ACL and sequence numbers

I had the first two lines in the access list and all was well, then I added the 3rd. What I need is to put the 3rd entry (deny host 10.1.30.51) after the second entry and before the permit any. Even though I created sequence numbers in order of the 3 entries (10, 20, 30), the sequence numbers didn't put them in order and they don't even show up in the show run. What went wrong? And how is it possible to edit an ACL without sequence numbers?

Cause if I had:

10 deny x.x.x.x
20 deny x.x.x.x
30 permit any

Then I could add, say, 15 deny x.x.x.x, but now I can't, and I don't even know what happened to the sequence numbers when I created them.

Thanks.

Standard IP access list 1
    deny host 10.1.30.50 (4 match(es))
    permit any (8 match(es))
    deny host 10.1.30.51
Router#

The sequence numbers are only visible in a "show access-list" and not in a show run. If you want to add a line at a specific position, just take an unused sequence number and add the new line. It will be added at the right place:

c1841#sh access-lists
Extended IP access list TEST
    10 permit icmp any any (5 matches)
    20 permit udp any any
    30 permit esp any any

c1841(config)#ip access-list ext TEST
c1841(config-ext-nacl)#15 permit tcp any any
c1841(config-ext-nacl)#
c1841(config-ext-nacl)#do sh ip access-list TEST
Extended IP access list TEST
    10 permit icmp any any (5 matches)
    15 permit tcp any any
    20 permit udp any any
    30 permit esp any any
c1841(config-ext-nacl)#

You can also renumber your ACLs if you want to.

c1841(config)#ip access-list resequence TEST 50 20
c1841(config)#
c1841(config)#do sh ip access-list TEST
Extended IP access list TEST
    50 permit icmp any any
    70 permit tcp any any
    90 permit udp any any
    110 permit esp any any
c1841(config)#

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

As you can see below, I create a new statement in the acl, add a sequence #45, then do a show ip access-lists and it shows none of the sequence numbers.

Router(config)#access-list 1
% Incomplete command.
Router(config)#ip acc
Router(config)#ip access-list s
Router(config)#ip access-list standard 1
Router(config-std-nacl)#45 deny host 10.1.20.50
Router(config-std-nacl)#

Router#show ip access-lists 1
Standard IP access list 1
    deny host 10.1.30.50 (4 match(es))
    permit any (8 match(es))
    deny host 10.1.40.50
    deny host 10.1.30.51
    deny host 10.1.20.50

Packet Tracer doesn't use the sequence numbers.

Sequence numbers are only relevant in extended access lists. In standard access lists they are ignored.

Collin,

I do not believe this is right. Why do you believe that sequence numbers in standard ACLs are irrelevant?

Best regards,

Peter

Hi Peter,

It seems that sequence numbers in standard ACLs are irrelevant when the standard ACL is named with a number (1-99) but are relevant when it's named with a word?

(At least it looks so in my lab.)

See http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/fsaclseq.html#wp1040665

Best regards,

Milan

Hi Milan,

I just verified with a 12.4 image and sequence numbers appeared in show access-list whether the ACL was created as a numbered or named ACL.

Regards.

Alain

Don't forget to rate helpful posts.

Hi Milan,

Sequence numbers are indeed not supported if you define a numbered access list. With both standard and extended numbered ACLs, however, it is possible to do a trick: if you refer to them as named ACLs (use their number as their name), you actually are able to use the sequence numbers.

For example:

R1(config)# do show run | i access-list
access-list 1 deny   192.0.2.1
access-list 1 permit any
access-list 100 deny   ip host 192.0.2.1 any
access-list 100 permit ip any any

R1(config)# do show ip access-l
Standard IP access list 1
    10 deny   192.0.2.1
    20 permit any
Extended IP access list 100
    10 deny ip host 192.0.2.1 any
    20 permit ip any any

R1(config)# ip access-list standard 1
R1(config-std-nacl)# 15 deny 192.0.2.15
R1(config-std-nacl)# exit
R1(config)# do show access-list
Standard IP access list 1
    10 deny   192.0.2.1
    15 deny   192.0.2.15
    20 permit any
Extended IP access list 100
    10 deny ip host 192.0.2.1 any
    20 permit ip any any

R1(config)# ip access-list extended 100
R1(config-ext-nacl)# 15 deny ip host 192.0.2.15 any
R1(config-ext-nacl)# exit
R1(config)# do show access-l
Standard IP access list 1
    10 deny   192.0.2.1
    15 deny   192.0.2.15
    20 permit any
Extended IP access list 100
    10 deny ip host 192.0.2.1 any
    15 deny ip host 192.0.2.15 any
    20 permit ip any any

The router is even smart enough to disallow referring to a named ACL whose name is a number of the opposite type than stated on the command line:

R1(config)# ip access-list standard 101
%
% Invalid access list name.
R1(config)# ip access-list extended 2
%
% Invalid access list name.

What Collin may have in mind, though, is that host entries in standard ACLs are reorganized to a different order than entered:

R1(config)# ip access-list standard Test
R1(config-std-nacl)# permit 10.0.0.1
R1(config-std-nacl)# deny 10.0.0.2
R1(config-std-nacl)# permit 10.0.0.3
R1(config-std-nacl)# deny 10.0.0.4
R1(config-std-nacl)# permit 10.0.0.5
R1(config-std-nacl)# deny 10.0.0.6
R1(config-std-nacl)# permit 10.0.0.7
R1(config-std-nacl)# deny 10.0.0.8
R1(config-std-nacl)# permit any
R1(config-std-nacl)#exit
R1(config)# do show access-list Test
Standard IP access list Test
    80 deny   10.0.0.8
    20 deny   10.0.0.2
    30 permit 10.0.0.3
    10 permit 10.0.0.1
    60 deny   10.0.0.6
    70 permit 10.0.0.7
    40 deny   10.0.0.4
    50 permit 10.0.0.5
    90 permit any

R1(config)# do show run | section Test
ip access-list standard Test
deny   10.0.0.8
deny   10.0.0.2
permit 10.0.0.3
permit 10.0.0.1
deny   10.0.0.6
permit 10.0.0.7
deny   10.0.0.4
permit 10.0.0.5
permit any

This reordering happens only with standard ACLs and is a result of indexing the host entries in the ACL into a hash table (the hash function being XOR of individual octets of the IP address in the host entry) for faster access. When printing out the ACL, first the host items are printed out in the order they are stored in the hashing table, and only then the remaining entries that use wildcards. Wildcard entries are not reordered.

The funny thing is that the ACL is actually even stored in the configuration in the reordered form, and thus evaluated in a reordered form, which can be confusing. However, you may have noticed that the router will prohibit you from entering a host ACL after entering a wildcard ACL that also matches the IP address in a wildcard entry:

R1(config)# ip access-list standard Test2
R1(config-std-nacl)# permit 10.0.1.0 0.0.0.255
R1(config-std-nacl)# deny 10.0.1.1
% Access rule can't be configured at higher sequence num as it is part of the existing rule at sequence num 10
R1(config-std-nacl)#

Why is this? Obviously, a host entry can either select the same action for a packet that would be taken by a more general wildcard entry (in which case it is not necessary for the host entry to be entered at all), or it can override the action that would be chosen by a more general wildcard entry. In this second case, it is necessary for this host entry to be placed in the ACL first, otherwise it would never be reached. Ordering of host entries themselves can be arbitrary, as they do not influence each other. This leads us to a general logic in standard ACLs - it is required to put all host entries first, and wildcard entries last. Now it is completely logical to visit all host entries first (indexed by a hash for rapid access), and then visit the wildcard entries.

Quite a long post... sorry for that. Hopefully, we've resolved some of the doubts.

Best regards,

Peter
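Peter's explanation of host-first ordering above, together with Karsten's insert-by-sequence-number and resequence examples earlier in the thread, as a small runnable model. This is an added example, not code from the thread or from Cisco IOS: the class and function names are hypothetical, the XOR-of-octets ordering simply follows Peter's description (a real IOS hash table may differ), and "any" is passed as address 0.0.0.0 with wildcard 255.255.255.255.

```python
import ipaddress

def ip_int(s):
    return int(ipaddress.IPv4Address(s))

def host_hash(addr):
    # Hypothetical model of the host-entry hash Peter describes: XOR of the four octets.
    return (addr >> 24) ^ ((addr >> 16) & 0xFF) ^ ((addr >> 8) & 0xFF) ^ (addr & 0xFF)

def covers(net, wc, addr):
    # IOS wildcard mask: a 1 bit means "don't care"; only the 0 bits must match.
    care = ~wc & 0xFFFFFFFF
    return (net & care) == (addr & care)

class StandardAcl:
    def __init__(self):
        self.entries = {}  # seq -> (action, address as int, wildcard mask as int)

    def add(self, action, address, wildcard="0.0.0.0", seq=None):
        net, wc = ip_int(address), ip_int(wildcard)
        if seq is None:  # no explicit number: append in steps of 10, as IOS does
            seq = (max(self.entries) if self.entries else 0) + 10
        if wc == 0:
            # A host entry behind an earlier, broader wildcard entry would never be
            # reached, so it is refused (the "Access rule can't be configured" error).
            for s, (_, n, w) in self.entries.items():
                if w != 0 and s < seq and covers(n, w, net):
                    raise ValueError(f"part of the existing rule at sequence num {s}")
        self.entries[seq] = (action, net, wc)
        return seq

    def resequence(self, start, step):
        # Equivalent of "ip access-list resequence NAME start step".
        self.entries = {start + i * step: self.entries[s]
                        for i, s in enumerate(sorted(self.entries))}

    def order(self):
        # Stored (and evaluated) order: host entries by hash value, then wildcard entries by seq.
        hosts = sorted((s for s, e in self.entries.items() if e[2] == 0),
                       key=lambda s: (host_hash(self.entries[s][1]), s))
        return hosts + sorted(s for s, e in self.entries.items() if e[2] != 0)

    def lookup(self, address):
        # First match in stored order wins; an unmatched packet hits the implicit deny.
        addr = ip_int(address)
        for s in self.order():
            action, net, wc = self.entries[s]
            if covers(net, wc, addr):
                return action
        return "deny"
```

Feeding in Peter's "Test" ACL reproduces the 80, 20, 30, 10, 60, 70, 40, 50, 90 display order from his show output, and Milan's ACL 50 comes back as 30, 10, 20.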

I have never found that you could not change sequence numbers, whether it was standard or extended, numbered or named. As Peter said, you just make all access lists so-called named ACLs and just substitute the number for the name, and you can modify anything. I believe this works even if you made the access list the old way, "access-list 5". To modify with sequence numbers you can display it using a show access list, and at least on newer code like 12.4 or newer switch codes it will show sequence numbers. You then just use the named access list to change it.

ip access-list standard 5, enter, then add or delete your entry.

I think you had some restrictions way back in like 12.2T code when they brought these features online.

Hi Peter,

You are correct, as usual.

I just missed the effect was due to the host entries in my lab ACL.

Only one comment:

I don't agree with Cisco's logic that all host entries should go to the beginning of any standard ACL.

Let's consider an ACL permitting access from private IP addresses and one public address:

c2811-R1#sh access-l 50
Standard IP access list 50
    30 permit 77.65.77.1
    10 permit 10.0.0.0, wildcard bits 0.0.0.255
    20 permit 192.168.0.0, wildcard bits 0.0.255.255

Let's say the public address is used once a year.

Does it really make sense to check each packet against the public host entry first?

Best regards,

Milan

Here I create a standard access list with a name called "ACL1":

Router(config)#ip access-list standard ?
  <1-99>  Standard IP access-list number
  WORD    Access-list name
Router(config)#ip access-list ?
  extended  Extended Access List
  standard  Standard Access List
Router(config)#ip access-list standard ACL1

Here is the ACL1 with two entries:

I created the sequence numbers as well.

Router(config-std-nacl)#do show ip access-list
Standard IP access list ACL1
    10 deny host 10.1.30.50
    20 permit any

Trying to apply the name "ACL1" to an interface returns an incomplete command.

This I can't understand, since that is the name I gave it, no?

What am I supposed to type here?

Router(config-if)#ip access-group ?
  <1-199>  IP access list (standard or extended)
  WORD     Access-list name
Router(config-if)#ip access-group ACL1
% Incomplete command.

Show ip access list comes with the sequence numbers.

Only if created with a word though; created with numbers it won't show the sequence numbers.

Router#show ip access-list
Standard IP access list ACL1
    10 deny host 10.1.30.50
    20 permit any

I think this is confusing for those studying for exams, when I heard you cannot use the ? or tab when typing a command during the exam. How can you do this on the exam if it doesn't even work correctly in real life?

It gave you an incomplete command because you didn't specify in or out on the interface. If you create a numbered ACL and do a show ip access-list 5, for instance, the sequence numbers don't show?

Thanks Glen, that worked, and it does show the sequence numbers with a show ip access-list, although I think sometimes Packet Tracer is acting up.

Packet tracer is often not "faithful" to "real" IOSs.

Even "real" IOSs can have different behaviors between versions (and platforms).

I.e., the only way I've found, with 100% certainty, how a particular IOS version/platform will behave is by using that actual IOS platform/version.