Resequencing ACL Entries

IOS access list entries are assigned sequence numbers, by default starting at 10 and incrementing by 10. Because an ACL is evaluated top to bottom and the first matching entry wins, this is handy for inserting a new entry at a specific position in an existing ACL: you simply prefix the entry with the number that places it where you want it. For example, assume you have the following ACL defined:

Extended IP access list Foo
    10 permit tcp any any eq www
    20 permit tcp any any eq 443
    30 permit udp any any eq domain
    40 deny ip any any log

If you want to insert a new entry between the first and second lines, you can create the entry with a predetermined position. This example uses the number 15, but any unused number greater than 10 and less than 20 will work.

Router(config)# ip access-list extended Foo
Router(config-ext-nacl)# 15 permit tcp any any eq 8080

Now the ACL looks like this:

Router# show ip access-lists
Extended IP access list Foo
    10 permit tcp any any eq www
    15 permit tcp any any eq 8080
    20 permit tcp any any eq 443
    30 permit udp any any eq domain
    40 deny ip any any log

While certainly handy, ACL numbering can quickly get out of hand if not applied strategically. In the list below, for instance, there is no longer any room to insert an entry between 1 and 2 without renumbering:

Router# show ip access-lists
Extended IP access list Foo
    1 permit ip host 10.0.23.23 any
    2 permit ip host 10.0.23.76 any
    4 permit ip host 10.0.22.144 any
    10 permit tcp any any eq www
    15 permit tcp any any eq 8080
    20 permit tcp any any eq 443
    30 permit udp any any eq domain
    40 permit tcp 10.0.8.0 0.0.3.255 any eq smtp
    42 permit tcp 10.0.12.0 0.0.1.255 any eq smtp
    999 deny ip any any log

It is important to note that ACL sequence numbers are not written to the startup configuration. The order of the entries is preserved, but the specific numbers are discarded; after a reload, IOS regenerates them starting at 10 in steps of 10. The saved configuration contains only the entries themselves:

ip access-list extended Foo
 permit ip host 10.0.23.23 any
 permit ip host 10.0.23.76 any
 permit ip host 10.0.22.144 any
 permit tcp any any eq www
 permit tcp any any eq 8080
 permit tcp any any eq 443
 permit tcp any any eq 4343
 permit udp any any eq domain
 permit tcp 10.0.8.0 0.0.3.255 any eq smtp
 permit tcp 10.0.12.0 0.0.1.255 any eq smtp
 deny   ip any any log

However, IOS includes a convenient command to resequence all entries in an ACL without a reboot and without recreating the ACL:

Router(config)# ip access-list resequence Foo ?
  <1-2147483647>  Starting Sequence Number

Router(config)# ip access-list resequence Foo 10 ?
  <1-2147483647>  Step to increment the sequence number

Router(config)# ip access-list resequence Foo 10 10
Router(config)# do show ip access-lists
Extended IP access list Foo
    10 permit ip host 10.0.23.23 any
    20 permit ip host 10.0.23.76 any
    30 permit ip host 10.0.22.144 any
    40 permit tcp any any eq www
    50 permit tcp any any eq 8080
    60 permit tcp any any eq 443
    70 permit tcp any any eq 4343
    80 permit udp any any eq domain
    90 permit tcp 10.0.8.0 0.0.3.255 any eq smtp
    100 permit tcp 10.0.12.0 0.0.1.255 any eq smtp
    110 deny ip any any log

The example above uses the default starting number and interval; arbitrary values can be provided for both if you'd like a little more room to maneuver between entries, as long as the last entry stays within the 1-2147483647 range shown in the help output. Keep in mind that resequencing preserves the order of the entries but changes every number, so any documentation or automation that references entries by sequence number must be updated afterward. Here the ACL is renumbered starting at 100 in steps of 50:

Router(config)# ip access-list resequence Foo 100 50
Router(config)# do show ip access-lists
Extended IP access list Foo
    100 permit ip host 10.0.23.23 any
    150 permit ip host 10.0.23.76 any
    200 permit ip host 10.0.22.144 any
    250 permit tcp any any eq www
    300 permit tcp any any eq 8080
    350 permit tcp any any eq 443
    400 permit tcp any any eq 4343
    450 permit udp any any eq domain
    500 permit tcp 10.0.8.0 0.0.3.255 any eq smtp
    550 permit tcp 10.0.12.0 0.0.1.255 any eq smtp
    600 deny ip any any log
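To make the behaviour described above concrete, here is an added example (not code from the original post or from Cisco) that models the two operations on a copy of the `show ip access-lists` text: inserting an entry at a chosen sequence number, and resequencing with a start and step. The sample ACL is constructed from the listing above, with a hit counter added to one line the way a production device prints it; the function names and the MAX_SEQ constant are this example's own, the latter taken from the `<1-2147483647>` range in the CLI help. It also reports how many free numbers remain after an entry, which is the thing you are out of when resequencing becomes necessary.

```python
"""Model of IOS ACL sequence numbering: parse, insert, resequence.

Added example for this article; not code from the original post or from
Cisco. It reproduces on a copy of the ACL text what the IOS commands
`<seq> permit ...` and `ip access-list resequence` do, so the effect can
be checked offline before touching a device.
"""
import re

# Largest sequence number IOS accepts (the <1-2147483647> range shown in
# the CLI help in the article).
MAX_SEQ = 2147483647

# Constructed sample: the "out of hand" ACL from the article as printed by
# `show ip access-lists`, with a hit counter on one entry the way a device
# in production shows them.
SAMPLE_SHOW = """\
Extended IP access list Foo
    1 permit ip host 10.0.23.23 any
    2 permit ip host 10.0.23.76 any
    4 permit ip host 10.0.22.144 any
    10 permit tcp any any eq www (12 matches)
    15 permit tcp any any eq 8080
    20 permit tcp any any eq 443
    30 permit udp any any eq domain
    40 permit tcp 10.0.8.0 0.0.3.255 any eq smtp
    42 permit tcp 10.0.12.0 0.0.1.255 any eq smtp
    999 deny ip any any log
"""

HEADER_RE = re.compile(r"^(?:Standard|Extended) IP access list (\S+)")
# Sequence number, then the rule text, then an optional "(N matches)" counter.
ENTRY_RE = re.compile(
    r"^\s*(\d+)\s+((?:permit|deny)\s+.*?)\s*(?:\(\d+ match(?:es)?\))?\s*$"
)


def parse_acl(text):
    """Return (name, [(seq, rule), ...]) from `show ip access-lists` output."""
    name, entries = None, []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            name = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    if name is None:
        raise ValueError("no access-list header found")
    return name, entries


def free_slots_after(entries, seq):
    """Unused sequence numbers between `seq` and the next entry.

    Zero means nothing can be inserted after this entry until the ACL is
    resequenced (the situation with entries 1 and 2 in the sample).
    """
    seqs = [s for s, _ in entries]
    if seq not in seqs:
        raise ValueError(f"no entry with sequence number {seq}")
    later = [s for s in seqs if s > seq]
    nxt = min(later) if later else MAX_SEQ + 1
    return nxt - seq - 1


def insert_entry(entries, seq, rule):
    """Add `rule` at `seq`, as `Router(config-ext-nacl)# <seq> permit ...` does.

    IOS rejects a duplicate sequence number; this mirrors that. Because the
    first matching entry wins, `seq` must place the rule ahead of any broader
    entry (such as the trailing deny) that would otherwise shadow it.
    """
    if not 1 <= seq <= MAX_SEQ:
        raise ValueError(f"sequence number {seq} out of range")
    if any(s == seq for s, _ in entries):
        raise ValueError(f"sequence number {seq} already in use")
    return sorted(entries + [(seq, rule)], key=lambda e: e[0])


def resequence_fits(count, start, step):
    """True if `count` entries renumbered from `start` by `step` stay <= MAX_SEQ."""
    return start >= 1 and step >= 1 and start + step * (count - 1) <= MAX_SEQ


def resequence(entries, start=10, step=10):
    """Renumber in existing order, like `ip access-list resequence NAME start step`.

    Order is preserved and only the numbers change, which is also what a
    reload does (with start=10, step=10).
    """
    if not resequence_fits(len(entries), start, step):
        raise ValueError("start/step would push an entry past the IOS maximum")
    return [(start + i * step, rule) for i, (_, rule) in enumerate(entries)]


def render(name, entries):
    """Format entries the way `show ip access-lists` prints them."""
    lines = [f"Extended IP access list {name}"]
    lines += [f"    {seq} {rule}" for seq, rule in entries]
    return "\n".join(lines)


if __name__ == "__main__":
    name, acl = parse_acl(SAMPLE_SHOW)
    print("free numbers after entry 1:", free_slots_after(acl, 1))
    acl = resequence(acl, 100, 50)
    # With a step of 50 there is room to slot 4343 between 443 and domain.
    acl = insert_entry(acl, 375, "permit tcp any any eq 4343")
    print(render(name, acl))
```

Running it prints zero free numbers after entry 1, then the ACL renumbered 100, 150, ... with the 4343 entry at 375. The overflow check in `resequence_fits` is the one worth keeping in any automation: a large step on a long ACL can push the last entry past the 2147483647 limit, and the device will refuse the command.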

About the Author

Jeremy Stretch is a networking engineer and the maintainer of PacketLife.net. He currently lives in the Raleigh-Durham area of North Carolina. Although employed full-time out of necessity, his true passion lies in improving the field of network engineering around the world. You can contact him by email or follow him on Twitter.

Comments

Very interesting.

It is important to note that ACL entry numbers are not written to the start-up configuration, so all sequencing information will be lost on reboot:

Am I correct in assuming that a copy running-config startup-config will preserve the modified and / or resequenced ACL across (re)boots?

Very interesting.

Wow, nice tip! That always bothered me.

Whilst the exact sequence numbers will not be preserved across reboots, the order of the ACL entries will. After rebooting, the ACL will have sequence numbers starting at 10 and incrementing by 10.

Interesting. I've never noticed that the ACLs resequence after a reboot.

Nice! I was not aware of a way to resequence the entries.

You can really tell who the anal folks are, the ones who notice and care about stuff like this.... me! Not going to make the network work any better but makes me feel better when stuff is organized more logically - I always shake my head when the engineers who manage one of our hosted firewalls never bother to order things nicely.

Thanks for the good tip

I always forget this command and Google for it when I need it. Good post.

Great tip!

Same here, didn't know there was a resequencer! WOOT!

Excellent. I've actually rebooted routers just to resequence. Good tip!

Oh man - this is soooooo helpful!!! Many thanks, Stretch

Excellent tip! Keep up the good work Stretch :-)

Nice tip. Thanks! I just used it on some of my routers.

Very helpful... here's another blog post (by Ivan) which is helpful in making ACLs look organized - ACL object groups

Great!!!! Many thanks!!! Keep up the good work!!!

Excellent post, Stretch!! One slight digressive question: if you place an ACL on an interface (say f0) and try a "telnet Blah.. source-interface f0", does the ACL get involved (processed)?

Wow! I was looking for an option to resequence my ACLs since the beginning of my Cisco adventure! It's so flippin' handy! Thanks!
