
Resequencing ACL Entries

By stretch | Friday, April 30, 2010 at 3:59 a.m. UTC

http://packetlife.net/blog/2010/apr/30/resequencing-acl-entries/

IOS access list entries are numbered sequentially, starting from 10 and in intervals of 10. This is handy for inserting new entries into an existing ACL: a leading number on the new entry indicates its position in the ACL. Position matters, because an ACL is evaluated top down and the first matching entry wins, so where an entry lands decides whether it ever takes effect (an entry placed after a final deny ip any any is never reached). For example, assume you have the following ACL defined:

    Extended IP access list Foo
        10 permit tcp any any eq www
        20 permit tcp any any eq 443
        30 permit udp any any eq domain
        40 deny ip any any log

If you wanted to insert a new entry between the first and second line, you can create the entry with a predetermined position. This example uses the number 15, but any number greater than 10 and less than 20 will work.

    Router(config)# ip access-list extended Foo
    Router(config-ext-nacl)# 15 permit tcp any any eq 8080

Now the ACL looks like this:

    Router# show ip access-lists
    Extended IP access list Foo
        10 permit tcp any any eq www
        15 permit tcp any any eq 8080
        20 permit tcp any any eq 443
        30 permit udp any any eq domain
        40 deny ip any any log

While certainly handy, ACL numbering can quickly get out of hand if not applied strategically:

    Router# show ip access-lists
    Extended IP access list Foo
        1 permit ip host 10.0.23.23 any
        2 permit ip host 10.0.23.76 any
        4 permit ip host 10.0.22.144 any
        10 permit tcp any any eq www
        15 permit tcp any any eq 8080
        20 permit tcp any any eq 443
        30 permit udp any any eq domain
        40 permit tcp 10.0.8.0 0.0.3.255 any eq smtp
        42 permit tcp 10.0.12.0 0.0.1.255 any eq smtp
        999 deny ip any any log

It is important to note that ACL entry numbers are not written to the start-up configuration, so all sequencing information will be lost on reboot. The relative order of the entries survives (the running configuration stores them in order), but after a reload they come back numbered 10, 20, 30 and so on, and any carefully reserved gaps are gone:

    ip access-list extended Foo
     permit ip host 10.0.23.23 any
     permit ip host 10.0.23.76 any
     permit ip host 10.0.22.144 any
     permit tcp any any eq www
     permit tcp any any eq 8080
     permit tcp any any eq 443
     permit tcp any any eq 4343
     permit udp any any eq domain
     permit tcp 10.0.8.0 0.0.3.255 any eq smtp
     permit tcp 10.0.12.0 0.0.1.255 any eq smtp
     deny ip any any log

However, IOS includes a convenient command to resequence all entries in an ACL without a reboot and without recreating the ACL. Not having to recreate it matters on a production device: on classic IOS an interface that references a named ACL which does not exist passes all traffic, so deleting the list and retyping it leaves the interface unfiltered until the new list is complete. The command takes a starting number and a step:

    Router(config)# ip access-list resequence Foo ?
      <1-2147483647>  Starting Sequence Number
    Router(config)# ip access-list resequence Foo 10 ?
      <1-2147483647>  Step to increment the sequence number
    Router(config)# ip access-list resequence Foo 10 10
    Router(config)# do show ip access-lists
    Extended IP access list Foo
        10 permit ip host 10.0.23.23 any
        20 permit ip host 10.0.23.76 any
        30 permit ip host 10.0.22.144 any
        40 permit tcp any any eq www
        50 permit tcp any any eq 8080
        60 permit tcp any any eq 443
        70 permit tcp any any eq 4343
        80 permit udp any any eq domain
        90 permit tcp 10.0.8.0 0.0.3.255 any eq smtp
        100 permit tcp 10.0.12.0 0.0.1.255 any eq smtp
        110 deny ip any any log

The example above uses the default starting number and interval; however, arbitrary values can be provided for both if you'd like a little more room to maneuver between entries. Resequencing only renumbers: the order of the entries, and therefore what the ACL permits and denies, is unchanged, so it is safe to run on an ACL that is applied to a live interface.

    Router(config)# ip access-list resequence Foo 100 50
    Router(config)# do show ip access-lists
    Extended IP access list Foo
        100 permit ip host 10.0.23.23 any
        150 permit ip host 10.0.23.76 any
        200 permit ip host 10.0.22.144 any
        250 permit tcp any any eq www
        300 permit tcp any any eq 8080
        350 permit tcp any any eq 443
        400 permit tcp any any eq 4343
        450 permit udp any any eq domain
        500 permit tcp 10.0.8.0 0.0.3.255 any eq smtp
        550 permit tcp 10.0.12.0 0.0.1.255 any eq smtp
        600 deny ip any any log

Posted in Tips and Tricks
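As an added example (not code from the post or from Cisco), the following Python models the behaviour described above so it can be reasoned about off the box: it parses a "show ip access-lists" listing, inserts an entry at an explicit sequence number, appends without one at last+10, renumbers with the same start/step arguments as "ip access-list resequence", and shows that the startup-config keeps only the order of the entries, so a reload brings them back as 10, 20, 30. The Foo listing embedded in it is the post's own first example; the 1-2147483647 range check and the refusal of a duplicate sequence number are modelled IOS behaviour and are assumptions of this example, not something the post states.

```python
"""Model of IOS named-ACL sequence numbering (added example, not the post's code).

Parses 'show ip access-lists' text and applies the rules the post describes:
default 10/10 numbering, insertion at an explicit sequence number, renumbering
with 'ip access-list resequence', and loss of the numbers across a reload.
The Foo listing below is the post's own first example; the range check and the
refusal of a duplicate sequence number are modelled IOS behaviour (assumptions).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SHOW_FOO = """\
Extended IP access list Foo
    10 permit tcp any any eq www
    20 permit tcp any any eq 443
    30 permit udp any any eq domain
    40 deny ip any any log
"""


@dataclass
class Entry:
    seq: int
    text: str  # the ACE without its number, e.g. "permit tcp any any eq www"


@dataclass
class NamedAcl:
    name: str
    entries: List[Entry] = field(default_factory=list)  # kept sorted by seq

    @classmethod
    def from_show(cls, output: str) -> "NamedAcl":
        """Parse one extended ACL out of 'show ip access-lists' output."""
        lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
        m = re.match(r"Extended IP access list (\S+)$", lines[0])
        if m is None:
            raise ValueError("expected an 'Extended IP access list <name>' header")
        acl = cls(m.group(1))
        for ln in lines[1:]:
            seq, text = ln.split(None, 1)
            acl.entries.append(Entry(int(seq), text))
        acl.entries.sort(key=lambda e: e.seq)
        return acl

    def add(self, text: str, seq: Optional[int] = None) -> int:
        """Mirror config-ext-nacl input: a leading number fixes the position,
        no number appends the ACE at last+10. Returns the number assigned."""
        if seq is None:
            seq = self.entries[-1].seq + 10 if self.entries else 10
        if not 1 <= seq <= 2147483647:  # range IOS prints for '?' (assumed check)
            raise ValueError(f"sequence number {seq} out of range")
        if any(e.seq == seq for e in self.entries):  # modelled IOS refusal (assumption)
            raise ValueError(f"% Duplicate sequence number {seq}")
        self.entries.append(Entry(seq, text))
        self.entries.sort(key=lambda e: e.seq)  # first match wins, so order is what matters
        return seq

    def resequence(self, start: int = 10, step: int = 10) -> None:
        """'ip access-list resequence <name> <start> <step>': renumber in place,
        keeping the order (and therefore the match semantics) unchanged."""
        for i, e in enumerate(self.entries):
            e.seq = start + i * step

    def seqs(self) -> List[int]:
        return [e.seq for e in self.entries]

    def show(self) -> str:
        """Render in 'show ip access-lists' form."""
        head = f"Extended IP access list {self.name}"
        return "\n".join([head] + [f"    {e.seq} {e.text}" for e in self.entries])

    def startup_config(self) -> str:
        """What 'write memory' stores: no sequence numbers, only the ACE order."""
        head = f"ip access-list extended {self.name}"
        return "\n".join([head] + [f" {e.text}" for e in self.entries])

    def after_reload(self) -> "NamedAcl":
        """Rebuild from the startup-config: IOS numbers the entries 10, 20, 30..."""
        fresh = NamedAcl(self.name)
        for e in self.entries:
            fresh.add(e.text)  # no number given -> default numbering
        return fresh


if __name__ == "__main__":
    acl = NamedAcl.from_show(SHOW_FOO)
    acl.add("permit tcp any any eq 8080", seq=15)  # lands between 10 and 20
    print(acl.show())
    acl.resequence(100, 50)
    print(acl.show())
    print(acl.startup_config())  # numbers are gone
    print(acl.after_reload().show())  # back to 10, 20, 30 ...
```

The point of `after_reload()` is the one that bites in practice: any change-control record or automation that inserts by a remembered sequence number ("put the new permit at 25") is only valid until the next reload or resequence, so scripts should locate the neighbouring entry by its text, not by its number, before choosing where to insert.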

