Editing Extended ACLs

prigney81
Level 1

Hi, I need to edit extended named ACLs which have sequence numbers from 10 to 1500 in increments of 10. The original ACL has the following config:

1110 permit tcp 10.251.150.0 0.0.0.255 host 11.25.160.13 eq 1433 1434
1120 permit tcp 10.251.150.0 0.0.0.255 host 11.25.160.13 eq 5413
1130 permit tcp 10.251.150.0 0.0.0.255 host 11.25.160.13 eq 3389
1140 permit tcp 10.251.150.0 0.0.0.255 host 11.25.160.24 range 135 139
1150 permit tcp 10.251.150.0 0.0.0.255 host 11.25.160.24 eq 445
1160 permit tcp 10.251.150.0 0.0.0.255 host 11.25.160.24 eq 1433 1434
1170 permit tcp 10.251.150.0 0.0.0.255 host 11.25.160.24 eq 5413
1180 permit tcp 10.251.150.0 0.0.0.255 host 11.25.160.24 eq 3389
1190 permit tcp 10.251.150.0 0.0.0.255 host 11.25.160.27 range 135 139
1200 permit tcp 10.251.150.0 0.0.0.255 host 11.25.160.27 eq 445
1210 permit tcp 10.251.150.0 0.0.0.255 host 11.25.160.27 eq 1433 1434
1220 permit tcp 10.251.150.0 0.0.0.255 host 11.25.160.27 eq 5413
1230 permit tcp 10.251.150.0 0.0.0.255 host 11.25.160.27 eq 3389
1240 permit ip host 10.251.150.71 any
1245 permit ip host 10.251.150.72 any
1250 permit ip host 10.251.150.180 11.25.160.128 0.0.0.63

I want to make the following additions, so the config will become as below:

1110 permit tcp 10.251.150.0 0.0.0.255 host 11.25.160.13 eq 1433 1434
1120 permit tcp 10.251.150.0 0.0.0.255 host 11.25.160.13 eq 5413
1130 permit tcp 10.251.150.0 0.0.0.255 host 11.25.160.13 eq 3389
1140 permit tcp 10.251.150.0 0.0.0.255 host 11.25.160.24 range 135 139
1150 permit tcp 10.251.150.0 0.0.0.255 host 11.25.160.24 eq 445
1160 permit tcp 10.251.150.0 0.0.0.255 host 11.25.160.24 eq 1433 1434
1170 permit tcp 10.251.150.0 0.0.0.255 host 11.25.160.24 eq 5413
1180 permit tcp 10.251.150.0 0.0.0.255 host 11.25.160.24 eq 3389

1181 permit tcp 10.251.150.0 0.0.0.255 host 11.25.160.12 range 27000 27009
1182 permit tcp 10.251.150.0 0.0.0.255 host 11.25.160.12 eq 80
1183 permit tcp 10.251.150.0 0.0.0.255 host 11.25.160.12 eq 2222
1184 permit tcp 10.251.150.0 0.0.0.255 host 11.25.160.12 eq 44818
1185 permit tcp 10.251.150.0 0.0.0.255 host 11.25.160.12 eq 7720

1190 permit tcp 10.251.150.0 0.0.0.255 host 11.25.160.27 range 135 139
1200 permit tcp 10.251.150.0 0.0.0.255 host 11.25.160.27 eq 445
1210 permit tcp 10.251.150.0 0.0.0.255 host 11.25.160.27 eq 1433 1434
1220 permit tcp 10.251.150.0 0.0.0.255 host 11.25.160.27 eq 5413
1230 permit tcp 10.251.150.0 0.0.0.255 host 11.25.160.27 eq 3389
1240 permit ip host 10.251.150.71 any
1245 permit ip host 10.251.150.72 any
1250 permit ip host 10.251.150.180 11.25.160.128 0.0.0.63

I just want to check that there is no issue with breaking the sequence of 10 for this, and that the location is OK?

2 Replies

Joseph W. Doherty
Hall of Fame

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

No, there shouldn't be any issue of inserting between two statements. However, if you only sequence by 1, you'll not be able to insert anything between your newly inserted ACEs, unless you renumber the whole ACL (which might be a good idea). Whether the "location" is ok depends on your overall ACL and its purpose, i.e. whether you have any overlaps in matching (I'm guessing not, as your destination is a single host).

Of course, unless you have a platform that supports ACLs in hardware, or something like the 7200's turbo ACL feature, there's a performance benefit to matching the most common matches first (again ensuring such sequencing doesn't change your overall ACL match logic). For example, I would also guess your most common port match might be to port 80.
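As an added example (not from the thread or from Cisco), here is a small Python checker for a proposed named-ACL edit like the one above: it flags adjacent sequence numbers that leave no room for a later insertion (the "sequence by 1" point), flags ACEs that an earlier ACE already fully covers and so never match (the overlap question), and computes the renumbering that `ip access-list resequence NAME 10 10` would apply. The sample ACL is constructed from lines in the post plus one made-up entry, and only destination-port `eq`/`range` operators are parsed.

```python
import ipaddress

# Constructed sample: ACEs 1180/1181/1240 as in the post, plus a made-up 1250 that 1240 already covers.
SAMPLE_ACL = """\
1180 permit tcp 10.251.150.0 0.0.0.255 host 11.25.160.24 eq 3389
1181 permit tcp 10.251.150.0 0.0.0.255 host 11.25.160.12 range 27000 27009
1240 permit ip host 10.251.150.71 any
1250 permit tcp host 10.251.150.71 host 11.25.160.12 eq 80
"""

def _addr(tok):
    """Pop one address spec off tok: 'any', 'host A' or 'A WILDCARD' (ipaddress accepts the wildcard as a hostmask)."""
    kind = tok.pop(0)
    if kind == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(tok.pop(0) + "/32" if kind == "host" else (kind, tok.pop(0)))

def _ports(tok):
    """Destination port operator -> frozenset of ports, or None meaning any port."""
    if not tok:
        return None
    assert tok[0] in ("eq", "range"), f"unsupported operator {tok[0]!r}"
    args = [int(a) for a in tok[1:]]
    return frozenset(args if tok[0] == "eq" else range(args[0], args[1] + 1))

def parse_ace(line):
    """Parse 'SEQ permit|deny PROTO SRC DST [eq|range ...]'; source-port operators are not supported."""
    seq, _action, proto, *tok = line.split()
    src, dst = _addr(tok), _addr(tok)
    return {"seq": int(seq), "proto": proto, "src": src, "dst": dst, "ports": _ports(tok)}

def _covers(a, b):
    """True when ACE a matches every packet ACE b would match, so b can never fire."""
    return (a["proto"] in ("ip", b["proto"]) and b["src"].subnet_of(a["src"])
            and b["dst"].subnet_of(a["dst"]) and (a["ports"] is None or
            (b["ports"] is not None and b["ports"] <= a["ports"])))

def audit(acl_text):
    """Warn about adjacent sequence numbers with no gap, and about ACEs shadowed by an earlier ACE."""
    aces = [parse_ace(l) for l in acl_text.splitlines() if l.strip()]
    out = [f"{p['seq']}-{c['seq']}: no free sequence number between them"
           for p, c in zip(aces, aces[1:]) if c["seq"] - p["seq"] == 1]
    out += [f"{c['seq']}: never matched, shadowed by {e['seq']}"
            for i, c in enumerate(aces) for e in aces[:i] if _covers(e, c)]
    return out

def resequence(acl_text, start=10, step=10):
    """Old -> new sequence map, what 'ip access-list resequence NAME 10 10' would assign."""
    seqs = [parse_ace(l)["seq"] for l in acl_text.splitlines() if l.strip()]
    return {old: start + i * step for i, old in enumerate(seqs)}
```

Run `audit` over the full before-and-after ACL from the post to see the 1181-1185 block reported as having no free numbers, and `resequence` to preview the renumbering before applying it on the device.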

Thanks, Joseph, for your time in replying; I appreciate the advice. I will take into account the performance issue for common ports.