Thursday, October 22, 2009

Tip-of-day: ip access-list resequence

Hi all,

Today's trick is access-list resequencing.

Consider an access-list with ugly sequence numbers, maybe the result of several configuration changes, e.g.:


R6# sh access-lists
Extended IP access list test
1 permit tcp any any eq www
2 permit tcp any any eq 443
3 permit tcp any any eq domain
4 permit tcp 172.16.0.0 0.0.255.255 any eq telnet
5 permit tcp 172.16.0.0 0.0.255.255 any eq ssh
6 deny ip any any

R6#sh run | sec access-list
ip access-list extended test
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq domain
permit tcp 172.16.0.0 0.0.255.255 any eq telnet
permit tcp 172.16.0.0 0.0.255.255 any eq 22
deny ip any any


If I have to modify it, the "old times" method was to remove the ACL from the interfaces, delete it, recreate it and then reapply it to the interfaces ... but this is an extended ACL, so you can insert and modify statements, since they have sequence numbers.

In this case, as you can see, there's no space between the sequence numbers, so today's trick is to resequence the ACL with the "ip access-list resequence" command (see "Refining an IP Access List").

Let's try it:

R6#sh access-lists
Extended IP access list test
1 permit tcp any any eq www
2 permit tcp any any eq 443
3 permit tcp any any eq domain
4 permit tcp 172.16.0.0 0.0.255.255 any eq telnet (394 matches)
5 permit tcp 172.16.0.0 0.0.255.255 any eq 22
6 deny ip any any (24 matches)

R6# conf t
R6(config)#ip access-list resequence test ?
<1-2147483647> Starting Sequence Number

R6(config)#ip access-list resequence test 10 ?
<1-2147483647> Step to increment the sequence number

R6(config)#ip access-list resequence test 10 10 ?
<cr>

R6(config)#ip access-list resequence test 10 10
R6(config)#do sh ip access-lists test
Extended IP access list test
10 permit tcp any any eq www
20 permit tcp any any eq 443
30 permit tcp any any eq domain
40 permit tcp 172.16.0.0 0.0.255.255 any eq telnet (496 matches)
50 permit tcp 172.16.0.0 0.0.255.255 any eq 22
60 deny ip any any (24 matches)
R6(config)#


et voilà, the named access-list is ready to be modified ;-)
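As an added example (not from the original post and not Cisco code), here is a small Python check that parses `show access-lists` output, flags ACLs whose sequence numbers leave no room for insertions, and computes the numbering that `ip access-list resequence NAME start step` produces; the sample output is constructed from the R6 session above, and `insert_ace` is a hypothetical helper that mimics adding an entry at an explicit sequence number.

```python
import re

# Constructed sample, modelled on the R6 output in the post (not captured from a device).
SHOW_ACCESS_LISTS = """\
Extended IP access list test
    1 permit tcp any any eq www
    2 permit tcp any any eq 443
    3 permit tcp any any eq domain
    4 permit tcp 172.16.0.0 0.0.255.255 any eq telnet (394 matches)
    5 permit tcp 172.16.0.0 0.0.255.255 any eq 22
    6 deny ip any any (24 matches)
"""

HEADER_RE = re.compile(r"^(?:Standard|Extended) IP access list (\S+)$")
# sequence number, ACE text, optional "(N matches)" counter which is dropped
ACE_RE = re.compile(r"^\s*(\d+) (.*?)(?: \(\d+ matches\))?$")

def parse_show_access_lists(text):
    """Return {acl_name: [(seq, ace), ...]} in display (evaluation) order."""
    acls, current = {}, None
    for line in text.splitlines():
        header = HEADER_RE.match(line.strip())
        if header:
            current = header.group(1)
            acls[current] = []
        elif current is not None and (ace := ACE_RE.match(line)):
            acls[current].append((int(ace.group(1)), ace.group(2)))
    return acls

def min_gap(entries):
    """Smallest distance between consecutive sequence numbers (0 for a single ACE)."""
    seqs = [s for s, _ in entries]
    return min((b - a for a, b in zip(seqs, seqs[1:])), default=0)

def needs_resequence(entries):
    """True when nothing can be inserted between some pair of adjacent ACEs."""
    return min_gap(entries) <= 1

def resequence(entries, start=10, step=10):
    """Mimic `ip access-list resequence NAME start step`: renumber, keep order and text."""
    if start < 1 or step < 1:
        raise ValueError("start and step must be >= 1")
    return [(start + i * step, ace) for i, (_, ace) in enumerate(entries)]

def insert_ace(entries, seq, ace):
    """Hypothetical helper: add an ACE at an explicit sequence number, keeping order."""
    if any(s == seq for s, _ in entries):
        raise ValueError(f"sequence {seq} already in use")
    return sorted(entries + [(seq, ace)], key=lambda e: e[0])
```

Running `needs_resequence` over the parsed ACLs of a `show access-lists` dump is a quick way to spot lists that will force a delete-and-recreate when the next change comes.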

Marco

2 comments:

Oliver said...

How many of these do you knoooow ;) ? I'd never heard you could do this stuff!

Marco Rizzi said...

;-) ... and I have other very strong ones in store! As Elio used to say.. ;-)))