Standard Access Control List (ACL) Modification

Network administrators modify a standard Access Control List (ACL) by adding lines. Each new entry you add to the ACL normally appears at the bottom of the list.

Unlike the routing table, which looks for the closest (longest) match, an ACL is processed from the top down and the first matching entry is the one that is used. So if, for instance, you want to block a single host on the 192.168.8.0/24 network that your ACL already permits, the position of that entry makes a difference. You add a deny for 192.168.8.200 to your ACL:

Switch1>enable
Password:
Switch1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch1(config)#access-list 50 deny 192.168.8.200 0.0.0.0
Switch1(config)#end
Switch1#show access-list 50
Standard IP access list 50
    deny   192.168.8.200
    permit 192.168.8.0, wildcard bits 0.0.0.255
    permit 192.168.9.0, wildcard bits 0.0.0.255

Notice that the deny was added to the top of the list, whereas each additional permit was appended to the bottom of the list. Additionally, this entry is shown without wildcard bits. The ordering behavior is by design: IOS treats an entry for a single host as more important (more specific) and therefore moves it to the top of the list.

The shortened form of the ACE for the single host is also expected; an all-zero wildcard mask means exactly one host. You could also add the single host with the host keyword instead of writing out all the zeros in the wildcard mask:

Switch1(config)#access-list 50 deny host 192.168.8.200

Now make a new ACL that denies the same two Class C address blocks but permits the first four addresses in the 192.168.8.0/24 range (192.168.8.0-192.168.8.3). Here is the result if you build the ACL in this order:

Switch1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch1(config)#access-list 60 deny 192.168.8.0 0.0.0.255
Switch1(config)#access-list 60 deny 192.168.9.0 0.0.0.255
Switch1(config)#access-list 60 permit 192.168.8.0 0.0.0.3
Switch1(config)#end
Switch1#show access-list 60
Standard IP access list 60
    deny   192.168.8.0, wildcard bits 0.0.0.255
    deny   192.168.9.0, wildcard bits 0.0.0.255
    permit 192.168.8.0, wildcard bits 0.0.0.3

Because the entries are added to the ACL in the order that you type them, the permit ends up at the bottom of the list. If you test this ACL, an address like 192.168.8.2 would be picked up by the first ACE and would not receive the permit from the third ACE. How do you fix this? Well, you have a few choices:

  • You can remove the ACL from where it is being used, delete the ACL, create a new one in the correct order, and apply it again where it is being used. This lengthy process leaves the interface unfiltered from the time you remove the ACL until it is applied again. This has been the standard method of managing ACLs.

    When working with ACLs this way, you would stage all the required steps in notepad.exe, including the steps to remove the old ACL and add the new ACL. After the entire process is staged in notepad.exe, copy it and paste it into your CLI management application, such as putty.exe.

  • If your device supports it, you can edit the ACL with the ip access-list command shown in the following code. This lets you assign sequence (line) numbers to the ACL entries, an option you do not have when editing the ACL with the access-list command in Global Configuration mode. It makes use of ACL Configuration mode. When assigning your line numbers, leave a gap between the entries in the ACL so that you can insert entries later.

Router1(config)#ip access-list standard 60
Router1(config-std-nacl)#10 deny 192.168.8.0 0.0.0.255
Router1(config-std-nacl)#20 deny 192.168.9.0 0.0.0.255
Router1(config-std-nacl)#30 permit 192.168.8.0 0.0.0.3

With this pre-planning done, you can then add a new ACL entry at the top of the ACL by choosing a number that is less than 10, similar to the following:

Router1>enable
Password:
Router1#configure terminal
Router1(config)#ip access-list standard 60
Router1(config-std-nacl)#5 permit 192.168.8.0 0.0.0.3
Router1(config-std-nacl)#end
Router1#show access-list 60
Standard IP access list 60
    5 permit 192.168.8.0, wildcard bits 0.0.0.3
    10 deny   192.168.8.0, wildcard bits 0.0.0.255
    20 deny   192.168.9.0, wildcard bits 0.0.0.255
    30 permit 192.168.8.0, wildcard bits 0.0.0.3

This allows you to edit the ACL on the fly (that is, without removing it from the interfaces where it is applied and recreating it), saving you a lot of time and effort, as long as there is a gap in the numbering where you can add your new entry.
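To make the first-match rule and the effect of ordering concrete, here is an added Python example (not code from the page) that evaluates a standard ACL the way the text describes: entries are checked in sequence order, the first match decides, and an address that matches nothing hits the implicit deny. The ACL contents are the page's ACL 50 and ACL 60; the function names and the sequence numbers assigned to ACL 50 are my own.

```python
import ipaddress

# Standard ACL model: (sequence, action, address, wildcard). A wildcard bit of 1 means
# "don't care"; a wildcard of 0.0.0.0 therefore matches exactly one host.
def ace_matches(src, ace_addr, wildcard):
    src_i = int(ipaddress.IPv4Address(src))
    ace_i = int(ipaddress.IPv4Address(ace_addr))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF  # bits that must match
    return (src_i & care) == (ace_i & care)

def evaluate(acl, src):
    """Return (action, sequence) of the first matching ACE, checked in sequence order.
    An address that matches no ACE hits the implicit deny at the end (sequence None)."""
    for seq, action, addr, wildcard in sorted(acl, key=lambda ace: ace[0]):
        if ace_matches(src, addr, wildcard):
            return action, seq
    return "deny", None

# Constructed from the page's ACL 60 as typed in Global Configuration mode
ACL60_AS_TYPED = [
    (10, "deny", "192.168.8.0", "0.0.0.255"),
    (20, "deny", "192.168.9.0", "0.0.0.255"),
    (30, "permit", "192.168.8.0", "0.0.0.3"),
]
# The same ACL after "5 permit 192.168.8.0 0.0.0.3" is inserted in ACL Configuration mode
ACL60_FIXED = ACL60_AS_TYPED + [(5, "permit", "192.168.8.0", "0.0.0.3")]

# ACL 50: IOS moved the host deny to the top. The second list shows what would happen
# if the host entry had simply been appended to the bottom instead (sequence numbers assumed).
ACL50_HOST_ON_TOP = [
    (10, "deny", "192.168.8.200", "0.0.0.0"),
    (20, "permit", "192.168.8.0", "0.0.0.255"),
    (30, "permit", "192.168.9.0", "0.0.0.255"),
]
ACL50_HOST_APPENDED = [
    (10, "permit", "192.168.8.0", "0.0.0.255"),
    (20, "permit", "192.168.9.0", "0.0.0.255"),
    (30, "deny", "192.168.8.200", "0.0.0.0"),
]

if __name__ == "__main__":
    for name, acl in [("ACL 60 as typed", ACL60_AS_TYPED), ("ACL 60 with seq 5", ACL60_FIXED)]:
        print(name, "192.168.8.2 ->", evaluate(acl, "192.168.8.2"))
    for name, acl in [("host on top", ACL50_HOST_ON_TOP), ("host appended", ACL50_HOST_APPENDED)]:
        print("ACL 50", name, "192.168.8.200 ->", evaluate(acl, "192.168.8.200"))
```

Run as a script, it shows 192.168.8.2 denied by sequence 10 in the as-typed ACL 60 but permitted by sequence 5 once the gap is used, and 192.168.8.200 blocked only when the host deny sits above the /24 permit.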

Depending on the IOS version and device, you may have other options. On the Adaptive Security Appliance (ASA), you do not have to preplan the numbering at all. Review the following code, where the ASA numbers the lines for you automatically and lets you insert an entry at a specific line:

ASAFirewall1>enable
Password:
ASAFirewall1#configure terminal
ASAFirewall1(config)# access-list 60 deny 192.168.8.0 255.255.255.0
ASAFirewall1(config)# access-list 60 deny 192.168.9.0 255.255.255.0
ASAFirewall1(config)# exit
ASAFirewall1# show access-list 60
access-list 60; 2 elements
access-list 60 line 1 standard deny 192.168.8.0 255.255.255.0 (hitcnt=0) 0x318d5521
access-list 60 line 2 standard deny 192.168.9.0 255.255.255.0 (hitcnt=0) 0xba5e90e1
ASAFirewall1#configure terminal
ASAFirewall1(config)# access-list 60 line 1 permit 192.168.9.0 255.255.255.248
ASAFirewall1(config)# exit
ASAFirewall1# show access-list 60
access-list 60; 3 elements
access-list 60 line 1 standard permit 192.168.9.0 255.255.255.248 (hitcnt=0) 0x451bbe48
access-list 60 line 2 standard deny 192.168.8.0 255.255.255.0 (hitcnt=0) 0x318d5521
access-list 60 line 3 standard deny 192.168.9.0 255.255.255.0 (hitcnt=0) 0xba5e90e1

On the ASA, you can still add lines on the fly or number the ACL entries yourself. If you insert an entry at a line number that is already in use, the ASA renumbers the rest of the list as needed. This is truly the best of both worlds.
