There are a number of different type of Cisco ACLs available on their various IOS powered devices. Of these the numbered, and named types are the most prevalent. For my money I always use named where possible as I find them a lot neater and easier to edit live. With a numbered ACL, if you need to change the order of the ACL (remember they are processed sequentially so the order is very important) you need to do something like
- copy the whole ACL into vi (or your favourite editor)
- edit it to suit your new requirements
- delete the old one from the config using something like no ip access-list 158
- paste the edited one in to the config.
The problem with this is that this quite often isn’t possible if your ACL controls your ability to access the router/switch. The same situation can exist if you don’t know how to edit named ACLs while they are live. This method should really only be done on routers you are connected to by the console and aren’t live.
An easier solution is simply to edit named ACLs live. Now this isn’t necessarily for the faint of heart, and can easily end in a router/switch boot if you aren’t careful, but it is the “best” method in my opinion.
So how to do it…
First, you need to understand that named ACLs actually have line numbers. I will also stress again that the ACL is assessed sequentially, so the order is imperative. Also remember, the ACL stops processing as soon as it gets a positive match.
Now if you show the ACL you will get something like this…
Router1(config)# do sh access-l aclInternetInbound Extended IP access list aclInternetInbound 10 permit tcp any any established (3579 matches) 20 permit udp any any eq domain (13 matches) 30 deny ip 12.0.0.0 1.255.255.255 any 40 deny ip 24.200.0.0 0.3.255.255 any 50 deny ip 24.248.0.0 0.7.255.255 any 60 deny ip 38.0.0.0 0.255.255.255 any 70 deny ip 41.177.0.0 0.0.255.255 any 80 deny ip 41.208.192.0 0.0.63.255 any 90 deny ip 58.192.0.0 0.31.255.255 any (22 matches) 100 deny ip 59.32.0.0 0.31.255.255 any 110 deny ip 59.151.0.0 0.0.127.255 any 120 deny ip 60.0.0.0 0.31.255.255 any 130 deny ip 61.12.0.0 0.0.127.255 any 140 deny ip 61.32.0.0 0.7.255.255 any ... 2050 permit tcp any any eq smtp (4006 matches)
As you can see this is part of a mail server router ACL (that blocks a lot of our international friends from bothering us) and we can see the line numbers shown. So to edit it while live we simple enter the ACL configuration and edit the line numbers directly. The other lines remain unaffected and in their original order. We can just as easily remove offending Line Numbers if necessary…
Edit: Please note the “Safety Switch” of reload in 10 (minutes). This reloads the router config to the current startup config if we stuff up our editing and lose connection.
Router1(config)# do reload in 10 Router1(config)# ip access ext aclInternetInbound Router1(config-ext-nacl)# no 50 <--- Deletes line number 50 Router1(config-ext-nacl)# 65 deny ip 41.0.0.0 0.0.255.255 any <--- Adds a line number 65 between 60 and 70 Router1(config-ext-nacl)# exit Router1(config)# do sh access-l aclInternetInbound Extended IP access list aclInternetInbound 10 permit tcp any any established (3579 matches) 20 permit udp any any eq domain (13 matches) 30 deny ip 12.0.0.0 1.255.255.255 any 40 deny ip 24.200.0.0 0.3.255.255 any 60 deny ip 38.0.0.0 0.255.255.255 any 65 deny ip 41.0.0.0 0.0.255.255 any 70 deny ip 41.177.0.0 0.0.255.255 any 80 deny ip 41.208.192.0 0.0.63.255 any 90 deny ip 58.192.0.0 0.31.255.255 any (22 matches) 100 deny ip 59.32.0.0 0.31.255.255 any 110 deny ip 59.151.0.0 0.0.127.255 any 120 deny ip 60.0.0.0 0.31.255.255 any 130 deny ip 61.12.0.0 0.0.127.255 any 140 deny ip 61.32.0.0 0.7.255.255 any ... 2050 permit tcp any any eq smtp (4020 matches) Router1(config)# do reload cancel
Using this method it is easy to end up with the line numbers all over the place so Cisco have kindly provided a re-sequencing method to tidy the world up again.
Router1(config)# ip access-l res aclInternetInbound 10 10
this simple re-sequences the line numbers starting at number 10 and incrementing each line by 10. We then end up with …
Router1(config)# do sh access-l aclInternetInbound Extended IP access list aclInternetInbound 10 permit tcp any any established (3579 matches) 20 permit udp any any eq domain (13 matches) 30 deny ip 12.0.0.0 1.255.255.255 any 40 deny ip 24.200.0.0 0.3.255.255 any 50 deny ip 38.0.0.0 0.255.255.255 any 60 deny ip 41.0.0.0 0.0.255.255 any 70 deny ip 41.177.0.0 0.0.255.255 any 80 deny ip 41.208.192.0 0.0.63.255 any 90 deny ip 58.192.0.0 0.31.255.255 any (22 matches) 100 deny ip 59.32.0.0 0.31.255.255 any 110 deny ip 59.151.0.0 0.0.127.255 any 120 deny ip 60.0.0.0 0.31.255.255 any 130 deny ip 61.12.0.0 0.0.127.255 any 140 deny ip 61.32.0.0 0.7.255.255 any ... 2050 permit tcp any any eq smtp (4072 matches)
A couple of things to remember…
- All ACLs, number or named, have an implicit deny ip any any at the end of them. So permit or deny the stuff you definitely want and let the implicit deny handle the rest. Don’t clog your ACL’s with useless crud that will get picked up by the implicit deny anyway. It just chew processor resources unnecessarily.
- The ACL is assessed sequentially so be very careful with the order of statements. No point putting a permit everything followed by a deny something explicit.
- As soon as the ACL gets a positive match, it stops processing. So a deny ip any any at the start of an ACL will ensure nothing ever gets through
- Use reload in 10 and reload cancel in case you stuff up. They are life savers if the router or switch is remote. (Thanks again to Daniel996)
So there you go. Edit them live and save a lot of stress. But do be careful won’t you.