Routing & Security

Well, it appears that Cisco IOS is slowly gaining features that I love on the ASA. Although I find the ASA is far superior when it comes to access-list technology, Cisco IOS is starting to make life easier in terms of updating and managing access-lists. One issue I always ran into when working with IOS ACL’s is the addition or deletion of the entries that made up the ACL. So a basic extended access-list would start like this:

Now, lets show the access-list which should reveal our line numbers.

Ok, so now we have been asked to deny some things and these entries must be between previous entered entries. On the ASA, it is no problem; we specify our new entry with a line number and can add or remove entries this way. No problem. Well, we can do this on IOS as well as this feature has been around for a while. So, let’s add some entries:

And lets view our new ACL again:

So, the issue I have had is running out of lines between the default line numbers (multiples of 10) in the acl. What happens if we need 9 more lines between entries 10 and 20. Well, we wouldn’t be able to do this because we would be out of line numbers. Now this is an issue since we don’t want to take the ACL off the interface and install the new ACL since downtime will occur and security vulnerabilities may surface during that window, not to mention other issues.

Well, Cisco has given us a command called resequence. By implementing this, our line numbers can be resequenced and changed so we can add more entries if needed. The command syntax is shown below. There are two arguements that we can enter with this command. The first is “starting sequence number” and the second is “step to increment sequence number”. The first arguement determines where in the access-list we want to start the resequence. Most times a number of 1o will be used since this is our first line. The second number is the incremental value that is to be applied to the first line number in the list, resulting in new line numbers for the entry.

So the above line is going to resort our access-list acl_resequenced starting at line 10 and will increment the line numbers by 20. Let’s verify the result

Well, that will work and will solve our issue for needing more than the 9 extra entries we needed between lines 10 and 20 earlier.

So now if only we could implement the addition of remark statements to the extended access-list using line numbers. Unfortunately, the functionality of IOS access-lists has been improved with the use of the resequence sub-command but making our own remarks for managment (ease of use) is still lacking. We can insert remarks, but they will always drop down to the bottom the acl. Look below:

And if we show our access-list extend, we don’t even see the remark statement:

However, it does sh up in our run command:

So the access-list subcommand “resequence” can help us if we need to keep our access-list functional and organized better if many changes are needed in IOS. The ASA on the otherhand, is much more powerful and easier to use. I prefer the ASA in this regard.