Resequencing ACL Entries

By stretch | Friday, April 30, 2010 at 3:59 a.m. UTC

IOS access list entries are numbered sequentially, starting from 10 and in intervals of 10. This is handy for inserting new entries into an existing ACL by specifying a leading number to indicate a new entry's position in the ACL. For example, assume you have the following ACL defined:

Extended IP access list Foo
    10 permit tcp any any eq www
    20 permit tcp any any eq 443
    30 permit udp any any eq domain
    40 deny ip any any log

If you want to insert a new entry between the first and second lines, you can create the entry with a predetermined position by prefixing it with a sequence number. This example uses the number 15, but any number greater than 10 and less than 20 will work.

Router(config)# ip access-list extended Foo
Router(config-ext-nacl)# 15 permit tcp any any eq 8080

Now the ACL looks like this:

Router# show ip access-lists
Extended IP access list Foo
    10 permit tcp any any eq www
    15 permit tcp any any eq 8080
    20 permit tcp any any eq 443
    30 permit udp any any eq domain
    40 deny ip any any log

While certainly handy, ACL numbering can quickly get out of hand if not applied strategically:

Router# show ip access-lists
Extended IP access list Foo
    1 permit ip host 10.0.23.23 any
    2 permit ip host 10.0.23.76 any
    4 permit ip host 10.0.22.144 any
    10 permit tcp any any eq www
    15 permit tcp any any eq 8080
    20 permit tcp any any eq 443
    30 permit udp any any eq domain
    40 permit tcp 10.0.8.0 0.0.3.255 any eq smtp
    42 permit tcp 10.0.12.0 0.0.1.255 any eq smtp
    999 deny ip any any log

It is important to note that ACL entry numbers are not written to the start-up configuration, so all sequencing information will be lost on reboot:

ip access-list extended Foo
 permit ip host 10.0.23.23 any
 permit ip host 10.0.23.76 any
 permit ip host 10.0.22.144 any
 permit tcp any any eq www
 permit tcp any any eq 8080
 permit tcp any any eq 443
 permit tcp any any eq 4343
 permit udp any any eq domain
 permit tcp 10.0.8.0 0.0.3.255 any eq smtp
 permit tcp 10.0.12.0 0.0.1.255 any eq smtp
 deny   ip any any log

However, IOS includes a convenient command to resequence all entries in an ACL without a reboot and without recreating the ACL:

Router(config)# ip access-list resequence Foo ?
  <1-2147483647>  Starting Sequence Number

Router(config)# ip access-list resequence Foo 10 ?
  <1-2147483647>  Step to increment the sequence number

Router(config)# ip access-list resequence Foo 10 10
Router(config)# do show ip access-lists
Extended IP access list Foo
    10 permit ip host 10.0.23.23 any
    20 permit ip host 10.0.23.76 any
    30 permit ip host 10.0.22.144 any
    40 permit tcp any any eq www
    50 permit tcp any any eq 8080
    60 permit tcp any any eq 443
    70 permit tcp any any eq 4343
    80 permit udp any any eq domain
    90 permit tcp 10.0.8.0 0.0.3.255 any eq smtp
    100 permit tcp 10.0.12.0 0.0.1.255 any eq smtp
    110 deny ip any any log

The example above uses the default starting number and interval. However, arbitrary values can be provided for both if you'd like a little more room to maneuver between entries:

Router(config)# ip access-list resequence Foo 100 50
Router(config)# do show ip access-lists
Extended IP access list Foo
    100 permit ip host 10.0.23.23 any
    150 permit ip host 10.0.23.76 any
    200 permit ip host 10.0.22.144 any
    250 permit tcp any any eq www
    300 permit tcp any any eq 8080
    350 permit tcp any any eq 443
    400 permit tcp any any eq 4343
    450 permit udp any any eq domain
    500 permit tcp 10.0.8.0 0.0.3.255 any eq smtp
    550 permit tcp 10.0.12.0 0.0.1.255 any eq smtp
    600 deny ip any any log
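As an added example (not from the article or from IOS itself), a small Python model of the two operations shown above: inserting an entry at a chosen sequence number, and resequencing with a start and step, with the range check implied by the <1-2147483647> prompt. The sample ACL is constructed from the article's first listing; the function names are the example's own.

```python
import re

SEQ_MAX = 2147483647  # the <1-2147483647> bound IOS shows for start and step

ACL_HEADER_RE = re.compile(r"^Extended IP access list (\S+)")
ENTRY_RE = re.compile(r"^\s*(\d+)\s+((?:permit|deny)\s+.*\S)\s*$")

# Constructed sample: the first ACL from the article, as 'show ip access-lists' prints it.
SAMPLE = """Extended IP access list Foo
    10 permit tcp any any eq www
    20 permit tcp any any eq 443
    30 permit udp any any eq domain
    40 deny ip any any log
"""

def parse_acl(text):
    """Return (name, [(seq, rule), ...]) ordered by sequence number, as IOS evaluates them."""
    name, entries = None, []
    for line in text.splitlines():
        h = ACL_HEADER_RE.match(line)
        if h:
            name = h.group(1)
            continue
        e = ENTRY_RE.match(line)
        if e:
            entries.append((int(e.group(1)), e.group(2)))
    return name, sorted(entries)

def insert_entry(entries, seq, rule):
    """Model '<seq> permit|deny ...' under ip access-list extended: the number fixes the position."""
    if not 1 <= seq <= SEQ_MAX:
        raise ValueError("sequence number out of range")
    if any(s == seq for s, _ in entries):
        raise ValueError(f"sequence {seq} already in use")  # modelled as an error, not an overwrite
    return sorted(entries + [(seq, rule)])

def fits(count, start, step):
    """True if 'count' entries renumbered from start by step stay within the IOS range."""
    return 1 <= start <= SEQ_MAX and 1 <= step <= SEQ_MAX and start + step * (count - 1) <= SEQ_MAX

def resequence(entries, start=10, step=10):
    """Model 'ip access-list resequence NAME start step': order is kept, numbers are replaced."""
    if not fits(len(entries), start, step):
        raise ValueError("resequence would exceed the maximum sequence number")
    return [(start + i * step, rule) for i, (_, rule) in enumerate(entries)]

def render(name, entries):
    """Print the ACL back in 'show ip access-lists' layout."""
    return "\n".join([f"Extended IP access list {name}"] + [f"    {s} {r}" for s, r in entries])
```

Calling `render("Foo", resequence(insert_entry(parse_acl(SAMPLE)[1], 15, "permit tcp any any eq 8080"), 100, 50))` reproduces the 100/50 numbering from the last listing, with the inserted entry still in second place.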

About the Author

Jeremy Stretch is a network engineer living in the Raleigh-Durham, North Carolina area. He is known for his blog and cheat sheets here at Packet Life. You can reach him by email or follow him on Twitter.

Posted in Tips and Tricks

Comments


DrScriptt
April 30, 2010 at 4:43 a.m. UTC

Very interesting.

It is important to note that ACL entry numbers are not written to the start-up configuration, so all sequencing information will be lost on reboot:

Am I correct in assuming that a copy running-config startup-config will preserve the modified and / or resequenced ACL across (re)boots?


jvillalon (guest)
April 30, 2010 at 8:09 a.m. UTC

Very interesting.


nmaio (guest)
April 30, 2010 at 11:42 a.m. UTC

Wow, nice tip! That always bothered me.


Pressureman (guest)
April 30, 2010 at 11:43 a.m. UTC

Whilst the exact sequence numbers will not be preserved across reboots, the order of the ACL entries will. After rebooting, the ACL will have sequence numbers starting at 10 and incrementing by 10.


Strebzilla
April 30, 2010 at 1:09 p.m. UTC

Interesting. I've never noticed that the ACLs resequence after a reboot.


hunter_thom
April 30, 2010 at 2:15 p.m. UTC

Nice! I was not aware of a way to resequence the entries.


dantel
April 30, 2010 at 3:10 p.m. UTC

You can really tell who the anal folks are, the ones who notice and care about stuff like this.... me! Not going to make the network work any better but makes me feel better when stuff is organized more logically - I always shake my head when the engineers who manage one of our hosted firewalls never bother to order things nicely.

Thanks for the good tip


Colby
April 30, 2010 at 11:35 p.m. UTC

I always forget this command and Google for it when I need it. Good post.


aengleman
May 1, 2010 at 1:00 a.m. UTC

Great tip!


lcpteck
May 3, 2010 at 2:34 a.m. UTC

Same here, didn't know there was a resequencer! WOOT!


gradgrind
May 3, 2010 at 1:51 p.m. UTC

Excellent. I've actually rebooted routers just to resequence. Good tip!


Andrew (guest)
May 3, 2010 at 6:03 p.m. UTC

Oh man - this is soooooo helpful!!! Many thanks, Stretch


DanC
May 5, 2010 at 9:55 a.m. UTC

Excellent tip! Keep up the good work Stretch :-)


dnewstat
May 5, 2010 at 2:51 p.m. UTC

Nice tip. Thanks! I just used it on some of my routers.


Shoeb (guest)
May 9, 2010 at 8:14 p.m. UTC

Very helpful... here's another blogpost (by Ivan) which is helpful in making ACL's look organized - ACL object groups


raxhe (guest)
May 17, 2010 at 3:01 p.m. UTC

Gr8 !!!! many thnx !!! Keep up the good work !!!


ashish (guest)
October 29, 2010 at 10:55 a.m. UTC

Excellent post, Stretch!! One slight digressive question: if you place an ACL on an interface (say f0) and try a "telnet Blah.. source-interface f0", does the ACL get involved (processed)?


zbig (guest)
December 21, 2012 at 10:36 p.m. UTC

WoW! I was looking for an option to resequence my ACLs since the beginning of my Cisco adventure! It's so flippin' handy! Thanks!


A guest
December 12, 2013 at 6:59 a.m. UTC

Really nice tip. Thanks buddy


Dan (guest)
August 24, 2015 at 3:14 p.m. UTC

Thanks Jeremy, when I Google for a Cisco command option and see PacketLife in the list, you're always my first click!


Sharon (guest)
November 18, 2015 at 5:40 p.m. UTC

Thanks Jeremy
