Posted by: Richard @ Configureterminal.com | May 21, 2008

Is this for the obsessive?

A useful command I thought I would quickly post about can be found below. I didn’t know about this one before my CCIE studies; forgive me if it is a well-known command to readers of this blog (my colleague, for one, had used it in the past):

BEFORE (An “Outside” ACL):

sho ip access-lists F4_In
Extended IP access list F4_In
    10 permit udp any any range bootps bootpc
    20 permit udp any any eq non500-isakmp
    30 permit udp any any eq isakmp
    40 permit esp any any
    50 permit ahp any any
    60 deny ip 10.0.0.0 0.255.255.255 any
    70 deny ip 172.16.0.0 0.15.255.255 any
    80 deny ip 192.168.0.0 0.0.255.255 any
    90 deny ip 127.0.0.0 0.255.255.255 any
    100 deny ip host 255.255.255.255 any
    110 deny ip host 0.0.0.0 any
    120 deny ip 192.0.2.0 0.0.0.255 any
    130 deny ip 224.0.0.0 31.255.255.255 any
    140 permit tcp any any eq ftp log
    150 permit tcp any any eq www
    160 permit tcp any any eq 443
    170 permit tcp any any eq 5500 log
    180 deny ip any any log


I want to do some SIP telephony testing @ home:

conf t
ip access-list extended F4_In
    171 permit udp any any eq 5004 log
    172 permit udp any any eq 5006 log
    173 permit udp any any eq 5060 log
    174 permit udp any any eq 5062 log
    175 permit udp any any eq 5500 log
    176 permit udp any any eq 10000 log
    177 permit udp any any range 20000 20110 log

sho ip access-lists F4_In
Extended IP access list F4_In
    10 permit udp any any range bootps bootpc
    20 permit udp any any eq non500-isakmp
    30 permit udp any any eq isakmp
    40 permit esp any any
    50 permit ahp any any
    60 deny ip 10.0.0.0 0.255.255.255 any
    70 deny ip 172.16.0.0 0.15.255.255 any
    80 deny ip 192.168.0.0 0.0.255.255 any
    90 deny ip 127.0.0.0 0.255.255.255 any
    100 deny ip host 255.255.255.255 any
    110 deny ip host 0.0.0.0 any
    120 deny ip 192.0.2.0 0.0.0.255 any
    130 deny ip 224.0.0.0 31.255.255.255 any
    140 permit tcp any any eq ftp log
    150 permit tcp any any eq www
    160 permit tcp any any eq 443
    170 permit tcp any any eq 5500 log
    171 permit udp any any eq 5004 log
    172 permit udp any any eq 5006 log
    173 permit udp any any eq 5060 log
    174 permit udp any any eq 5062 log
    175 permit udp any any eq 5500 log
    176 permit udp any any eq 10000 log
    177 permit udp any any range 20000 20110 log
    180 deny ip any any log


Two things bother me here: “Not much room for adding lines in the future” and “ACE line numbers not perfectly in sequence”. (I’m a bit of a perfectionist; sadly, things like that really bug me!)

A command that can help keep my illness quiet:

ip access-list resequence F4_In 10 10

Explanation: “Take the first entry of the ACL named F4_In, give it a sequence number of 10, and then increment the sequence number by 10 for each following line of the ACL.”

AFTER:

sho ip access-lists F0/0_In
Extended IP access list F0/0_In
    10 permit udp any any eq non500-isakmp
    20 permit udp any any eq isakmp
    30 permit esp any any
    40 permit ahp any any
    50 deny ip 10.0.0.0 0.255.255.255 any
    60 deny ip 172.16.0.0 0.15.255.255 any
    70 deny ip 192.168.0.0 0.0.255.255 any
    80 deny ip 127.0.0.0 0.255.255.255 any
    90 deny ip host 255.255.255.255 any
    100 deny ip host 0.0.0.0 any
    110 deny ip 192.0.2.0 0.0.0.255 any
    120 deny ip 224.0.0.0 31.255.255.255 any
    130 permit tcp any any eq ftp log
    140 permit tcp any any eq www
    150 permit tcp any any eq 443
    160 permit tcp any any eq 5500 log
    170 permit udp any any eq 5004 log
    180 permit udp any any eq 5006 log
    190 permit udp any any eq 5060 log
    200 permit udp any any eq 5062 log
    210 permit udp any any eq 5500 log
    220 permit udp any any eq 10000 log
    230 permit udp any any range 20000 20110 log
    240 deny ip any any log


Much better! :)

Of course, I do know this command has its real-world uses, too.
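To make the behaviour of the command concrete, here is an added worked example in Python (my own code, not from the post or from Cisco). It parses the BEFORE listing from the post, adds the seven SIP entries by explicit sequence number the way ACL configuration mode does, applies the semantics of ip access-list resequence <name> <starting-sequence> <increment>, and then checks two things a practitioner wants to know before and after such a change: how much room is left to insert ahead of the final deny, and that resequencing changed only the numbers, never the evaluation order. The class and function names (NamedAcl, walk_through, free_before) are assumptions of this example. Because the AFTER listing in the post is taken from an ACL named F0/0_In and lacks the bootps/bootpc entry, this replay of all 18 + 7 entries ends at 250 rather than 240.

```python
"""Model of Cisco IOS named-ACL sequence numbering (added example, not code
from the post): parse the post's `show ip access-lists` text, insert entries
by explicit sequence number, resequence, and check the match order is unchanged."""
import re

ACE_RE = re.compile(r"^\s*(\d+)\s+((?:permit|deny)\s+.+?)\s*$")


class NamedAcl:
    def __init__(self, name):
        self.name = name
        self.entries = {}  # sequence number -> ACE text, kept sorted by number

    @classmethod
    def from_show_output(cls, text):
        """Parse the body of `show ip access-lists <name>`."""
        lines = [ln for ln in text.strip().splitlines() if ln.strip()]
        head = re.match(r"Extended IP access list (\S+)", lines[0])
        if not head:
            raise ValueError("not a named extended ACL listing")
        acl = cls(head.group(1))
        for line in lines[1:]:
            m = ACE_RE.match(line)
            if not m:
                raise ValueError(f"unparsed line: {line!r}")
            acl.add(int(m.group(1)), m.group(2))
        return acl

    def ordered(self):
        """ACE text in evaluation order; this, not the numbers, decides matches."""
        return [ace for _, ace in sorted(self.entries.items())]

    def add(self, seq, ace):
        """Like `<seq> permit|deny ...` in ACL config mode: placed by number."""
        if seq in self.entries:
            raise ValueError(f"sequence {seq} already in use")
        self.entries[seq] = ace
        self.entries = dict(sorted(self.entries.items()))

    def resequence(self, start, increment):
        """First ACE gets <start>; each following ACE gets previous + <increment>."""
        before = self.ordered()
        self.entries = {start + i * increment: a for i, a in enumerate(before)}
        assert self.ordered() == before  # numbers moved, evaluation order did not

    def free_before(self, seq):
        """Unused numbers between the entry preceding <seq> and <seq> itself,
        i.e. how much room is left to insert ahead of the final deny."""
        lower = max((s for s in self.entries if s < seq), default=0)
        return seq - lower - 1


# The BEFORE listing from the post (`sho ip access-lists F4_In`).
BEFORE = """Extended IP access list F4_In
    10 permit udp any any range bootps bootpc
    20 permit udp any any eq non500-isakmp
    30 permit udp any any eq isakmp
    40 permit esp any any
    50 permit ahp any any
    60 deny ip 10.0.0.0 0.255.255.255 any
    70 deny ip 172.16.0.0 0.15.255.255 any
    80 deny ip 192.168.0.0 0.0.255.255 any
    90 deny ip 127.0.0.0 0.255.255.255 any
    100 deny ip host 255.255.255.255 any
    110 deny ip host 0.0.0.0 any
    120 deny ip 192.0.2.0 0.0.0.255 any
    130 deny ip 224.0.0.0 31.255.255.255 any
    140 permit tcp any any eq ftp log
    150 permit tcp any any eq www
    160 permit tcp any any eq 443
    170 permit tcp any any eq 5500 log
    180 deny ip any any log
"""

# The seven SIP/RTP entries the post adds, with their explicit sequence numbers.
SIP_ADDS = [
    (171, "permit udp any any eq 5004 log"),
    (172, "permit udp any any eq 5006 log"),
    (173, "permit udp any any eq 5060 log"),
    (174, "permit udp any any eq 5062 log"),
    (175, "permit udp any any eq 5500 log"),
    (176, "permit udp any any eq 10000 log"),
    (177, "permit udp any any range 20000 20110 log"),
]


def walk_through():
    """Replay the post: add the SIP entries, then `resequence F4_In 10 10`."""
    acl = NamedAcl.from_show_output(BEFORE)
    for seq, ace in SIP_ADDS:
        acl.add(seq, ace)
    order_before = acl.ordered()
    room_before = acl.free_before(180)  # free numbers between 177 and the deny
    acl.resequence(10, 10)
    last = max(acl.entries)
    return {
        "order_unchanged": acl.ordered() == order_before,
        "room_before": room_before,
        "room_after": acl.free_before(last),
        "numbers": list(acl.entries),
    }
```

Calling walk_through() shows two free numbers ahead of the final deny before the resequence and nine afterwards, with the ordered ACE text identical on both sides. That order check is the one worth keeping in a change procedure: the sequence numbers are only handles for editing, and the packet filter is defined by the order. The flip side is that any change ticket, script or no <seq> command written against the old numbers refers to a different line once the ACL has been resequenced.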


Responses

  1. I have not seen this one yet... very nice. Wish I had seen this one a couple of days ago.

