IOS ACL Resequencing
- Tony Mattke
- Cisco
- November 23, 2009
This is one of those tricks you wish you had learned about 10 years ago, but never did. You know how easy it is to mess up a nice-looking access list. You get one set up on the router, then you end up tinkering with it over the next month, and the next thing you know you have the ACL that fell out of the ugly tree and hit every branch on the way down. I have the same issue; actually, the other day I was working on some ACLs for a client's VPN configuration when I realized I had forgotten to include some entries. So after adding what I needed, I ended up with something like this… (IP addresses have obviously been changed to protect the innocent. OK, honestly, the whole example is just hogwash. I'm way too lazy to actually go look up the ACL I was working on.)
Extended IP access list VPNc
    10 deny tcp any 10.23.4.224 0.0.0.7
    20 permit tcp 192.168.0.0 0.0.0.252 host 10.23.2.8 eq www
    25 permit tcp 192.168.0.0 0.0.0.252 host 10.23.2.9 eq www
    30 permit tcp 192.168.0.0 0.0.0.252 host 10.23.2.10 eq www
    35 permit tcp 192.168.0.0 0.0.0.252 host 10.23.2.11 eq www
    40 permit tcp 192.168.0.0 0.0.0.252 host 10.23.2.8 eq 443
    45 permit tcp 192.168.0.0 0.0.0.252 host 10.23.2.9 eq 443
    50 permit tcp 192.168.0.0 0.0.0.252 host 10.23.2.10 eq 443
    55 permit tcp 192.168.0.0 0.0.0.252 host 10.23.2.11 eq 443
    60 permit tcp 192.168.0.0 0.0.0.252 host 10.23.0.2 eq domain
    70 permit tcp 192.168.0.0 0.0.0.252 host 10.23.2.3 eq domain
    80 deny ip any any
While this is a mild example of how badly ACLs can get out of control, there is a simple solution. The ip access-list resequence command renumbers every entry of an access list in place, letting you choose the starting sequence number and the increment between statements; the entries themselves and their order are untouched. In the following example we start at 10 and increment by 10 for each entry.
Router(config)#ip access-list resequence VPNc 10 10
Router(config)#end
Router#show ip access-lists VPNc
Extended IP access list VPNc
    10 deny tcp any 10.23.4.224 0.0.0.7
    20 permit tcp 192.168.0.0 0.0.0.252 host 10.23.0.8 eq www
    30 permit tcp 192.168.0.0 0.0.0.252 host 10.23.2.9 eq www
    40 permit tcp 192.168.0.0 0.0.0.252 host 10.23.0.10 eq www
    50 permit tcp 192.168.0.0 0.0.0.252 host 10.23.2.11 eq www
    60 permit tcp 192.168.0.0 0.0.0.252 host 10.23.0.8 eq 443
    70 permit tcp 192.168.0.0 0.0.0.252 host 10.23.2.9 eq 443
    80 permit tcp 192.168.0.0 0.0.0.252 host 10.23.0.10 eq 443
    90 permit tcp 192.168.0.0 0.0.0.252 host 10.23.2.11 eq 443
    100 permit tcp 192.168.0.0 0.0.0.252 host 10.23.0.2 eq domain
    110 permit tcp 192.168.0.0 0.0.0.252 host 10.23.0.3 eq domain
    120 deny ip any any
The same list could just as easily be renumbered starting at 100 and incrementing by 10 on each line, like so.
Router(config)#ip access-list resequence VPNc 100 10
Router(config)#end
Router#show access-list VPNc
Extended IP access list VPNc
    100 deny tcp any 10.23.4.224 0.0.0.7
    110 permit tcp 192.168.0.0 0.0.0.252 host 10.23.0.8 eq www
    120 permit tcp 192.168.0.0 0.0.0.252 host 10.23.2.9 eq www
    130 permit tcp 192.168.0.0 0.0.0.252 host 10.23.0.10 eq www
    140 permit tcp 192.168.0.0 0.0.0.252 host 10.23.2.11 eq www
    150 permit tcp 192.168.0.0 0.0.0.252 host 10.23.0.8 eq 443
    160 permit tcp 192.168.0.0 0.0.0.252 host 10.23.2.9 eq 443
    170 permit tcp 192.168.0.0 0.0.0.252 host 10.23.0.10 eq 443
    180 permit tcp 192.168.0.0 0.0.0.252 host 10.23.2.11 eq 443
    190 permit tcp 192.168.0.0 0.0.0.252 host 10.23.0.2 eq domain
    200 permit tcp 192.168.0.0 0.0.0.252 host 10.23.0.3 eq domain
    210 deny ip any any
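Because resequencing is supposed to change nothing but the numbers, it is worth confirming that the list you get back from the router really is the old list with new numbers before you trust the change. The script below is an added example, not part of the original post and not a Cisco tool: it parses "show ip access-lists" output, models what ip access-list resequence <name> <start> <increment> does, and diffs the router's post-resequence listing against that model so that any entry that moved, changed or went missing is reported. The BEFORE and AFTER listings, the addresses in them and the hit counters are constructed sample data.

```python
import re
from typing import List, Tuple

Entry = Tuple[int, str]  # (sequence number, access-list entry text)

# Constructed "show ip access-lists" output before resequencing (hypothetical
# addresses). IOS appends "(N matches)" to entries that have counted hits,
# so the sample includes a few to make sure the parser ignores them.
BEFORE = """\
Extended IP access list VPNc
    10 deny tcp any 10.23.4.224 0.0.0.7 (12 matches)
    20 permit tcp 192.168.0.0 0.0.0.252 host 10.23.2.8 eq www
    25 permit tcp 192.168.0.0 0.0.0.252 host 10.23.2.9 eq www (3 matches)
    30 permit tcp 192.168.0.0 0.0.0.252 host 10.23.2.8 eq 443
    60 permit tcp 192.168.0.0 0.0.0.252 host 10.23.0.2 eq domain
    80 deny ip any any (5 matches)
"""

# Constructed listing of the same ACL after "ip access-list resequence VPNc 10 10".
AFTER = """\
Extended IP access list VPNc
    10 deny tcp any 10.23.4.224 0.0.0.7 (12 matches)
    20 permit tcp 192.168.0.0 0.0.0.252 host 10.23.2.8 eq www
    30 permit tcp 192.168.0.0 0.0.0.252 host 10.23.2.9 eq www (3 matches)
    40 permit tcp 192.168.0.0 0.0.0.252 host 10.23.2.8 eq 443
    50 permit tcp 192.168.0.0 0.0.0.252 host 10.23.0.2 eq domain
    60 deny ip any any (5 matches)
"""

HEADER_RE = re.compile(r"^(?:Extended|Standard) IP access list (\S+)\s*$")
# Lazy group keeps the entry text; the optional tail swallows "(N matches)".
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(.*?)(?:\s+\(\d+ match(?:es)?\))?\s*$")
MAX_SEQ = 2147483647  # largest sequence number IOS accepts for an ACL entry


def parse_acl(text: str) -> Tuple[str, List[Entry]]:
    """Parse one ACL from 'show ip access-lists' output into (name, entries).

    Hit counters are stripped so they never show up as policy differences.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty ACL listing")
    header = HEADER_RE.match(lines[0])
    if not header:
        raise ValueError(f"not an ACL header: {lines[0]!r}")
    entries: List[Entry] = []
    for line in lines[1:]:
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unparsed ACL line: {line!r}")
        entries.append((int(m.group(1)), m.group(2)))
    return header.group(1), entries


def resequence(entries: List[Entry], start: int, increment: int) -> List[Entry]:
    """Offline model of 'ip access-list resequence <name> <start> <increment>':
    keep the entries and their order, renumber as start, start+inc, start+2*inc, ...
    """
    if start < 1 or increment < 1:
        raise ValueError("start and increment must both be >= 1")
    last = start + increment * (len(entries) - 1)
    if last > MAX_SEQ:
        raise ValueError(f"last sequence number {last} would exceed {MAX_SEQ}")
    return [(start + i * increment, ace) for i, (_, ace) in enumerate(entries)]


def resequence_command(name: str, start: int, increment: int) -> str:
    """The exact config-mode line to send to the router."""
    return f"ip access-list resequence {name} {start} {increment}"


def verify_resequence(before_text: str, after_text: str,
                      start: int, increment: int) -> List[str]:
    """Diff the router's post-resequence listing against the model.

    Returns a list of human-readable problems; an empty list means the new
    listing is exactly the old entries, in the old order, with the expected numbers.
    """
    name_before, before = parse_acl(before_text)
    name_after, after = parse_acl(after_text)
    problems: List[str] = []
    if name_after != name_before:
        problems.append(f"ACL name changed: {name_before} -> {name_after}")
    expected = resequence(before, start, increment)
    if len(after) != len(expected):
        problems.append(f"entry count changed: {len(expected)} -> {len(after)}")
    for (exp_seq, exp_ace), (got_seq, got_ace) in zip(expected, after):
        if exp_ace != got_ace:
            problems.append(f"seq {exp_seq}: expected {exp_ace!r}, got {got_ace!r}")
        elif exp_seq != got_seq:
            problems.append(f"{exp_ace!r}: expected seq {exp_seq}, got {got_seq}")
    return problems


if __name__ == "__main__":
    print(resequence_command("VPNc", 10, 10))
    issues = verify_resequence(BEFORE, AFTER, 10, 10)
    print("resequence verified" if not issues else "\n".join(issues))
```

Paste the router's pre-change and post-change listings into BEFORE and AFTER (or read them from captured session logs) and run the script; a non-empty problem list means the list you have now is not the list you had before. Note that "show ip access-lists" does not print remark lines, so this check cannot see the remark-placement issue mentioned in the update below; for that, compare the ACL stanza in "show running-config" before and after.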
Simple? Yes! Helpful? I hope so. I know it has saved me from pulling my hair out and having to copy/paste ACLs into Vi time and time again. As usual, feel free to leave a comment with any questions or concerns and I'll get back to you ASAP.
Update – One thing I have noticed with this is that it can mess up the positioning of ACL remarks under some circumstances.