Introduction

This FAQ discusses some options for modifying an existing ACL on a router, and specifically for inserting lines into an existing ACL. Though the term router is used, the concept applies to any Cisco IOS-based platform, including switches and APs (Access Points). To some extent, the concept also applies to Cisco firewalls (PIX and ASA) and Nexus switches running NX-OS.

Most CCNA books say that modifying an existing ACL or inserting lines into an existing ACL can't be done... well, that shows you shouldn't believe everything you read :)

Option 1: IOS image supports ACL line number

If the IOS image running on the router supports ACL line numbers, the following is the procedure to use.

First, run show access-list at the exec prompt and note the line numbering in the access list you want to modify, e.g.:
extended IP access-list 115
   10 access-list 115 deny ip host 222.222.222.222 any
   20 access-list 115 permit ip any any
 

Then enter config mode and insert the line you want to add, prefixing it with the sequence number that positions it where you want in the list (substitute standard for extended in the example below if you are working with a standard ACL):

conf ter
ip access-list extended 115 
15 deny ip host 111.111.111.111 any
end
 

If you repeat show access-list, you should find the deny exactly where you want it ;)

extended IP access-list 115
   10 access-list 115 deny ip host 222.222.222.222 any
   15 access-list 115 deny ip host 111.111.111.111 any
   20 access-list 115 permit ip any any
 

Below is a full example with a named extended ACL:

router#show access-list
Extended IP access list to-internet
   10 deny udp any any eq netbios-dgm (17226 matches)
   20 deny udp any any eq netbios-ns (6648 matches)
   30 deny udp any any eq netbios-ss
   40 deny tcp any any eq 137
   50 deny tcp any any eq 138
   60 deny tcp any any eq 139
   70 deny udp any any eq 445
   80 deny tcp any any eq 445
   90 deny udp any any eq 593
   100 deny tcp any any eq 593
   110 permit ip any any (152039 matches)
router#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#ip access-list ext to-internet
router(config-ext-nacl)#25 permit ip any host 1.1.1.1
router(config-ext-nacl)#exit
router(config)#exit
router#
router#show access-list
Extended IP access list to-internet
   10 deny udp any any eq netbios-dgm (17226 matches)
   20 deny udp any any eq netbios-ns (6648 matches)
   25 permit ip any host 1.1.1.1
   30 deny udp any any eq netbios-ss
   40 deny tcp any any eq 137
   50 deny tcp any any eq 138
   60 deny tcp any any eq 139
   70 deny udp any any eq 445
   80 deny tcp any any eq 445
   90 deny udp any any eq 593
   100 deny tcp any any eq 593
   110 permit ip any any (152039 matches)
 

The suggested next step is to renumber the access list starting from 10 in steps of 10, using the following command:

router#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#ip access-list resequence to-internet 10 10
router(config)#exit
router#
router#show access-list
Extended IP access list to-internet
   10 deny udp any any eq netbios-dgm (17226 matches)
   20 deny udp any any eq netbios-ns (6648 matches)
   30 permit ip any host 1.1.1.1
   40 deny udp any any eq netbios-ss
   50 deny tcp any any eq 137
   60 deny tcp any any eq 138
   70 deny tcp any any eq 139
   80 deny udp any any eq 445
   90 deny tcp any any eq 445
   100 deny udp any any eq 593
   110 deny tcp any any eq 593
   120 permit ip any any (152039 matches)
 

This method has been tested on both IOS 12.3 and 12.4 and works with standard, extended, numbered and named ACLs.

Note that on older IOS image versions you may have to issue the service linenumber command to activate ACL line numbering. On newer IOS image versions this is already enabled by default, so there is no need to issue the command.
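The following Python model is an added example, not code from the FAQ or from Cisco: it parses the kind of show access-list output shown above, places a new entry by its sequence number the way the ip access-list submode does, and renumbers the list the way ip access-list resequence does. The SHOW_OUTPUT text is a constructed, abbreviated copy of the to-internet ACL above; the behaviour that an entry typed without a sequence number lands at the last number plus 10 is IOS's documented default.

```python
"""Model of how IOS orders ACL entries by sequence number and what
`ip access-list resequence` does (added example, not from the FAQ)."""
import re

# Constructed sample: an abbreviated version of the FAQ's 'to-internet' ACL
# as `show access-list` prints it, hit counters included.
SHOW_OUTPUT = """\
Extended IP access list to-internet
   10 deny udp any any eq netbios-dgm (17226 matches)
   20 deny udp any any eq netbios-ns (6648 matches)
   30 deny udp any any eq netbios-ss
   110 permit ip any any (152039 matches)
"""

# Sequence number, then the entry text; the trailing "(N matches)" counter is dropped.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(.*?)(?:\s+\(\d+ matches\))?\s*$")


def parse_show_access_list(text):
    """Return [(sequence, entry)] in the order the router lists them."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)  # the header line has no leading number and is skipped
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def insert_entry(entries, entry, sequence=None):
    """Model an entry typed in ip access-list submode as `[sequence] <entry>`.

    With a sequence number the entry is placed by that number; without one
    IOS appends it after the last entry, at last sequence + 10.
    """
    used = {seq for seq, _ in entries}
    if sequence is None:
        sequence = max(used) + 10 if used else 10
    elif sequence in used:
        # IOS rejects a second entry with an already-used sequence number
        raise ValueError(f"sequence {sequence} already in use")
    return sorted(entries + [(sequence, entry)], key=lambda e: e[0])


def resequence(entries, start=10, step=10):
    """Model `ip access-list resequence <name> <start> <step>`: keep the order, renumber."""
    return [(start + i * step, entry) for i, (_, entry) in enumerate(entries)]


def render_config(name, entries, kind="extended"):
    """Render the ACL as lines that can be pasted into global configuration mode."""
    return [f"ip access-list {kind} {name}"] + [f" {seq} {entry}" for seq, entry in entries]


if __name__ == "__main__":
    acl = parse_show_access_list(SHOW_OUTPUT)
    acl = insert_entry(acl, "permit ip any host 1.1.1.1", 25)   # lands between 20 and 30
    acl = resequence(acl, 10, 10)                                # 10, 20, 30, 40, 50
    print("\n".join(render_config("to-internet", acl)))
```

Running the script reproduces the sequence of the FAQ's example: 25 slots between 20 and 30, and the resequence turns the list into 10, 20, 30, 40, 50 while keeping the entries in the same order. The rendered output can be compared line by line against the real show access-list before and after the change, which is the check a practitioner wants when several people edit the same list.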

Option 2: IOS image does not support ACL line number

When the router's IOS image does not support ACL line numbers, the following is the procedure to use.

1. Copy the ACL into a text editor (e.g. Notepad on Windows or vi on UNIX).
2. In the text editor, insert the ACL line.
3. Verify that your work is correct and will not bring down production.
4. On the router, temporarily unapply the ACL from the interface.
5. Remove the ACL from the router.
6. Copy the updated ACL from the text editor into the router.
7. Verify that the router now has the updated ACL.
8. Once the router has the updated ACL, reapply it as it was applied before.

Illustration

You have the following on your router:

interface Ethernet0
ip address 1.1.1.1 255.255.255.0
ip access-group 100 in
!
access-list 100 permit udp any eq 53 any
access-list 100 permit tcp any any established
access-list 100 deny ip any any
 

You need ACL 100 to look like the following:

access-list 100 permit tcp any any eq 80
access-list 100 permit udp any eq 53 any
access-list 100 permit tcp any any established
access-list 100 deny ip any any
 

Following the above steps, here is what you should do:

1. Copy the existing ACL 100 and paste it into your text editor.

Tip:
Let's say Notepad is your text editor. On the router, highlight the access list in your terminal, copy the highlighted text and paste it into Notepad.

2. In the text editor, insert the ACL line (access-list 100 permit tcp any any eq 80):
access-list 100 permit tcp any any eq 80
access-list 100 permit udp any eq 53 any
access-list 100 permit tcp any any established
access-list 100 deny ip any any

3. Verify that the updated ACL 100 in the text editor is correct and will not bring down production. This means the order of the access-list lines is correct, so that the ACL blocks only illegitimate traffic and does not block legitimate traffic.

4. On the router, temporarily unapply the ACL from the interface.

configure terminal
interface Ethernet0
no ip access-group 100 in
 

5. Remove the ACL from the router:

no access-list 100
 

6. Copy the updated ACL from the text editor and paste it into the router.

Tip:
Let's say you use Notepad as the text editor. In Notepad, you should have the following:

conf t
access-list 100 permit tcp any any eq 80
access-list 100 permit udp any eq 53 any
access-list 100 permit tcp any any established
access-list 100 deny ip any any
end
 

Have the router at the privileged exec prompt, since the pasted text begins with conf t to enter global configuration mode, like the following:

Router#

Highlight all of the above command lines in Notepad (from conf t to end), copy the highlighted text and paste it into the router.

7. Verify that the router now has the updated ACL:

show access-list 100
 

8. Once the router has the updated ACL, reapply it to the interface as before:

configure terminal
interface Ethernet0
ip access-group 100 in
end
 
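Step 3 asks you to confirm that the rebuilt ACL permits the legitimate traffic and nothing else before it is pasted back, and in particular that the new line is not placed after the final deny where it would never be reached. The following Python first-match evaluator is an added example, not code from the FAQ: it parses the subset of numbered extended ACL syntax used in this illustration, applies IOS's top-down first-match rule with the implicit deny at the end, and checks a list of constructed flows against the intended ACL 100 and against a misordered copy. The addresses and flows are constructed test data, not traffic from the page.

```python
"""First-match evaluator for numbered extended ACLs, used to check entry order
before a rebuilt ACL is pasted back to the router (added example, not from the
FAQ). The flows below are constructed test cases."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"www": 80, "domain": 53, "telnet": 23}  # subset of IOS port keywords
ANY = (0, 0xFFFFFFFF)  # (base address, wildcard mask): every bit is a don't-care


def _parse_addr(tokens, i):
    """Consume one address spec (any | host A | A WILDCARD); return ((base, wildcard), next_index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (int(ipaddress.ip_address(tokens[i + 1])), 0), i + 2
    return (int(ipaddress.ip_address(tokens[i])), int(ipaddress.ip_address(tokens[i + 1]))), i + 2


def _parse_port(tokens, i):
    """Consume an optional `eq <port>`; return (port or None, next_index)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


@dataclass
class Ace:
    action: str
    proto: str
    src: tuple
    sport: Optional[int]
    dst: tuple
    dport: Optional[int]
    established: bool
    text: str


def parse_ace(line):
    """Parse e.g. 'access-list 100 permit tcp any any eq 80' (the syntax subset the FAQ uses)."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    action, proto = t[2], t[3]
    src, i = _parse_addr(t, 4)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    return Ace(action, proto, src, sport, dst, dport, "established" in t[i:], line)


def _addr_match(spec, ip):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # bits that must be equal
    return (int(ipaddress.ip_address(ip)) & care) == (base & care)


def evaluate(acl_lines, pkt):
    """Return (action, matching line) with IOS first-match semantics and the implicit deny at the end."""
    for ace in map(parse_ace, acl_lines):
        if ace.proto != "ip" and ace.proto != pkt["proto"]:
            continue
        if not (_addr_match(ace.src, pkt["src"]) and _addr_match(ace.dst, pkt["dst"])):
            continue
        if ace.sport is not None and ace.sport != pkt.get("sport"):
            continue
        if ace.dport is not None and ace.dport != pkt.get("dport"):
            continue
        if ace.established and not pkt.get("established", False):
            continue
        return ace.action, ace.text
    return "deny", "implicit deny"


def check_order(acl_lines, expectations):
    """expectations: [(description, packet, expected_action)]; return the ones the ACL gets wrong."""
    failures = []
    for desc, pkt, expected in expectations:
        action, line = evaluate(acl_lines, pkt)
        if action != expected:
            failures.append(f"{desc}: expected {expected}, got {action} via '{line}'")
    return failures


# The FAQ's target ACL 100, and a misordered variant with the new line after the final deny
INTENDED_ACL = [
    "access-list 100 permit tcp any any eq 80",
    "access-list 100 permit udp any eq 53 any",
    "access-list 100 permit tcp any any established",
    "access-list 100 deny ip any any",
]
MISORDERED_ACL = INTENDED_ACL[1:] + INTENDED_ACL[:1]

# Constructed flows arriving inbound on Ethernet0 (outside addresses are documentation ranges)
FLOWS = [
    ("inbound HTTP to web server", {"proto": "tcp", "src": "203.0.113.5", "dst": "1.1.1.10", "dport": 80}, "permit"),
    ("DNS reply from resolver", {"proto": "udp", "src": "198.51.100.53", "sport": 53, "dst": "1.1.1.10", "dport": 40000}, "permit"),
    ("return traffic of an outbound session", {"proto": "tcp", "src": "203.0.113.5", "sport": 443, "dst": "1.1.1.10", "dport": 50000, "established": True}, "permit"),
    ("unsolicited SSH", {"proto": "tcp", "src": "203.0.113.5", "dst": "1.1.1.10", "dport": 22}, "deny"),
]

if __name__ == "__main__":
    print("intended:", check_order(INTENDED_ACL, FLOWS) or "all flows as expected")
    print("misordered:", check_order(MISORDERED_ACL, FLOWS))
```

With the intended order every flow behaves as expected; with the permit for port 80 placed after deny ip any any, the evaluator reports that the HTTP flow is denied by the deny line, which is exactly the shadowing mistake that step 3 is meant to catch before the ACL goes back on the interface.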

Note:

The illustration assumes that ACL 100 is applied to a single interface only. When the same ACL is applied to multiple interfaces, you need to unapply and reapply the ACL on all of those interfaces. In some cases the router may need to dedicate ACL 100 to one interface while other interfaces use different ACLs (e.g. ACL 101, 102).
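Finding every interface that uses the ACL is the part that is easy to miss when the list is applied in more than one place. The following Python helper is an added example, not code from the FAQ: it walks a saved running-config, records each interface and direction where ip access-group references the ACL, and renders the unapply lines for step 4 and the reapply lines for step 8 so that nothing is left off. The RUNNING_CONFIG text is constructed: the FAQ's Ethernet0 plus an invented Serial0 that also uses ACL 100 and, outbound, a separate ACL 101.

```python
"""Find every interface that applies a given ACL in a running-config and
render the matching unapply/reapply snippets (added example, not from the FAQ).
The config below is constructed: the FAQ's Ethernet0 plus an invented Serial0."""
import re

RUNNING_CONFIG = """\
interface Ethernet0
 ip address 1.1.1.1 255.255.255.0
 ip access-group 100 in
!
interface Serial0
 ip address 192.0.2.1 255.255.255.252
 ip access-group 100 in
 ip access-group 101 out
!
access-list 100 permit udp any eq 53 any
access-list 100 permit tcp any any established
access-list 100 deny ip any any
access-list 101 deny ip any any
"""

ACCESS_GROUP_RE = re.compile(r"^\s*ip access-group (\S+) (in|out)\s*$")


def acl_bindings(config, acl):
    """Return [(interface, direction)] for every `ip access-group <acl> <in|out>` in the config."""
    bindings, current = [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif line.startswith("!"):
            current = None          # end of the interface stanza
        elif current is not None:
            m = ACCESS_GROUP_RE.match(line)
            if m and m.group(1) == str(acl):
                bindings.append((current, m.group(2)))
    return bindings


def unapply_config(bindings, acl):
    """Config lines for step 4: take the ACL off every interface that uses it."""
    lines = ["configure terminal"]
    for ifname, direction in bindings:
        lines += [f"interface {ifname}", f" no ip access-group {acl} {direction}"]
    return lines + ["end"]


def reapply_config(bindings, acl):
    """Config lines for step 8: put the ACL back exactly where it was."""
    lines = ["configure terminal"]
    for ifname, direction in bindings:
        lines += [f"interface {ifname}", f" ip access-group {acl} {direction}"]
    return lines + ["end"]


if __name__ == "__main__":
    where = acl_bindings(RUNNING_CONFIG, 100)
    print("\n".join(unapply_config(where, 100)))
    print("\n".join(reapply_config(where, 100)))
```

Because the reapply snippet is generated from the same bindings as the unapply snippet, the ACL goes back on exactly the interfaces and directions it came off, and the unrelated ACL 101 on Serial0 is left untouched.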

In addition, keep in mind that you can lock yourself out of a router by making a mistake when working with ACLs. Worse, your ACL work could bring production down. If you are working remotely and it is possible to reload the router afterward, it is particularly important to consider issuing a reload in x command, where x is the number of minutes before the router reloads itself. Then, if you lock yourself out, you know the router will be reset within x minutes. When you are happy that the changes are correct, you can write the new config and cancel the reload with reload cancel. Note that a router reload brings the network down, so you may want an authorized work window, as discussed in the disclaimer below.

When it is not possible to reload and you are working remotely, you should have out-of-band access as an alternate path. Out-of-band access is a dedicated line that goes directly to the router console port. Much out-of-band access is set up using an analog dialup modem over a POTS line, although many organizations also use Frame Relay, DSL or cable modem for faster access.

Disclaimer:

For any configuration change, the impact on production must be considered. In general, an ACL change may bring production down. The ACL modification process could also let unwanted incoming traffic in from the Internet, which might then bring down some system. With that in mind, it is appropriate to schedule an ACL modification after hours or during off-hours. Depending on the environment you are working in, you may need approval from authorized people or your manager to make any changes and to get an authorized work window.

The configuration change approach presented in this FAQ is not meant to be a real-life implementation, especially in a production network; rather, it is intended as an illustration of possible ways of modifying an ACL. Some companies have their own standards and methodologies for modifying existing ACLs or for any configuration change, which you should be aware of. If you are unaware of such, consult your manager prior to any work.


Feedback received on this FAQ entry:
  • As above, just what the doctor ordered, cheers.

    2014-01-15 07:27:35

  • Thanks, it helped me a lot

    2013-10-31 05:13:40

  • thanks so much, your help is very helpful. so again thanks.........

    2013-08-29 08:06:15

  • Excellent - information was very helpful. Great for revising the topic if, like me, you are only required to use it from time to time. Will pass this page on to colleagues.

    2013-08-10 17:05:07

  • thank you

    2013-03-26 06:01:10

  • helps a lot, thanks so much

    2013-01-28 06:36:45

  • Hats off to whoever wrote this. The explanation is really great for amateurs like me! Easy to understand ! Thanks dude!

    2012-08-24 03:45:05

  • Fantastic, thanks a ton! This has saved me from several trips to remote sites.

    2011-08-03 18:04:04

  • Thank you for the information! It was very helpful!

    2011-07-09 23:00:29

  • Perfect, very very helpful

    2011-03-04 16:17:14

  • spot on, very helpful

    2009-06-22 06:27:57




by Phraxos See Profile edited by aryoba See Profile
last modified: 2014-04-09 11:59:18