Friday, June 10, 2011

Cisco Access List Sequencing

How many times have you needed to add a line to an access list on a production device, but when you add the line it goes to the bottom and you need it higher in the access list sequence to work properly?

Access lists are processed from the top down. Let's say you are using access list 199 in the example below:

access-list 199 deny   ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 199 deny   ip 192.168.1.0 0.0.0.255 host 192.168.10.1
access-list 199 deny   ip 192.168.1.0 0.0.0.255 host 192.168.10.2
access-list 199 permit ip 192.168.1.0 0.0.0.255 any

You would like to add a line to the access list that will deny access to the 192.168.10.3 host. You enter this line in your config:

access-list 199 deny   ip 192.168.1.0 0.0.0.255 host 192.168.10.3

When you do a show run the access-list looks like this:

access-list 199 deny   ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 199 deny   ip 192.168.1.0 0.0.0.255 host 192.168.10.1
access-list 199 deny   ip 192.168.1.0 0.0.0.255 host 192.168.10.2
access-list 199 permit ip 192.168.1.0 0.0.0.255 any
access-list 199 deny   ip 192.168.1.0 0.0.0.255 host 192.168.10.3

Since the access list processes from the top down and stops on the first match, you can see that your new entry will never apply: the traffic matches the permit line first, so the new deny line is never reached.

This is a production device and, more specifically, this access list is used as part of your VPN configuration. That means creating a new access list such as access list 200 and switching over to it will break your connection. So how do we re-order the access list so we can get a new rule in there without breaking our connection?

Here you go:

1. Type "show access-list 199". You will get something like this:

Router1#show access-lists 199
Extended IP access list 199
    10 deny ip 192.168.1.0 0.0.0.255 10.16.0.0 0.0.255.255 (2510369 matches)
    20 deny ip 192.168.1.0 0.0.0.255 host 192.168.18.1
    30 deny ip 192.168.1.0 0.0.0.255 host 192.168.18.2 (53699 matches)
    40 permit ip 192.168.1.0 0.0.0.255 any (7340 matches)
    50 deny ip 192.168.1.0 0.0.0.255 host 192.168.18.3 (6 matches)

The word "Extended" on the first line of the output is what we are looking for: this is an "extended" access list. You may also see "standard" here. This matters when it comes to the syntax for typing our new rules in.

The numbers at the start of each entry (10, 20, 30, ...) are sequence numbers. There are commands you can issue to change these numbers beginning in IOS 12.2(15)T and 12.3(2)T, but you can typically get the job done without re-sequencing.

*************NOTE*************
As a side note, if your IOS is recent enough you can re-sequence with the command "ip access-list resequence (access-list name) (starting number) (increment)". For example:
 "ip access-list resequence 199 10 2"

If I had run the resequence first, you would see output like this:

Router1#show access-lists 199
Extended IP access list 199
    10 deny ip 192.168.1.0 0.0.0.255 10.16.0.0 0.0.255.255 (2510369 matches)
    12 deny ip 192.168.1.0 0.0.0.255 host 192.168.18.1
    14 deny ip 192.168.1.0 0.0.0.255 host 192.168.18.2 (53699 matches)
    16 permit ip 192.168.1.0 0.0.0.255 any (7340 matches)
    18 deny ip 192.168.1.0 0.0.0.255 host 192.168.18.3 (6 matches)

Notice our sequence started with 10 and incremented by 2, just like our command said. In the real world I would leave more space. By default Cisco starts with 10 and increments by 10.
******************************

Now, back on track.

2. Go into "configure terminal" mode and type "ip access-list extended 199".

*****NOTE*****
If the previous show command said "Standard" instead of "Extended", substitute the word "extended" with the word "standard". The syntax in the next step depends on which type you are using. Most of the time you see extended access lists, so that is the example I am going to walk you through.
***************
If you did everything right you should have a prompt that looks something like this:

Router1(config-ext-nacl)#

3. Enter your new rule with a sequence number in front of it. For example:

"35 deny ip 192.168.1.0 0.0.0.255 host 192.168.18.3"

Based on our original access list (before the re-sequence example), entering "35" as the sequence number gives you an access list that looks like this:

Router1#show access-lists 199
Extended IP access list 199
    10 deny ip 192.168.1.0 0.0.0.255 10.16.0.0 0.0.255.255 (2510369 matches)
    20 deny ip 192.168.1.0 0.0.0.255 host 192.168.18.1
    30 deny ip 192.168.1.0 0.0.0.255 host 192.168.18.2 (53699 matches)
    35 deny ip 192.168.1.0 0.0.0.255 host 192.168.18.3 (6 matches)
    40 permit ip 192.168.1.0 0.0.0.255 any (7340 matches)

Notice the new rule is now on sequence 35 and your rule will apply! If you do a "show run" it will look like this:

access-list 199 deny   ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 199 deny   ip 192.168.1.0 0.0.0.255 host 192.168.10.1
access-list 199 deny   ip 192.168.1.0 0.0.0.255 host 192.168.10.2
access-list 199 deny   ip 192.168.1.0 0.0.0.255 host 192.168.10.3
access-list 199 permit ip 192.168.1.0 0.0.0.255 any
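As an added illustration (not part of the original post, and not Cisco code), here is a small Python simulation of the first-match rule described above: the deny entry appended at sequence 50 is shadowed by the permit at 40, while the same entry inserted at sequence 35 is reached. The addresses are taken from the post's show run output, and resequence() mimics the "ip access-list resequence" command from the note above.

```python
import ipaddress

# Constructed entries modelled on the post's access list 199, keyed by the
# sequence numbers "show access-lists" displays (added simulation, not Cisco code).
ORIGINAL_ACL = [
    (10, "deny",   "192.168.1.0 0.0.0.255", "172.16.0.0 0.0.255.255"),
    (20, "deny",   "192.168.1.0 0.0.0.255", "host 192.168.10.1"),
    (30, "deny",   "192.168.1.0 0.0.0.255", "host 192.168.10.2"),
    (40, "permit", "192.168.1.0 0.0.0.255", "any"),
]
NEW_DENY = ("deny", "192.168.1.0 0.0.0.255", "host 192.168.10.3")
APPENDED_ACL = ORIGINAL_ACL + [(50, *NEW_DENY)]   # plain "access-list 199 ..." append
INSERTED_ACL = ORIGINAL_ACL + [(35, *NEW_DENY)]   # "35 deny ..." in ip access-list mode

def matches(spec, addr):
    """One IOS address spec: 'any', 'host A.B.C.D' or 'network wildcard'."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ipaddress.ip_address(spec[5:]) == addr
    net, wild = (int(ipaddress.ip_address(p)) for p in spec.split())
    # Wildcard bit 1 = don't care, 0 = the bit must match the network exactly.
    return ((int(addr) ^ net) & ~wild & 0xFFFFFFFF) == 0

def evaluate(acl, src, dst):
    """Top-down, first-match evaluation in sequence order.
    Returns (sequence, action); the implicit deny at the end reports sequence None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq, action, s_spec, d_spec in sorted(acl, key=lambda e: e[0]):
        if matches(s_spec, src) and matches(d_spec, dst):
            return seq, action
    return None, "deny"

def resequence(acl, start=10, step=10):
    """Renumber entries in their current order, like 'ip access-list resequence'."""
    ordered = sorted(acl, key=lambda e: e[0])
    return [(start + i * step, *e[1:]) for i, e in enumerate(ordered)]

if __name__ == "__main__":
    pkt = ("192.168.1.25", "192.168.10.3")
    print("appended :", evaluate(APPENDED_ACL, *pkt))   # (40, 'permit'): entry 50 is never reached
    print("inserted :", evaluate(INSERTED_ACL, *pkt))   # (35, 'deny')
    for seq, action, s, d in resequence(INSERTED_ACL, 10, 2):
        print(f"{seq:>3} {action} ip {s} {d}")
```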

*****NOTE*****
As long as you still have the access-list editing prompt, i.e. Router1(config-ext-nacl)#, you are editing access list 199 and can use the "no" command to remove lines by sequence number. For example:

"no 35 deny ip 192.168.1.0 0.0.0.255 host 192.168.18.3" would remove our new line. Please BE CAREFUL: if you are not in the access list prompt and you type:

"no access-list 199 deny   ip 192.168.1.0 0.0.0.255 host 192.168.10.3" you will remove the entire access list 199!
**************

Now you know how to re-sequence your access lists without bringing anything down.
