160 deny ip 10.10.20.0 0.0.0.255 any
    180 permit tcp 10.10.30.0 0.0.0.255 host 192.168.87.65 eq www

Note that you don’t have to resequence your list every time you make a change.
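To make the first-match behavior behind these sequence numbers concrete, here is an added Python model of MYTESTACL (example code written for this post, not IOS and not the author’s): it supports insert-by-sequence, resequence, and delete just as the commands above do, and evaluates a packet the way the router would (ascending sequence order, first match wins, implicit deny at the end), so you can see that web traffic from host 10.10.20.5 is denied by line 30 until line 25 is inserted in front of it. Protocol and port handling is limited to what this ACL uses (ip/icmp/tcp, wildcard masks, host, any, eq www) and is an assumption of the model.

```python
import ipaddress

PORTS = {"www": 80}            # the only named port in the post's ACL
ANY = (0, 0xFFFFFFFF)          # net 0 with an all-ones wildcard matches everything
def _ip(s): return int(ipaddress.IPv4Address(s))

def _addr_spec(t, i):
    """Parse 'any' | 'host A.B.C.D' | 'NET WILDCARD' at t[i]; return ((net, wild), next_i)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2           # host == wildcard 0.0.0.0
    return (_ip(t[i]), _ip(t[i + 1])), i + 2

def _addr_match(spec, addr):
    net, wild = spec                                # wildcard bit 1 means "don't care"
    return (_ip(addr) | wild) == (net | wild)

def parse_entry(text):
    t = text.split()                                # action proto src dst [eq port]
    src, i = _addr_spec(t, 2)
    dst, i = _addr_spec(t, i)
    dport = (PORTS.get(t[i + 1]) or int(t[i + 1])) if i < len(t) and t[i] == "eq" else None
    return {"action": t[0], "proto": t[1], "src": src, "dst": dst, "dport": dport, "text": text}

class Acl:
    """Entries keyed by sequence number, evaluated in ascending order, first match wins."""
    def __init__(self):
        self.entries = {}
    def add(self, seq, text):                       # '<seq> permit ...' in ip access-list extended
        if seq in self.entries:                     # IOS rejects a sequence number already in use
            raise ValueError("Duplicate sequence number")
        self.entries[seq] = parse_entry(text)
    def remove(self, seq):                          # 'no <seq> ...'
        del self.entries[seq]
    def resequence(self, start, inc):               # 'ip access-list resequence NAME start inc'
        ordered = [self.entries[s] for s in sorted(self.entries)]
        self.entries = {start + n * inc: e for n, e in enumerate(ordered)}
    def show(self):                                 # what 'show access-list NAME' would list
        return [f"{s} {self.entries[s]['text']}" for s in sorted(self.entries)]
    def evaluate(self, proto, src, dst, dport=None):
        """(action, seq) of the first matching entry; ('deny', None) is the implicit deny."""
        for seq in sorted(self.entries):
            e = self.entries[seq]                   # 'ip' covers every IP protocol
            if e["proto"] not in ("ip", proto) or (e["dport"] is not None and e["dport"] != dport):
                continue
            if _addr_match(e["src"], src) and _addr_match(e["dst"], dst):
                return e["action"], seq
        return "deny", None
```

Running the post’s sequence through the model also shows that line 20 (permit icmp from 10.10.10.0/24) is shadowed by line 10 (permit ip from the same subnet), so deleting it changes nothing: that kind of dead entry is worth looking for when you audit an ACL.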
