ISCW Notes – Access List Resequencing

November 8, 2009
By Aaron Conaway

I don’t know if this really pertains to the ISCW test per se, but this is something I learned in my class last week.  I’m sure I should have learned this years ago, but, alas, I didn’t.

Access lists get messy.  You build one, apply it to an interface, and think all is well.  Then someone asks for more access, so you have to insert new entries between existing lines.  Your security team may ask you to deny access from one host while allowing it from others.  The next thing you know, your ACL looks something like this.

Router#sh access-lists
Extended IP access list MyACL
5 deny tcp host 192.168.0.38 any eq www
6 deny tcp host 192.168.0.39 any eq www
10 permit tcp 192.168.0.0 0.0.0.255 any eq www
15 deny tcp host 192.168.0.39 any eq 443
17 deny tcp host 192.168.0.85 any eq 443
20 permit tcp 192.168.0.0 0.0.0.255 any eq 443
30 deny ip any any log

That looks horrible, doesn’t it?  The sequence numbers are all out of whack, and you may run out of headroom if you have to insert more lines.  To quickly clean up your ACL, you can run the ip access-list resequence command.

Router(config)#ip access-list resequence MyACL 10 10

This command takes our example ACL and resequences it starting at 10, incrementing by 10 for each line.  You can start at any number you want (within reason) and use any increment (within reason again).  Using 10 and 10 seems pretty universal, so once you run that command, your ACL looks like this.

Router#sh access-list
Extended IP access list MyACL
10 deny tcp host 192.168.0.38 any eq www
20 deny tcp host 192.168.0.39 any eq www
30 permit tcp 192.168.0.0 0.0.0.255 any eq www
40 deny tcp host 192.168.0.39 any eq 443
50 deny tcp host 192.168.0.85 any eq 443
60 permit tcp 192.168.0.0 0.0.0.255 any eq 443
70 deny ip any any log
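If you want to check what resequencing will do before running it on a production router, the following added Python script (not Cisco code, and not from the original post) parses show access-lists output, applies the same start/increment renumbering the command does, and verifies that every entry survives in the same relative order.  The sample output and the MAX_SEQ upper bound are assumptions constructed for this example.

```python
import re

# Constructed sample mirroring the messy ACL above; the last line carries a
# hit counter the way real "show access-lists" output does.
SHOW_ACL_BEFORE = """\
Extended IP access list MyACL
5 deny tcp host 192.168.0.38 any eq www
6 deny tcp host 192.168.0.39 any eq www
10 permit tcp 192.168.0.0 0.0.0.255 any eq www
15 deny tcp host 192.168.0.39 any eq 443
17 deny tcp host 192.168.0.85 any eq 443
20 permit tcp 192.168.0.0 0.0.0.255 any eq 443
30 deny ip any any log (12 matches)
"""

MAX_SEQ = 2147483647  # assumed largest sequence number the CLI accepts

HEADER_RE = re.compile(r"^\s*(?:Standard|Extended) IP access list (\S+)")
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(.*?)(?:\s+\(\d+ matches?\))?\s*$")


def parse_acl(text):
    """Return (acl_name, [(seq, ace_text), ...]) from show output."""
    name, entries = None, []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            name = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return name, entries


def resequence(entries, start=10, increment=10):
    """Mimic 'ip access-list resequence <name> <start> <increment>'."""
    if start < 1 or increment < 1:
        raise ValueError("start and increment must be at least 1")
    last = start + increment * (len(entries) - 1)
    if last > MAX_SEQ:
        raise ValueError(f"last sequence {last} would exceed {MAX_SEQ}")
    # Only the numbers change; ACE text and order are untouched.
    return [(start + i * increment, ace) for i, (_, ace) in enumerate(entries)]


def verify(before, after):
    """True if every ACE is still present, in the same relative order."""
    return [ace for _, ace in before] == [ace for _, ace in after]


def render(name, entries):
    """Rebuild the show-style listing for side-by-side comparison."""
    return "\n".join([f"Extended IP access list {name}"]
                     + [f"{seq} {ace}" for seq, ace in entries])
```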

Cool, eh?  I think I’ll spend the week doing this to all our routers at work.

Send any holiday turkeys questions my way.

Aaron Conaway


4 Responses to ISCW Notes – Access List Resequencing

  1. [...] Aaron’s Worthless Words » Blog Archive » ISCW Notes – Access List Resequencing – This is why I read blogs. It helps to learn things that you don’t otherwise find out about. Aaron talks about the ACL renumbering with an IOS CLI trick. [...]

  2. Tom on November 12, 2009 at 09:31

    One other note when using the resequencing – it can sometimes mess up the positioning of ACL remarks. With long ACLs, this can be a headache. It is a great option, though.

  3. Doug Kenline on December 25, 2009 at 23:30

    Right on. Thanks.

  4. Rofi Neron on December 28, 2009 at 11:25

    This is the Cisco page with all the options:
    http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/fsaclseq.html
