IOS ACL Resequencing

This is one of those tricks you wish you had learned about 10 years ago, but never did. You know how easy it is to mess up a nice-looking access list. You get one set up on the router, and then you end up tinkering with it over the next month, and the next thing you know you have the ACL that fell out of the ugly tree and hit every branch on the way down. I have the same issue; actually, the other day I was working on some ACLs for a client's VPN configuration when I realized I had forgotten to include some entries. So after adding what I needed, I ended up with something like this… (IP addresses have obviously been changed to protect the innocent. OK, honestly, the whole example is just hogwash. I'm way too lazy to actually go look up the ACL I was working on.)

```text
Extended IP access list VPNc
    10 deny tcp any 10.23.4.224 0.0.0.7
    20 permit tcp 192.168.0.0 0.0.0.252 host 10.23.2.8 eq www
    25 permit tcp 192.168.0.0 0.0.0.252 host 10.23.2.9 eq www
    30 permit tcp 192.168.0.0 0.0.0.252 host 10.23.2.10 eq www
    35 permit tcp 192.168.0.0 0.0.0.252 host 10.23.2.11 eq www
    40 permit tcp 192.168.0.0 0.0.0.252 host 10.23.2.8 eq 443
    45 permit tcp 192.168.0.0 0.0.0.252 host 10.23.2.9 eq 443
    50 permit tcp 192.168.0.0 0.0.0.252 host 10.23.2.10 eq 443
    55 permit tcp 192.168.0.0 0.0.0.252 host 10.23.2.11 eq 443
    60 permit tcp 192.168.0.0 0.0.0.252 host 10.23.0.2 eq domain
    70 permit tcp 192.168.0.0 0.0.0.252 host 10.23.2.3 eq domain
    80 deny ip any any
```

While this is a mild example of how badly ACLs can get out of control, there is a simple solution. The ip access-list resequence command cleans up the access list and lets you choose the numbering of its statements: you give it a starting sequence number and an increment, and every entry is renumbered in its existing order. In the following example we start at 10 and increment by 10 for each entry.

```text
Router(config)#ip access-list resequence VPNc 10 10
Router(config)#end
Router#show ip access-lists VPNc
Extended IP access list VPNc
    10 deny tcp any 10.23.4.224 0.0.0.7
    20 permit tcp 192.168.0.0 0.0.0.252 host 10.23.0.8 eq www
    30 permit tcp 192.168.0.0 0.0.0.252 host 10.23.2.9 eq www
    40 permit tcp 192.168.0.0 0.0.0.252 host 10.23.0.10 eq www
    50 permit tcp 192.168.0.0 0.0.0.252 host 10.23.2.11 eq www
    60 permit tcp 192.168.0.0 0.0.0.252 host 10.23.0.8 eq 443
    70 permit tcp 192.168.0.0 0.0.0.252 host 10.23.2.9 eq 443
    80 permit tcp 192.168.0.0 0.0.0.252 host 10.23.0.10 eq 443
    90 permit tcp 192.168.0.0 0.0.0.252 host 10.23.2.11 eq 443
    100 permit tcp 192.168.0.0 0.0.0.252 host 10.23.0.2 eq domain
    110 permit tcp 192.168.0.0 0.0.0.252 host 10.23.0.3 eq domain
    120 deny ip any any
```

The same list could just as easily be renumbered starting at 100 and incrementing by 10 on each line:

```text
Router(config)#ip access-list resequence VPNc 100 10
Router(config)#end
Router#show access-list VPNc
Extended IP access list VPNc
    100 deny tcp any 10.23.4.224 0.0.0.7
    110 permit tcp 192.168.0.0 0.0.0.252 host 10.23.0.8 eq www
    120 permit tcp 192.168.0.0 0.0.0.252 host 10.23.2.9 eq www
    130 permit tcp 192.168.0.0 0.0.0.252 host 10.23.0.10 eq www
    140 permit tcp 192.168.0.0 0.0.0.252 host 10.23.2.11 eq www
    150 permit tcp 192.168.0.0 0.0.0.252 host 10.23.0.8 eq 443
    160 permit tcp 192.168.0.0 0.0.0.252 host 10.23.2.9 eq 443
    170 permit tcp 192.168.0.0 0.0.0.252 host 10.23.0.10 eq 443
    180 permit tcp 192.168.0.0 0.0.0.252 host 10.23.2.11 eq 443
    190 permit tcp 192.168.0.0 0.0.0.252 host 10.23.0.2 eq domain
    200 permit tcp 192.168.0.0 0.0.0.252 host 10.23.0.3 eq domain
    210 deny ip any any
```
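Resequencing is supposed to change nothing but the sequence numbers, and on a firewall-style ACL that is worth checking rather than assuming. The following Python script is an added example, not code from the original post or from Cisco: it parses captured `show ip access-lists` output, models what `ip access-list resequence NAME START STEP` does (same order, same rule text, new numbers), verifies a before/after capture for drift, and reports adjacent entries with no free number between them, which is the situation that forces a resequence in the first place. The sample listing is the post's first ACL with two constructed match counters added, since real output carries them; the `Ace` class and all function names are this example's own.

```python
"""Added example (not from the original post): model what
`ip access-list resequence NAME START STEP` does and verify a before/after capture.

Assumption (not stated on the page): the `show ip access-lists` text is captured
verbatim, and only the sequence numbers are expected to change.
"""
import re
from dataclasses import dataclass

# Constructed sample: the post's "before" listing, with match counters added on
# two lines because real `show ip access-lists` output carries them.
BEFORE = """\
Extended IP access list VPNc
    10 deny tcp any 10.23.4.224 0.0.0.7 (42 matches)
    20 permit tcp 192.168.0.0 0.0.0.252 host 10.23.2.8 eq www
    25 permit tcp 192.168.0.0 0.0.0.252 host 10.23.2.9 eq www
    30 permit tcp 192.168.0.0 0.0.0.252 host 10.23.2.10 eq www
    35 permit tcp 192.168.0.0 0.0.0.252 host 10.23.2.11 eq www
    40 permit tcp 192.168.0.0 0.0.0.252 host 10.23.2.8 eq 443
    45 permit tcp 192.168.0.0 0.0.0.252 host 10.23.2.9 eq 443
    50 permit tcp 192.168.0.0 0.0.0.252 host 10.23.2.10 eq 443
    55 permit tcp 192.168.0.0 0.0.0.252 host 10.23.2.11 eq 443
    60 permit tcp 192.168.0.0 0.0.0.252 host 10.23.0.2 eq domain
    70 permit tcp 192.168.0.0 0.0.0.252 host 10.23.2.3 eq domain
    80 deny ip any any (1 match)
"""

MAX_SEQ = 2147483647  # largest ACE sequence number IOS accepts

# "<seq> <rule text>" with an optional trailing "(N matches)" hit counter
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(.+?)(?:\s+\(\d+ match(?:es)?\))?\s*$")


@dataclass(frozen=True)
class Ace:
    """One access-control entry: its sequence number and its rule text."""
    seq: int
    rule: str


def parse_show_acl(text: str) -> list[Ace]:
    """Pull (sequence, rule) pairs out of `show ip access-lists` output.
    Header and prompt lines do not start with a number and are skipped;
    hit counters are stripped so rule text compares cleanly across captures."""
    return [Ace(int(m.group(1)), m.group(2))
            for m in (ENTRY_RE.match(ln) for ln in text.splitlines()) if m]


def resequence(entries: list[Ace], start: int, step: int) -> list[Ace]:
    """Renumber like the IOS command: order and rule text are preserved,
    only the sequence numbers change. Refuses parameters IOS would reject."""
    if start < 1 or step < 1:
        raise ValueError("start and step must be positive")
    if entries and start + step * (len(entries) - 1) > MAX_SEQ:
        raise ValueError("last sequence number would exceed %d" % MAX_SEQ)
    return [Ace(start + i * step, e.rule) for i, e in enumerate(entries)]


def same_rules(before: list[Ace], after: list[Ace]) -> bool:
    """Post-change check: the ordered rule text must be identical, so a
    resequence that dropped, reordered or altered an ACE is caught."""
    return [e.rule for e in before] == [e.rule for e in after]


def no_room_between(entries: list[Ace]) -> list[tuple[int, int]]:
    """Adjacent pairs with no free sequence number between them: the spots
    where a new ACE cannot be inserted without resequencing first."""
    return [(a.seq, b.seq) for a, b in zip(entries, entries[1:]) if b.seq - a.seq < 2]


def render_config(name: str, entries: list[Ace]) -> str:
    """Emit a named-ACL config stanza; IOS accepts explicit sequence numbers
    on input, so this is what you would paste to rebuild the list."""
    return "\n".join(["ip access-list extended %s" % name]
                     + [" %d %s" % (e.seq, e.rule) for e in entries])


if __name__ == "__main__":
    acl = parse_show_acl(BEFORE)
    renumbered = resequence(acl, 10, 10)
    assert same_rules(acl, renumbered)
    print("ip access-list resequence VPNc 10 10")
    print(render_config("VPNc", renumbered))
    print("tight gaps before resequencing:", no_room_between(acl))
```

In practice you capture `show ip access-lists NAME` before and after the resequence, feed both captures to `parse_show_acl`, and treat a `same_rules` failure as a reason to inspect the list before traffic depends on it. Remarks are not part of `show ip access-lists` output, so this check says nothing about the remark-position issue noted in the update; that has to be reviewed in the running-config.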

Simple? Yes! Helpful? I hope so. I know it has saved me from pulling my hair out and having to copy/paste ACLs into Vi time and time again. As usual, feel free to leave a comment with any questions or concerns and I'll get back to you ASAP.

Update – One thing I have noticed is that, under some circumstances, resequencing can mess up the positioning of ACL remarks.
