ACLs and ACEs

Bruce Summers
Level 1

Is it possible to remove an ACE that is encompassed by an ACL?

exp:  access-list vlan1000 line 1 extended permit ip object-group X object-group Y

object-group network X
  network-object 10.10.10.0 255.255.255.0

object-group network Y
  network-object 192.168.1.0 255.255.255.0

In the scenario above, I have 30 IPs in use in the 10.10.10.0, spread across the class C (i.e. 10.10.10.10, 10.10.10.30, 10.10.10.70, 10.10.10.135 etc...)

I want to keep the /24 intact, but I would like to remove those IPs in that class C that aren't being used...

I know, it sounds silly, but what I've run into is that, over the course of time, some of my object-group/ACL combinations have grown so large that I'm against the max allowable ACEs in my context (running multi-context mode on FWSM 3.2.2).

I don't see a way around this problem, with the exception of reducing the number of partitions (did that already, currently at 6 ACL partitions and each has virtual contexts created in them) OR removing some of the 0 hitcnt ACEs...

Any ideas would be greatly appreciated...

Bruce

Accepted Solution

Jon Marshall
Hall of Fame

bruce.summers wrote:

Is it possible to remove an ACE that is encompassed by an ACL?

exp:  access-list vlan1000 line 1 extended permit ip object-group X object-group Y

object-group network X
  network-object 10.10.10.0 255.255.255.0

object-group network Y
  network-object 192.168.1.0 255.255.255.0

In the scenario above, I have 30 IPs in use in the 10.10.10.0, spread across the class C (i.e. 10.10.10.10, 10.10.10.30, 10.10.10.70, 10.10.10.135 etc...)

I want to keep the /24 intact, but I would like to remove those IPs in that class C that aren't being used...

I know, it sounds silly, but what I've run into is that, over the course of time, some of my object-group/ACL combinations have grown so large that I'm against the max allowable ACEs in my context (running multi-context mode on FWSM 3.2.2).

I don't see a way around this problem, with the exception of reducing the number of partitions (did that already, currently at 6 ACL partitions and each has virtual contexts created in them) OR removing some of the 0 hitcnt ACEs...

Any ideas would be greatly appreciated...

Bruce

Bruce

Not sure what you mean. Your example -

access-list vlan1000 line 1 extended permit ip object-group X object-group Y

only amounts to one ACE, because you have defined network objects rather than individual host entries.

I think I may have misunderstood the question.

Jon


6 Replies

you understood correctly...

Maybe I misunderstand ACEs vs. ACLs...

But now that I read your post, I think it became clear... I thought that an ACE was a "subunit" of an ACL... I guess not :-)

So, because of the use of the object groups, what I want to do is not possible, I don't think...

Bruce

bruce.summers wrote:

you understood correctly...

Maybe I misunderstand ACEs vs. ACLs...

But now that I read your post, I think it became clear... I thought that an ACE was a "subunit" of an ACL... I guess not :-)

So, because of the use of the object groups, what I want to do is not possible, I don't think...

Bruce

Bruce

ACL is the access-list as a whole.

ACE is a single entry in the access-list.

So for example if you had done this -

object-group network hostsx
  network-object host 10.10.10.1
  network-object host 10.10.10.2
  etc..
  network-object host 10.10.10.254

and then

access-list vlan1000 line 1 extended permit ip object-group hostsx object-group Y

then that would expand into 254 individual ACEs, one for each host, i.e.

access-list vlan1000 permit ip host 10.10.10.1 object-group Y
access-list vlan1000 permit ip host 10.10.10.2 object-group Y
etc...

So in that case, if only 10 hosts were actually being used, then it would be worth removing the entries not in use from the object-group. But because you have used a network, i.e. 10.10.10.0 255.255.255.0, that doesn't expand into 254 entries; it is simply one entry, i.e. one ACE, so you don't get any benefit.


Jon
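To make the expansion rule above concrete, here is an added example (not code from the thread or from Cisco) that parses a constructed FWSM-style configuration and counts how many ACEs each access-list line expands into: a host-based object-group costs one ACE per member, while a single subnet network-object stays one ACE. The group names X, Y and hostsx and the sample members are assumed for illustration.

```python
import re

# Constructed sample config modelled on the thread's object-groups (added illustration, not the poster's real FWSM config).
SAMPLE_CONFIG = """
object-group network X
 network-object 10.10.10.0 255.255.255.0
object-group network Y
 network-object 192.168.1.0 255.255.255.0
object-group network hostsx
 network-object host 10.10.10.1
 network-object host 10.10.10.2
 network-object host 10.10.10.3
access-list vlan1000 extended permit ip object-group X object-group Y
access-list vlan1000 extended permit ip object-group hostsx object-group Y
"""

def parse_object_groups(config):
    """Return {group_name: [member specs]} for each 'object-group network'."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^object-group network (\S+)", line)
        if m:
            current = groups.setdefault(m.group(1), [])
            continue
        m = re.match(r"^\s+network-object (.+)$", line)
        if m and current is not None:
            current.append(m.group(1).strip())
    return groups

def endpoint_entries(tokens, groups):
    """Pop one source/destination spec off tokens and return its entry count."""
    kw = tokens.pop(0)
    if kw == "object-group":
        return len(groups[tokens.pop(0)])   # one entry per network-object member
    if kw == "host":
        tokens.pop(0)                        # host address
    elif kw != "any":
        tokens.pop(0)                        # subnet address followed by its mask
    return 1                                 # a host, subnet or 'any' is a single entry

def expanded_aces(config):
    """Map each access-list line to the number of ACEs it expands into: every
    source entry pairs with every destination entry, so a line costs
    src_entries * dst_entries against the per-context ACE limit."""
    groups, counts = parse_object_groups(config), {}
    for line in config.splitlines():
        m = re.match(r"^access-list \S+ (?:line \d+ )?extended (?:permit|deny) \S+ (.+)$", line)
        if m:
            tokens = m.group(1).split()
            counts[line] = endpoint_entries(tokens, groups) * endpoint_entries(tokens, groups)
    return counts
```

Summing the returned counts for a whole context gives the figure to compare against the FWSM ACE limit; a /24 written as one network-object contributes 1, so trimming unused hosts from it cannot reduce that figure.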

Understood, and figured that was the case...

Looks like I'm backed into a corner with this then...

Thanks for the reply...

Bruce

I have another question concerning the ACLs.

With using subnets in the ACE rather than individual IPs within the subnet, should I see hit counts on the ACEs?

exp:  object-group network X
        network-object 10.10.10.0 255.255.255.0

      object-group network Y
        network-object 192.168.1.0 255.255.255.0

sho access-list vlan1000

access-list vlan1000 line 70 extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=0) 0x6935d70

The output of show access-list shows a zero hitcnt for every subnet ACE within my context...

So, my deduction is that even though there is a hit between, for example, 10.10.10.30 and 192.168.1.100, the output will always show a 0 hitcnt on the ACE...

Is that a safe deduction?

Bruce

bruce.summers wrote:

I have another question concerning the ACLs.

With using subnets in the ACE rather than individual IPs within the subnet, should I see hit counts on the ACEs?

exp:  object-group network X
        network-object 10.10.10.0 255.255.255.0

      object-group network Y
        network-object 192.168.1.0 255.255.255.0

sho access-list vlan1000

access-list vlan1000 line 70 extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=0) 0x6935d70

The output of show access-list shows a zero hitcnt for every subnet ACE within my context...

So, my deduction is that even though there is a hit between, for example, 10.10.10.30 and 192.168.1.100, the output will always show a 0 hitcnt on the ACE...

Is that a safe deduction?

Bruce

Bruce

You should see hit counts on an ACE whether that ACE is using object-groups or not. Are you sure the traffic is not being allowed by another ACE in your ACL that is before this one?

Jon
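One way to check the possibility Jon raises, as an added example (not code from the thread or from Cisco): parse a constructed show access-list listing and, for a given source/destination pair, list every expanded ACE that covers it in ACL order. First-match applies, so only the first line in that list ever counts a hit; if the ACE you expected sits further down, an earlier, broader ACE is absorbing the traffic. The sample output, its line numbers and hit counts are constructed, and only the address fields of ip ACEs are compared.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed 'show access-list' output (added illustration, not the poster's real
# output): a broad ACE at line 10 already covers the traffic the more specific
# line 70 was written for, so line 70 never accumulates hits. 0x0 is a placeholder hash.
SAMPLE_SHOW = """\
access-list vlan1000 line 10 extended permit ip 10.10.0.0 255.255.0.0 192.168.0.0 255.255.0.0 (hitcnt=523) 0x0
access-list vlan1000 line 40 extended permit ip 10.10.20.0 255.255.255.0 host 192.168.1.5 (hitcnt=17) 0x0
access-list vlan1000 line 70 extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=0) 0x0
"""

ACE_RE = re.compile(r"^access-list \S+ line (\d+) extended (permit|deny) ip (.+?) \(hitcnt=(\d+)\)")

def parse_endpoint(tokens):
    """Pop one endpoint spec ('any', 'host A', or 'A MASK') and return a network."""
    kw = tokens.pop(0)
    if kw == "any":
        return ip_network("0.0.0.0/0")
    if kw == "host":
        return ip_network(tokens.pop(0) + "/32")
    return ip_network(f"{kw}/{tokens.pop(0)}")   # ipaddress accepts dotted masks

def parse_aces(show_output):
    """Parse expanded 'ip' ACEs in ACL order; lines that do not match are skipped."""
    aces = []
    for line in show_output.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue
        lineno, action, body, hits = m.groups()
        tokens = body.split()
        aces.append({"line": int(lineno), "action": action,
                     "src": parse_endpoint(tokens), "dst": parse_endpoint(tokens),
                     "hitcnt": int(hits)})
    return aces

def matching_aces(aces, src_ip, dst_ip):
    """Line numbers of ACEs covering src->dst, in ACL order. First-match applies:
    only the first line counts a hit, so every later one stays at hitcnt=0
    for this flow even though it would have matched."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    return [a["line"] for a in aces if s in a["src"] and d in a["dst"]]
```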
