no more extended named Acl updates

Unanswered Question
Sep 23rd, 2009

Hello all,

On this 12.4(24)T1 IOS Firewall, after some successful ACL updates, new ones do not appear anymore:

cisco2821#sh access-list Acl_DmzSec
Extended IP access list Acl_DmzSec
20 permit object-group OGs_Standard any any (7 matches)
30 permit icmp any any
40 permit 112 any host 224.0.0.18
50 permit object-group OGs_DNS host 172.19.201.1 host 172.17.202.26 (308 matches)
60 permit object-group OGs_DNS host 172.19.201.1 host 172.17.202.102 (94 matches)
70 permit object-group OGs_DNS host 172.19.201.1 object-group OGn_DmzRev (47 matches)
80 permit object-group OGs_DNS host 172.19.201.1 object-group OGn_DmzProxySig (13 matches)
90 permit object-group OGs_DNS host 172.19.201.1 object-group OGn_Externe (138499 matches)
100 permit tcp host 172.19.201.1 object-group OGn_Externe eq www (1119 matches)
110 permit udp host 172.19.201.1 object-group OGn_DmzProxySig eq ntp
120 permit udp host 172.19.201.1 object-group OGn_Externe eq ntp (132 matches)
130 permit tcp host 172.19.201.1 object-group OGn_DmzProxySig eq 3128
140 permit tcp host 172.19.201.1 host 172.17.202.61 eq smtp
150 permit tcp host 172.19.201.1 object-group OGn_Externe eq smtp

cisco2821#conf t
Enter configuration commands, one per line. End with CNTL/Z.
cisco2821(config)#ip access-list extended Acl_DmzSec
cisco2821(config-ext-nacl)#10 permit object-group OGs_DNS host 172.19.201.1 host 172.17.202.102
cisco2821(config-ext-nacl)#end

cisco2821#sh access-list Acl_DmzSec
Extended IP access list Acl_DmzSec
20 permit object-group OGs_Standard any any (7 matches)
30 permit icmp any any
40 permit 112 any host 224.0.0.18
50 permit object-group OGs_DNS host 172.19.201.1 host 172.17.202.26 (308 matches)
60 permit object-group OGs_DNS host 172.19.201.1 host 172.17.202.102 (94 matches)
70 permit object-group OGs_DNS host 172.19.201.1 object-group OGn_DmzRev (47 matches)
80 permit object-group OGs_DNS host 172.19.201.1 object-group OGn_DmzProxySig (13 matches)
90 permit object-group OGs_DNS host 172.19.201.1 object-group OGn_Externe (138956 matches)
100 permit tcp host 172.19.201.1 object-group OGn_Externe eq www (1119 matches)
110 permit udp host 172.19.201.1 object-group OGn_DmzProxySig eq ntp
120 permit udp host 172.19.201.1 object-group OGn_Externe eq ntp (132 matches)
130 permit tcp host 172.19.201.1 object-group OGn_DmzProxySig eq 3128
140 permit tcp host 172.19.201.1 host 172.17.202.61 eq smtp
150 permit tcp host 172.19.201.1 object-group OGn_Externe eq smtp

If I reload, it will do it again, but users will surely be angry.

Regards,

Alain

Peter Paluch Wed, 09/23/2009 - 03:41

Hello,

Your entire ACL consists only of permit-type entries. In this case, the recent IOSes might actually change the order of entries to better suit the internal evaluation of the entire ACL. Note that the entry you are trying to add is identical to the entry number 60. I am not surprised that while the command is accepted, it does not change the logic of the entire ACL and because it is only a duplicate of an existing entry, it is not actually added to your ACL.

Best regards,

Peter
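
As an added example (not from this thread or from Cisco), a small Python helper that parses the `sh access-list` output quoted above, checks whether an ACE about to be entered duplicates an existing entry (the case Peter describes, where the command is accepted but the ACL does not change), and builds the remove-and-re-add command pair used to move an entry. The sample output is constructed from the ACL shown in the thread.

```python
import re

# Constructed sample, modelled on the "sh access-list" output quoted in the thread.
SHOW_ACL = """Extended IP access list Acl_DmzSec
20 permit object-group OGs_Standard any any (7 matches)
30 permit icmp any any
60 permit object-group OGs_DNS host 172.19.201.1 host 172.17.202.102 (94 matches)
100 permit tcp host 172.19.201.1 object-group OGn_Externe eq www (1119 matches)
"""

# sequence number, ACE body, optional trailing match counter
ACE_RE = re.compile(r"^\s*(?P<seq>\d+)\s+(?P<body>.*?)(?:\s+\(\d+ matches\))?\s*$")

def parse_show_acl(text):
    """Return {seq: body} for each ACE in 'show access-list' output.
    Match counters are stripped and whitespace collapsed so bodies can be
    compared independently of how the entry was typed or displayed."""
    entries = {}
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m or not m.group("body"):
            continue  # header line or blank line
        entries[int(m.group("seq"))] = " ".join(m.group("body").split())
    return entries

def normalize_ace(cmd):
    """Normalize an ACE as typed at the (config-ext-nacl)# prompt:
    drop an optional leading sequence number, collapse whitespace."""
    parts = cmd.split()
    if parts and parts[0].isdigit():
        parts = parts[1:]
    return " ".join(parts)

def find_duplicate(acl_text, new_ace):
    """Return the sequence number of an existing ACE identical to new_ace, else None.
    A non-None result means IOS will accept the command without changing the ACL."""
    wanted = normalize_ace(new_ace)
    for seq, body in parse_show_acl(acl_text).items():
        if body == wanted:
            return seq
    return None

def resequence_commands(acl_name, acl_text, old_seq, new_seq):
    """Build the 'no <seq>' / '<new_seq> <body>' pair used in this thread to move
    an ACE, refusing to move onto a sequence number that is already in use."""
    entries = parse_show_acl(acl_text)
    if old_seq not in entries or new_seq in entries:
        raise ValueError("old sequence missing or new sequence already in use")
    return [f"ip access-list extended {acl_name}", f"no {old_seq}", f"{new_seq} {entries[old_seq]}"]
```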

falain Wed, 09/23/2009 - 04:03

Hello,

Thank you for your answer.

I did not verify that this ACE already existed elsewhere in this ACL.

But one question remains:

Can you change the order of ACEs when you see they are more frequently used?

In this case, do I have to do

ip access-list extended Acl....
no 60
10 permit ....

Couldn't it be easier to just change the ACE sequence number?

Regards

Alain

Peter Paluch Wed, 09/23/2009 - 04:37

Hi Alain,

Personally, I don't know if there is any quick way to renumber an existing ACL entry. Perhaps someone else here will be able to answer but I do it the same way as you do: remove the old entry and reenter it with a new sequence number.

Best regards,

Peter

falain Fri, 09/25/2009 - 13:15

Hi Peter,

Why couldn't IOS automatically optimize ACL processing by auto-resequencing the entries rather than having it done manually?

It could be a background task running at periodic moments when packet counters become significant.

It is just an idea to submit.

Alain
