Thursday, November 13, 2008

in-line editing of Cisco ACLs

Many people don't realize that reasonably recent versions of IOS have in-line ACL editing.

The way this works is that every ACL entry carries a sequence number. These numbers are hidden in "show run" and only show up in "show access-list":

R1#sh access-list TEST
Extended IP access list TEST
10 permit tcp host 1.1.1.1 host 2.2.2.2
20 permit gre host 3.3.3.3 host 4.4.4.4

In the example above, the line numbers are shown. If we just look at the config, they're not:

R1#sh run | s access-list
ip access-list extended TEST
permit tcp host 1.1.1.1 host 2.2.2.2
permit gre host 3.3.3.3 host 4.4.4.4

Now, let's say I want to make line number 10 more restrictive:

R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip access-list ext TEST
R1(config-ext-nacl)#15 permit tcp host 1.1.1.1 host 2.2.2.2 eq www
R1(config-ext-nacl)#do sh access-list TEST
Extended IP access list TEST
10 permit tcp host 1.1.1.1 host 2.2.2.2
15 permit tcp host 1.1.1.1 host 2.2.2.2 eq www
20 permit gre host 3.3.3.3 host 4.4.4.4
R1(config-ext-nacl)#no 10
R1(config-ext-nacl)#do sh access-list TEST
Extended IP access list TEST
15 permit tcp host 1.1.1.1 host 2.2.2.2 eq www
20 permit gre host 3.3.3.3 host 4.4.4.4

If the odd sequence numbers really bother you, you can fix them:

R1(config)#ip access-list resequence TEST ?
<1-2147483647> Starting Sequence Number

R1(config)#ip access-list resequence TEST 10 ?
<1-2147483647> Step to increment the sequence number

R1(config)#ip access-list resequence TEST 10 10 ?


R1(config)#ip access-list resequence TEST 10 10
R1(config)#do sh access-list TEST
Extended IP access list TEST
10 permit tcp host 1.1.1.1 host 2.2.2.2 eq www
20 permit gre host 3.3.3.3 host 4.4.4.4
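
To make the sequence-number semantics concrete, here is a small Python model (added here; it is not part of the original post and not Cisco code) that parses the "show access-list" output above, replays the insert, "no 10" and resequence steps, and evaluates first-match lookups so you can see that line 10 still permits all TCP between the two hosts until it is removed. The ACE shape it parses (host/host with an optional eq port), the helper names and the trailing implicit deny are assumptions of the model.

```python
"""Model of IOS sequence-numbered ACL editing (added example, not from the post)."""
import re

# Constructed input: the 'show access-list TEST' output quoted in the post.
SHOW_ACL = """Extended IP access list TEST
10 permit tcp host 1.1.1.1 host 2.2.2.2
20 permit gre host 3.3.3.3 host 4.4.4.4
"""

# Only the host/host ACE shape used in the post is modelled (assumption).
ACE_RE = re.compile(r"^(\d+) (permit|deny) (\S+) host (\S+) host (\S+)(?: eq (\S+))?$")

def parse_show_acl(text):
    """Return {seq: (action, proto, src, dst, port)} from 'show access-list' output."""
    acl = {}
    for line in text.splitlines()[1:]:  # skip the 'Extended IP access list' header
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError("unparsed ACE: %r" % line)
        seq, action, proto, src, dst, port = m.groups()
        acl[int(seq)] = (action, proto, src, dst, port)
    return acl

def add_ace(acl, seq, ace):
    """'<seq> permit ...' in ip access-list mode: the entry is placed by sequence number."""
    if seq in acl:
        raise ValueError("sequence number %d already in use" % seq)
    acl[seq] = ace

def remove_ace(acl, seq):
    """'no <seq>' removes exactly that one entry."""
    del acl[seq]

def resequence(acl, start, step):
    """'ip access-list resequence NAME start step': same order, fresh numbers."""
    return {start + i * step: acl[s] for i, s in enumerate(sorted(acl))}

def lookup(acl, proto, src, dst, port=None):
    """First match in sequence order wins; an IOS ACL ends with an implicit deny."""
    for seq in sorted(acl):
        action, p, s, d, prt = acl[seq]
        # An ACE without 'eq' matches any port; one with 'eq' must match exactly.
        if p == proto and s == src and d == dst and prt in (None, port):
            return action
    return "deny"
```

Running the post's steps through the model shows why inserting 15 before removing 10 leaves the broader line in effect until the "no 10" is issued.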

I'm not sure what IOS version this appeared in, but it's been around since at least the early 12.3T images.
