ACL Editing

Let's say you create the following numbered extended access list:

access-list 123 permit tcp any any eq www
access-list 123 permit udp any any eq 54
access-list 123 permit tcp any any eq smtp
access-list 123 permit tcp any any eq pop3
access-list 123 permit udp any any eq syslog

As you type in the last line you realize you made a typo in the second entry: UDP 54 instead of UDP 53 (DNS). This is probably why most of us prefer named ACLs: a numbered ACL entered this way has no visible sequence numbers, so you cannot remove that one entry; `no access-list 123 ...` deletes the whole ACL, and you have to re-enter it. Named ACLs are handy, but there are still times when you have to use a numbered ACL.
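The fix for the ACL above, as an added example that is not part of the original post. It relies on a feature available since IOS 12.2(14)S / 12.2(15)T: a numbered ACL can be opened in named-ACL configuration mode (`ip access-list extended 123`), where IOS has already assigned sequence numbers 10, 20, 30 ... to the entries, so a single ACE can be removed or replaced by its sequence number. The interface name used for the `ip access-group` check is an assumption.

```cisco
! The ACL exactly as typed in the post, with the typo in the second entry
access-list 123 permit tcp any any eq www
access-list 123 permit udp any any eq 54
access-list 123 permit tcp any any eq smtp
access-list 123 permit tcp any any eq pop3
access-list 123 permit udp any any eq syslog
!
! Caveat: in global config, "no access-list 123 <anything>" removes the
! WHOLE list, not one line. If 123 is applied to an interface at that moment
! (here GigabitEthernet0/0 is assumed), the interface is left referencing a
! non-existent ACL, and IOS treats a missing ACL as permit any. Do not do this:
!   no access-list 123 permit udp any any eq 54
!
! Instead, open the numbered ACL in named-ACL mode. IOS shows the sequence
! numbers it assigned (10, 20, 30, 40, 50):
!   Router# show access-lists 123
!   Extended IP access list 123
!       10 permit tcp any any eq www
!       20 permit udp any any eq 54
!       30 permit tcp any any eq smtp
!       40 permit tcp any any eq pop3
!       50 permit udp any any eq syslog
!
ip access-list extended 123
 ! remove only the typo entry by sequence number
 no 20
 ! re-add the corrected entry at the same position, keeping the order
 20 permit udp any any eq domain
 ! the implicit "deny ip any any" is still at the end; make it explicit and
 ! logged so dropped traffic is visible in syslog
 60 deny ip any any log
!
! Optional: renumber the entries (start at 10, step 10) after many edits
ip access-list resequence 123 10 10
!
! Verify the result and that the list is still bound to the interface
do show access-lists 123
do show ip interface GigabitEthernet0/0 | include access list
```

The `show access-lists` output is the thing to check before and after the edit: if the sequence numbers are not displayed, the running IOS predates this feature and the only safe procedure is to build the corrected list under a new number, move the `ip access-group` on the interface to it, and only then delete the old list.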


ACL Object-groups now on Cisco IOS

A week of standby and late shifts does not really leave time to blog.

Cisco IOS 12.4(20)T has some neat new features. One in particular that I'm very excited about is ACL object-groups. Object-groups were very popular and widely used on PIX OS; they shrink large and complex ACL configurations in a production environment tremendously.

By grouping hosts, subnets and ports into named objects and referencing those objects from ACEs, you can add or remove entries in one place while keeping the ACL ordered and readable, and the time spent on changes to a minimum. It is a simple and intuitive mechanism for configuring and managing large ACLs, especially ones that change frequently.

There are two types of object-groups: network object-groups (hosts and subnets) and service object-groups (protocols and ports).
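An added example of both object-group types in use, not taken from the original post: a named extended ACL that permits web and mail traffic to a set of servers, written once with object-groups so that adding a server or a port is a one-line change. All object-group and ACL names, addresses and the interface name are assumptions; the port and address values are constructed for the example.

```cisco
! Network object-group: the servers this policy protects (constructed addresses)
object-group network DMZ-SERVERS
 description Public-facing web and mail servers
 host 192.0.2.10
 host 192.0.2.11
 192.0.2.32 255.255.255.224
!
! Service object-group: the protocol/port field of an ACE, one line per service
object-group service DMZ-SERVICES
 description Services allowed from the Internet to DMZ-SERVERS
 tcp eq www
 tcp eq 443
 tcp eq smtp
 udp eq domain
!
! The ACL references the groups instead of one ACE per host/port pair.
! Ordering still matters: entries are evaluated top down, first match wins.
ip access-list extended OUTSIDE-IN
 10 permit object-group DMZ-SERVICES any object-group DMZ-SERVERS
 20 permit tcp any object-group DMZ-SERVERS established
 30 deny ip any any log
!
interface GigabitEthernet0/0
 ip access-group OUTSIDE-IN in
!
! Later change: a new server and a new service, no ACL edit needed
object-group network DMZ-SERVERS
 host 192.0.2.12
object-group service DMZ-SERVICES
 tcp eq 993
!
! Verify group contents and the resulting ACL
do show object-group
do show ip access-lists OUTSIDE-IN
```

Two things to keep in mind when reviewing such a configuration: a change to an object-group takes effect in every ACL that references it, so a group shared between an inbound and an outbound policy widens both at once; and because the ACL lines stay short, the explicit `deny ip any any log` at the end is worth keeping so that traffic outside the groups still shows up in syslog.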
