01-23-2010 03:45 PM - edited 03-11-2019 10:00 AM
Is it possible to remove an ACE that is encompassed by an ACL?
e.g.: access-list vlan1000 line 1 extended permit ip object-group X object-group Y
object-group network X
network-object 10.10.10.0 255.255.255.0
object-group network Y
network-object 192.168.1.0 255.255.255.0
in the scenario above, I have 30 IPs in use in 10.10.10.0, spread across the class C (i.e. 10.10.10.10, 10.10.10.30, 10.10.10.70, 10.10.10.135, etc.)
I want to keep the /24 intact, but I would like to remove those IPs in that class C that aren't being used...
I know it sounds silly, but what I've run into is that over the course of time some of my object-group/ACL combinations have grown so large that I'm against the max allowable ACEs in my context (running multi-context mode on FWSM 3.2.2).
I don't see a way around this problem, with the exception of reducing the number of partitions (did that already, currently at 6 ACL partitions and each has virtual contexts created in them) OR removing some of the 0-hitcnt ACEs...
any ideas would be greatly appreciated...
Bruce
01-23-2010 03:50 PM
bruce.summers wrote:
Is it possible to remove an ACE that is encompassed by an ACL?
e.g.: access-list vlan1000 line 1 extended permit ip object-group X object-group Y
object-group network X
network-object 10.10.10.0 255.255.255.0
object-group network Y
network-object 192.168.1.0 255.255.255.0
in the scenario above, I have 30 IPs in use in 10.10.10.0, spread across the class C (i.e. 10.10.10.10, 10.10.10.30, 10.10.10.70, 10.10.10.135, etc.)
I want to keep the /24 intact, but I would like to remove those IPs in that class C that aren't being used...
I know it sounds silly, but what I've run into is that over the course of time some of my object-group/ACL combinations have grown so large that I'm against the max allowable ACEs in my context (running multi-context mode on FWSM 3.2.2).
I don't see a way around this problem, with the exception of reducing the number of partitions (did that already, currently at 6 ACL partitions and each has virtual contexts created in them) OR removing some of the 0-hitcnt ACEs...
any ideas would be greatly appreciated...
Bruce
Bruce
Not sure what you mean. Your example -
access-list vlan1000 line 1 extended permit ip object-group X object-group Y
only amounts to one ACE because you have defined network objects rather than individual host entries.
I think i may have misunderstood the question.
Jon
01-23-2010 03:59 PM
you understood correctly...
maybe I misunderstand ACEs vs ACLs...
but, now that I read your post, I think it became clear... I thought that an ACE was a "subunit" of an ACL... I guess not :-)
so, because of the use of the object groups, what I want to do is not possible, I don't think...
bruce
01-23-2010 04:08 PM
bruce.summers wrote:
you understood correctly...
maybe I misunderstand ACEs vs ACLs...
but, now that I read your post, I think it became clear... I thought that an ACE was a "subunit" of an ACL... I guess not :-)
so, because of the use of the object groups, what I want to do is not possible, I don't think...
bruce
Bruce
ACL is the access-list as a whole
ACE is a single entry in the access-list
So for example if you had done this -
object-group network hostsx
network-object host 10.10.10.1
network-object host 10.10.10.2
etc..
network-object host 10.10.10.254
and then
access-list vlan1000 line 1 extended permit ip object-group hostsx object-group Y
then that would expand into 254 individual ACEs one for each host ie.
access-list vlan1000 permit ip host 10.10.10.1 object-group Y
access-list vlan1000 permit ip host 10.10.10.2 object-group Y
etc...
so in that case, if only 10 hosts were actually being used, it would be worth removing the entries not in use from the object-group. But because you have used a network, i.e. 10.10.10.0 255.255.255.0, that doesn't expand into 254 entries; it is simply one entry, i.e. one ACE, so you don't get any benefit.
Jon
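As an added example of the expansion rule Jon describes (this is not code from the thread or from Cisco), the script below parses object-group network definitions, computes how many expanded ACEs an access-list line will consume (the product of the sizes of the object-groups it references, with a subnet entry and a host entry each counting as one), and shows the saving from pruning unused host entries. The per-host group hostsx, the set of in-use addresses and the configuration text are all constructed for the example; the assumption that source and destination entries multiply is the behaviour the thread describes.

```python
"""Count how many expanded ACEs an object-group based ACE consumes.

Added example, not configuration or code from the thread. Assumes the
behaviour described above: every combination of source entry and destination
entry becomes one expanded ACE, and a 'network-object' subnet counts as
exactly one entry, the same as a 'network-object host'.
"""
import re


def parse_object_groups(config: str) -> dict:
    """Return {group_name: [entry, ...]} from 'object-group network' blocks."""
    groups, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"^object-group network (\S+)$", line)
        if m:
            current = groups.setdefault(m.group(1), [])
        elif current is not None and line.startswith("network-object "):
            current.append(line.split(None, 1)[1])
    return groups


def expanded_ace_count(ace: str, groups: dict) -> int:
    """Expanded ACEs for one access-list line: the product of the sizes of the
    object-groups it references. Plain specs (any, host X, NET MASK) count as 1."""
    tokens = ace.split()
    count = 1
    for i, tok in enumerate(tokens):
        if tok == "object-group":
            count *= len(groups[tokens[i + 1]])
    return count


def prune_hosts(entries: list, in_use: set) -> list:
    """Drop 'host A.B.C.D' entries whose address is not in use; keep subnets as-is."""
    kept = []
    for entry in entries:
        if entry.startswith("host ") and entry.split()[1] not in in_use:
            continue
        kept.append(entry)
    return kept


# Constructed sample: the two subnet groups from the post, plus a hypothetical
# per-host variant of X listing every address in 10.10.10.0/24.
SUBNET_CONFIG = """\
object-group network X
 network-object 10.10.10.0 255.255.255.0
object-group network Y
 network-object 192.168.1.0 255.255.255.0
"""
HOST_CONFIG = "object-group network hostsx\n" + "".join(
    f" network-object host 10.10.10.{i}\n" for i in range(1, 255))

GROUPS = parse_object_groups(SUBNET_CONFIG + HOST_CONFIG)
SUBNET_ACE = "access-list vlan1000 line 1 extended permit ip object-group X object-group Y"
HOST_ACE = "access-list vlan1000 line 1 extended permit ip object-group hostsx object-group Y"


def demo() -> dict:
    """Expanded ACE counts for the subnet form, the per-host form, and the
    per-host form after pruning to the (constructed) set of addresses in use."""
    in_use = {f"10.10.10.{i}" for i in (10, 30, 70, 135)}
    pruned = {"hostsx": prune_hosts(GROUPS["hostsx"], in_use), "Y": GROUPS["Y"]}
    return {
        "subnet": expanded_ace_count(SUBNET_ACE, GROUPS),
        "hosts": expanded_ace_count(HOST_ACE, GROUPS),
        "hosts_pruned": expanded_ace_count(HOST_ACE, pruned),
    }


if __name__ == "__main__":
    print(demo())
```

The subnet form costs one ACE, the full per-host form 254, and the pruned per-host form one per address actually in use. Service and port object-groups multiply the count in the same way, so a line that also references a large service group grows by that factor as well; this parser only looks at network groups.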
01-23-2010 04:12 PM
understood, and figured that was the case...
looks like I'm backed into a corner with this then...
thanks for the reply...
Bruce
01-24-2010 07:05 AM
I have another question concerning the ACLs.
with using subnets in the ACE rather than individual IPs within the subnet, should I see hit counts on the ACEs?
e.g.: object-group network X
network-object 10.10.10.0 255.255.255.0
object-group network Y
network-object 192.168.1.0 255.255.255.0
sho access-list vlan1000
access-list vlan1000 line 70 extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=0) 0x6935d70
the output of show access-list shows a zero hitcnt for every subnet ACE within my context...
So, my deduction is that even though there is a hit between, for example, 10.10.10.30 and 192.168.1.100, the output will always show a 0 hitcnt on the ACE...
is that a safe deduction?
bruce
01-24-2010 08:36 AM
bruce.summers wrote:
I have another question concerning the ACLs.
with using subnets in the ACE rather than individual IPs within the subnet, should I see hit counts on the ACEs?
e.g.: object-group network X
network-object 10.10.10.0 255.255.255.0
object-group network Y
network-object 192.168.1.0 255.255.255.0
sho access-list vlan1000
access-list vlan1000 line 70 extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=0) 0x6935d70
the output of show access-list shows a zero hitcnt for every subnet ACE within my context...
So, my deduction is that even though there is a hit between, for example, 10.10.10.30 and 192.168.1.100, the output will always show a 0 hitcnt on the ACE...
is that a safe deduction?
bruce
Bruce
You should see hit counts on an ACE whether that ACE is using object-groups or not. Are you sure the traffic is not being allowed by another ACE in your ACL that is before this one?
Jon
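An added example of the check Jon suggests (not code from the thread or from Cisco): parse the expanded `show access-list` lines, walk the ACL in order, and report which ACE a given flow hits first, plus any zero-hitcnt ACE whose source and destination are both already covered by an earlier ACE. The sample output is constructed and only modeled on the line format in the post; the parser handles `NET MASK`, `host A.B.C.D` and `any` address specs and deliberately ignores ports, so it is exact only for `ip` ACEs.

```python
"""Why does an ACE show hitcnt=0? Check whether an earlier ACE absorbs the traffic.

Added example, not from the thread. Parses expanded 'show access-list' lines in
the format shown above, keeps ACL order, and reports the first ACE that a flow
matches. Ports are ignored, so results are exact only for 'ip' ACEs.
"""
import ipaddress
import re
from dataclasses import dataclass

ACE_RE = re.compile(
    r"^\s*access-list\s+(\S+)\s+line\s+(\d+)\s+extended\s+(permit|deny)\s+"
    r"(\S+)\s+(.*?)\s*\(hitcnt=(\d+)\)"
)


@dataclass
class Ace:
    acl: str
    line: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    hitcnt: int


def _take_spec(tokens):
    """Consume one address spec from the front of tokens; return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # 'NET MASK' form, e.g. '10.10.10.0 255.255.255.0'
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_show_access_list(output: str) -> list:
    """Return Ace records in ACL order, skipping object-group summary lines."""
    aces = []
    for raw in output.splitlines():
        m = ACE_RE.match(raw)
        if not m:
            continue
        acl, line, action, proto, addrs, hits = m.groups()
        tokens = addrs.split()
        if "object-group" in tokens:
            continue  # summary line; the expanded lines beneath it carry the counts
        src, tokens = _take_spec(tokens)
        dst, tokens = _take_spec(tokens)
        aces.append(Ace(acl, int(line), action, proto, src, dst, int(hits)))
    return aces


def first_match(aces, src_ip, dst_ip):
    """First ACE (in ACL order) whose source and destination cover the flow, else None."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if s in ace.src and d in ace.dst:
            return ace
    return None  # would fall through to the implicit deny


def shadowed_zero_hit(aces):
    """(line, earlier_line) for each zero-hit ACE whose src and dst are both
    covered by an earlier ACE of the same protocol or of protocol 'ip'."""
    found = []
    for i, ace in enumerate(aces):
        if ace.hitcnt:
            continue
        for earlier in aces[:i]:
            if (earlier.proto in ("ip", ace.proto)
                    and ace.src.subnet_of(earlier.src)
                    and ace.dst.subnet_of(earlier.dst)):
                found.append((ace.line, earlier.line))
                break
    return found


# Constructed sample (modeled on the line format in the post, not real output
# from the poster's FWSM): line 10 is broad enough to absorb every flow that
# line 70 would otherwise match, so line 70 never gets a hit.
SAMPLE = """\
access-list vlan1000 line 10 extended permit ip 10.10.0.0 255.255.0.0 192.168.0.0 255.255.0.0 (hitcnt=4821) 0x1a2b3c4d
access-list vlan1000 line 70 extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=0) 0x6935d70
access-list vlan1000 line 80 extended permit ip host 10.20.0.5 any (hitcnt=17) 0x2b3c4d5e
"""

ACES = parse_show_access_list(SAMPLE)

if __name__ == "__main__":
    hit = first_match(ACES, "10.10.10.30", "192.168.1.100")
    print("10.10.10.30 -> 192.168.1.100 matches line", hit.line)
    print("zero-hit ACEs shadowed by an earlier ACE:", shadowed_zero_hit(ACES))
```

Run against real `show access-list` output, a zero-hitcnt ACE that this reports as shadowed is a candidate for removal without changing what is permitted, which is exactly the ACE budget Bruce is trying to recover. An earlier tcp/udp ACE with port qualifiers can also absorb part of the traffic, which this source/destination-only check does not see.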