Security Configuration Guide: Access Control Lists, Cisco IOS XE Release 3E
IP Access List Entry Sequence Numbering
Downloads: This chapterpdf (PDF - 1.35MB) The complete bookPDF (PDF - 2.67MB) | The complete bookePub (ePub - 257.0KB) | Feedback

IP Access List Entry Sequence Numbering

Contents

IP Access List Entry Sequence Numbering

Users can apply sequence numbers to permit or deny statements and also reorder, add, or remove such statements from a named IP access list. This feature makes revising IP access lists much easier. Prior to this feature, users could add access list entries to the end of an access list only; therefore needing to add statements anywhere except the end required reconfiguring the access list entirely.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Restrictions for IP Access List Entry Sequence Numbering

  • This feature does not support dynamic, reflexive, or firewall access lists.
  • This feature does not support old-style numbered access lists, which existed before named access lists. Keep in mind that you can name an access list with a number, so numbers are allowed when they are entered in the standard or extended named access list (NACL) configuration mode.

Information About IP Access List Entry Sequence Numbering

Purpose of IP Access Lists

Access lists perform packet filtering to control which packets move through the network and where. Such control can help limit network traffic and restrict the access of users and devices to the network. Access lists have many uses, and therefore many commands accept a reference to an access list in their command syntax. Access lists can be used to do the following:

  • Filter incoming packets on an interface.
  • Filter outgoing packets on an interface.
  • Restrict the contents of routing updates.
  • Limit debug output based on an address or protocol.
  • Control virtual terminal line access.
  • Identify or classify traffic for advanced features, such as congestion avoidance, congestion management, and priority and custom queuing.
  • Trigger dial-on-demand routing (DDR) calls.

How an IP Access List Works

An access list is a sequential list consisting of at least one permit statement and possibly one or more deny statements that apply to IP addresses and possibly upper-layer IP protocols. The access list has a name by which it is referenced. Many software commands accept an access list as part of their syntax.

An access list can be configured and named, but it is not in effect until the access list is referenced by a command that accepts an access list. Multiple commands can reference the same access list. An access list can control traffic arriving at the device or leaving the device, but not traffic originating at the device.

IP Access List Process and Rules

  • The software tests the source or destination address or the protocol of each packet being filtered against the conditions in the access list, one condition (permit or deny statement) at a time.
  • If a packet does not match an access list statement, the packet is then tested against the next statement in the list.
  • If a packet and an access list statement match, the rest of the statements in the list are skipped and the packet is permitted or denied as specified in the matched statement. The first entry that the packet matches determines whether the software permits or denies the packet. That is, after the first match, no subsequent entries are considered.
  • If the access list denies the address or protocol, the software discards the packet and returns an ICMP Host Unreachable message.
  • If no conditions match, the software drops the packet. This is because each access list ends with an unwritten or implicit deny statement. That is, if the packet has not been permitted by the time it was tested against each statement, it is denied.
  • The access list must contain at least one permit statement or else all packets are denied.
  • Because the software stops testing conditions after the first match, the order of the conditions is critical. The same permit or deny statements specified in a different order could result in a packet being passed under one circumstance and denied in another circumstance.
  • If an access list is referenced by name in a command, but the access list does not exist, all packets pass.
  • Only one access list per interface, per protocol, per direction is allowed.
  • Inbound access lists process packets arriving at the device. Incoming packets are processed before being routed to an outbound interface. An inbound access list is efficient because it saves the overhead of routing lookups if the packet is to be discarded because it is denied by the filtering tests. If the packet is permitted by the tests, it is then processed for routing. For inbound lists, permit means continue to process the packet after receiving it on an inbound interface; deny means discard the packet.
  • Outbound access lists process packets before they leave the device. Incoming packets are routed to the outbound interface and then processed through the outbound access list. For outbound lists, permit means send it to the output buffer; deny means discard the packet.

Helpful Hints for Creating IP Access Lists

  • Create the access list before applying it to an interface. An interface with an empty access list applied to it permits all traffic.
  • Another reason to configure an access list before applying it is because if you applied a nonexistent access list to an interface and then proceed to configure the access list, the first statement is put into effect, and the implicit deny statement that follows could cause you immediate access problems.
  • Because the software stops testing conditions after it encounters the first match (to either a permit or deny statement), you will reduce processing time and resources if you put the statements that packets are most likely to match at the beginning of the access list. Place more frequently occurring conditions before less frequent conditions.
  • Organize your access list so that more specific references in a network or subnet appear before more general ones.
  • In order to make the purpose of individual statements more easily understood at a glance, you can write a helpful remark before or after any statement.

Source and Destination Addresses

Source and destination address fields in an IP packet are two typical fields on which to base an access list. Specify source addresses to control the packets being sent from certain networking devices or hosts. Specify destination addresses to control the packets being sent to certain networking devices or hosts.

Wildcard Mask and Implicit Wildcard Mask

When comparing the address bits in an access list entry to a packet being submitted to the access list, address filtering uses wildcard masking to determine whether to check or ignore the corresponding IP address bits. By carefully setting wildcard masks, an administrator can select one or more IP addresses for permit or deny tests.

Wildcard masking for IP address bits uses the number 1 and the number 0 to specify how the software treats the corresponding IP address bits. A wildcard mask is sometimes referred to as an inverted mask because a 1 and 0 mean the opposite of what they mean in a subnet (network) mask.

  • A wildcard mask bit 0 means check the corresponding bit value.
  • A wildcard mask bit 1 means ignore that corresponding bit value.

If you do not supply a wildcard mask with a source or destination address in an access list statement, the software assumes a default wildcard mask of 0.0.0.0.

Unlike subnet masks, which require contiguous bits indicating network and subnet to be ones, wildcard masks allow noncontiguous bits in the mask.

Transport Layer Information

You can filter packets based on transport layer information, such as whether the packet is a TCP, UDP, Internet Control Message Protocol (ICMP) or Internet Group Management Protocol (IGMP) packet.

IP Access List Entry Sequence Numbering

Benefits

The ability to apply sequence numbers to IP access list entries simplifies access list changes. Prior to the IP Access List Entry Sequence Numbering feature, there was no way to specify the position of an entry within an access list. If a user wanted to insert an entry (statement) in the middle of an existing list, all of the entries after the desired position had to be removed, then the new entry was added, and then all the removed entries had to be reentered. This method was cumbersome and error prone.

This feature allows users to add sequence numbers to access list entries and resequence them. When a user adds a new entry, the user chooses the sequence number so that it is in a desired position in the access list. If necessary, entries currently in the access list can be resequenced to create room to insert the new entry.

Sequence Numbering Behavior

  • For backward compatibility with previous releases, if entries with no sequence numbers are applied, the first entry is assigned a sequence number of 10, and successive entries are incremented by 10. The maximum sequence number is 2147483647. If the generated sequence number exceeds this maximum number, the following message is displayed:
	Exceeded maximum sequence number.
  • If you enter an entry without a sequence number, it is assigned a sequence number that is 10 greater than the last sequence number in that access list and is placed at the end of the list.
  • If you enter an entry that matches an already existing entry (except for the sequence number), then no changes are made.
  • If you enter a sequence number that is already present, the following error message is generated:
	Duplicate sequence number.
  • If a new access list is entered from global configuration mode, then sequence numbers for that access list are generated automatically.
  • Distributed support is provided so that the sequence numbers of entries in the Route Processor (RP) and line card (LC) are always synchronized.
  • Sequence numbers are not nvgened. That is, the sequence numbers themselves are not saved. In the event that the system is reloaded, the configured sequence numbers revert to the default sequence starting number and increment from that number. The function is provided for backward compatibility with software releases that do not support sequence numbering.
  • The IP Access List Entry Sequence Numbering feature works with named standard and extended IP access lists. Because the name of an access list can be designated as a number, numbers are acceptable.

How to Use Sequence Numbers in an IP Access List

Sequencing Access-List Entries and Revising the Access List

This task shows how to assign sequence numbers to entries in a named IP access list and how to add or delete an entry to or from an access list. It is assumed a user wants to revise an access list. The context of this task is the following:

  • A user need not resequence access lists for no reason; resequencing in general is optional. The resequencing step in this task is shown as required because that is one purpose of this feature and this task demonstrates the feature.
  • Step 5 happens to be a permit statement and Step 6 happens to be a deny statement, but they need not be in that order.
SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    ip access-list resequence access-list-name starting-sequence-number increment

    4.    ip access-list {standard| extended} access-list-name

    5.    Do one of the following:

    • sequence-number permit source source-wildcard
    • sequence-number permit protocol source source-wildcard destination destination-wildcard [precedence precedence][tos tos] [log] [time-range time-range-name] [fragments]

    6.    Do one of the following:

    • sequence-number deny source source-wildcard
    • sequence-number deny protocol source source-wildcard destination destination-wildcard [precedence precedence][tos tos] [log] [time-range time-range-name] [fragments]

    7.    Repeat Step 5 and/or Step 6 as necessary, adding statements by sequence number where you planned. Use the no sequence-number command to delete an entry.

    8.    end

    9.    show ip access-lists access-list-name


DETAILED STEPS
     Command or ActionPurpose
    Step 1 enable


    Example:
    Device> enable
     

    Enables privileged EXEC mode. Enter your password if prompted.

     
    Step 2 configure terminal


    Example:
    Device# configure terminal
     

    Enters global configuration mode.

     
    Step 3 ip access-list resequence access-list-name starting-sequence-number increment


    Example:
    Device(config)# ip access-list resequence kmd1 100 15
     

    Resequences the specified IP access list using the starting sequence number and the increment of sequence numbers.

    • This example resequences an access list named kmd1. The starting sequence number is 100 and the increment is 15.
     
    Step 4 ip access-list {standard| extended} access-list-name


    Example:
    Device(config)# ip access-list standard kmd1
     

    Specifies the IP access list by name and enters named access list configuration mode.

    • If you specify standard, make sure you subsequently specify permit and/or deny statements using the standard access list syntax.
    • If you specify extended, make sure you subsequently specify permit and/or deny statements using the extended access list syntax.
     
    Step 5Do one of the following:
    • sequence-number permit source source-wildcard
    • sequence-number permit protocol source source-wildcard destination destination-wildcard [precedence precedence][tos tos] [log] [time-range time-range-name] [fragments]


    Example:
    Device(config-std-nacl)# 105 permit 10.5.5.5 0.0.0 255
     

    Specifies a permit statement in named IP access list mode.

    • This access list happens to use a permitstatement first, but a deny statement could appear first, depending on the order of statements you need.
    • See the permit (IP) command for additional command syntax to permit upper layer protocols (ICMP, IGMP, TCP, and UDP).
    • Use the no sequence-number command to delete an entry.
    • As the prompt indicates, this access list was a standard access list. If you had specified extended in Step 4, the prompt for this step would be Device(config-ext-nacl) and you would use the extended permit command syntax.
     
    Step 6Do one of the following:
    • sequence-number deny source source-wildcard
    • sequence-number deny protocol source source-wildcard destination destination-wildcard [precedence precedence][tos tos] [log] [time-range time-range-name] [fragments]


    Example:
    Device(config-std-nacl)# 105 deny 10.6.6.7 0.0.0 255
     

    (Optional) Specifies a deny statement in named IP access list mode.

    • This access list happens to use a permitstatement first, but a deny statement could appear first, depending on the order of statements you need.
    • See the deny (IP) command for additional command syntax to permit upper layer protocols (ICMP, IGMP, TCP, and UDP).
    • Use the no sequence-number command to delete an entry.
    • As the prompt indicates, this access list was a standard access list. If you had specified extended in Step 4, the prompt for this step would be Device(config-ext-nacl) and you would use the extended deny command syntax.
     
    Step 7 Repeat Step 5 and/or Step 6 as necessary, adding statements by sequence number where you planned. Use the no sequence-number command to delete an entry. 

    Allows you to revise the access list.

     
    Step 8 end


    Example:
    Device(config-std-nacl)# end
     

    (Optional) Exits the configuration mode and returns to privileged EXEC mode.

     
    Step 9 show ip access-lists access-list-name


    Example:
    Device# show ip access-lists kmd1
     

    (Optional) Displays the contents of the IP access list.

    • Review the output to see that the access list includes the new entry.
    Device# show ip access-lists kmd1
    Standard IP access list kmd1
    100 permit 10.4.4.0, wildcard bits 0.0.0.255
    105 permit 10.5.5.0, wildcard bits 0.0.0.255
    115 permit 10.0.0.0, wildcard bits 0.0.0.255
    130 permit 10.5.5.0, wildcard bits 0.0.0.255
    145 permit 10.0.0.0, wildcard bits 0.0.0.255
     

    What to Do Next

    If your access list is not already applied to an interface or line or otherwise referenced, apply the access list. Refer to the “Configuring IP Services” chapter of the Cisco IOS IP Configuration Guide for information about how to apply an IP access list.

    Configuration Examples for IP Access List Entry Sequence Numbering

    Example: Resequencing Entries in an Access List

    The following example shows access list resequencing. The starting value is 1, and increment value is 2. The subsequent entries are ordered based on the increment values that users provide, and the range is from 1 to 2147483647.

    When an entry with no sequence number is entered, by default it has a sequence number of 10 more than the last entry in the access list.

    Device# show access-list 150
    Extended IP access list 150
        10 permit ip host 10.3.3.3 host 172.16.5.34
        20 permit icmp any any
        30 permit tcp any host 10.3.3.3
        40 permit ip host 10.4.4.4 any
        50 Dynamic test permit ip any any
        60 permit ip host 172.16.2.2 host 10.3.3.12
        70 permit ip host 10.3.3.3 any log
        80 permit tcp host 10.3.3.3 host 10.1.2.2
        90 permit ip host 10.3.3.3 any
        100 permit ip any any
    Device(config)# ip access-list extended 150
    Device(config)# ip access-list resequence 150 1 2 
    Device(config)# end
    Device# show access-list 150
    Extended IP access list 150
        1 permit ip host 10.3.3.3 host 172.16.5.34
        3 permit icmp any any
        5 permit tcp any host 10.3.3.3
        7 permit ip host 10.4.4.4 any
        9 Dynamic test permit ip any any
        11 permit ip host 172.16.2.2 host 10.3.3.12
        13 permit ip host 10.3.3.3 any log
        15 permit tcp host 10.3.3.3 host 10.1.2.2
        17 permit ip host 10.3.3.3 any
        19 permit ip any any

    Example: Adding Entries with Sequence Numbers

    In the following example, a new entry is added to a specified access list:

    Device# show ip access-list
    Standard IP access list tryon
    2 permit 10.4.4.2, wildcard bits 0.0.255.255
    5 permit 10.0.0.44, wildcard bits 0.0.0.255
    10 permit 10.0.0.1, wildcard bits 0.0.0.255
    20 permit 10.0.0.2, wildcard bits 0.0.0.255
    Device(config)# ip access-list standard tryon
    Device(config-std-nacl)# 15 permit 10.5.5.5 0.0.0.255
    Device# show ip access-list
    Standard IP access list tryon
    2 permit 10.4.0.0, wildcard bits 0.0.255.255
    5 permit 10.0.0.0, wildcard bits 0.0.0.255
    10 permit 10.0.0.0, wildcard bits 0.0.0.255
    15 permit 10.5.5.0, wildcard bits 0.0.0.255
    20 permit 10.0.0.0, wildcard bits 0.0.0.255

    Example: Entry without Sequence Number

    The following example shows how an entry with no specified sequence number is added to the end of an access list. When an entry is added without a sequence number, it is automatically given a sequence number that puts it at the end of the access list. Because the default increment is 10, the entry will have a sequence number 10 higher than the last entry in the existing access list.

    Device(config)# ip access-list standard 1
    Device(config-std-nacl)# permit 1.1.1.1 0.0.0.255
    Device(config-std-nacl)# permit 2.2.2.2 0.0.0.255
    Device(config-std-nacl)# permit 3.3.3.3 0.0.0.255
    Device# show access-list
    Standard IP access list 1
    10 permit 0.0.0.0, wildcard bits 0.0.0.255
    20 permit 0.0.0.0, wildcard bits 0.0.0.255
    30 permit 0.0.0.0, wildcard bits 0.0.0.255
    Device(config)# ip access-list standard 1
    Device(config-std-nacl)# permit 4.4.4.4 0.0.0.255
    Device(config-std-nacl)# end
    Device# show access-list
    Standard IP access list 1
    10 permit 0.0.0.0, wildcard bits 0.0.0.255
    20 permit 0.0.0.0, wildcard bits 0.0.0.255
    30 permit 0.0.0.0, wildcard bits 0.0.0.255
    40 permit 0.4.0.0, wildcard bits 0.0.0.255

    Additional References for IP Access List Entry Sequence Numbering

    The following sections provide references related to IP access lists.

    Related Documents

    Technical Assistance

    Description

    Link

    The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

    To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

    Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

    http:/​/​www.cisco.com/​techsupport

    Feature Information for IP Access List Entry Sequence Numbering

    The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

    Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

    Table 1 Feature Information for IP Access List Entry Sequence Numbering

    Feature Name

    Releases

    Feature Information

    IP Access List Entry Sequence Numbering

    Cisco IOS XE 3.6E

    Users can apply sequence numbers to permit or deny statements and also reorder, add, or remove such statements from a named IP access list. This feature makes revising IP access lists much easier. Prior to this feature, users could add access list entries to the end of an access list only; therefore needing to add statements anywhere except the end required reconfiguring the access list entirely.

    In , Cisco IOS XE 3.6E, support was added for the Cisco Catalyst 3850 Series Switches.

    The following commands were introduced or modified: deny (IP), ip access-list resequence deny (IP), permit (IP).