2 Replies Latest reply on Jul 9, 2013 7:17 AM by noor

    Changing order of access-list and policy-classes - NV3400/4430 AOS

    tgilbert New Member

      Please, could anyone provide assistance with the questions below?


      1.  How does one change the order of an existing access-list or policy-class?

      2.  Is there a way to insert a permit/deny statement into an access-list?

      3.  Similar to the previous question, but pertaining to policy-classes: is there a way to insert an allow/discard statement into a policy-class?

      4.  When do you recommend the "allow list self self" statement?


      I cannot find anything in the documentation specifying how to reorder ACLs or ACPs.  Additionally, show commands do not render any hint of sequence numbers or indexes associated with entries in either ACLs or ACPs.  It appears that, unlike Cisco routers, the only method to reorder lists or policies is to delete them and recreate them in the new order.  Consequently, this may lead to an interruption in service.  However, I posted these questions in case I am missing something.


      Appreciate your help!

        • Re: Changing order of access-list and policy-classes - NV3400/4430 AOS
          Employee

          tgilbert - Thanks for posting your question on the forum! In general, ACL and policy-classes are in order from top to bottom. I will answer your questions inline below:


          1.  How does one change the order of an existing access-list or policy-class?

          In the CLI, you are correct in that you must delete entries or recreate the list in order to make changes to the order of an access-list or policy-class. In the GUI, however, you have the option of re-ordering entries. For policy-classes, you would navigate to DATA->Security Zones, then click on the applicable security zone. For access-lists, you would navigate to DATA->Firewall/ACLs-> then click on 'Configure ACLs' where you would click on the applicable list and reorder the entries.


          2.  Is there a way to insert a permit/deny statement into an access-list?

          Yes; however, it will require you to delete and re-add the already-configured entries that you would like to place below the new entry. As I mentioned above, you can instead add a rule using the CLI or GUI, and then use the GUI to move that entry up in the list.


          3.  Similar to the previous question, but pertaining to policy-classes: is there a way to insert an allow/discard statement into a policy-class?

          This would be done in the same manner as the previous question.


          4.  When do you recommend the "allow list self self" statement?

          This rule allows all traffic that matches the ACL named self to reach an IP address that is assigned to the AOS device itself. If no ACL named self is defined, then the ACL becomes a "permit any". We generally add this rule on the LAN (private) interface, and it removes the need to specify an access-policy.


          I hope this answers your questions, but please do not hesitate to let us know if you have any further questions.


          Thanks,

          Noor

          • Re: Changing order of access-list and policy-classes - NV3400/4430 AOS
            Employee

            tgilbert -

            I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post to unmark it and select another in its place with the applicable buttons.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.



            Thanks,

            Noor