The premiere source of truth powering network automation. Open and extensible, trusted by thousands.
NetBox is now available as a managed cloud solution! Stop worrying about your tooling and get back to building networks.
Resequencing ACL Entries
By stretch | Friday, April 30, 2010 at 3:59 a.m. UTC
IOS access list entries are numbered sequentially, starting from 10 and in intervals of 10. This is handy for inserting new entries into an existing ACL by specifying a leading number to indicate a new entry's position in the ACL. For example, assume you have the following ACL defined:
Extended IP access list Foo
10 permit tcp any any eq www
20 permit tcp any any eq 443
30 permit udp any any eq domain
40 deny ip any any log
If you wanted to insert a new entry between the first and second line, you can create the entry with a predetermined position. This example uses the number 15, but any number greater than 10 and less than 20 will work.
Router(config)# ip access-list extended Foo Router(config-ext-nacl)# 15 permit tcp any any eq 8080
Now the ACL looks like this:
Router# show ip access-lists
Extended IP access list Foo
10 permit tcp any any eq www
15 permit tcp any any eq 8080
20 permit tcp any any eq 443
30 permit udp any any eq domain
40 deny ip any any log
While certainly handy, ACL numbering can quickly get out of hand if not applied strategically:
Router# show ip access-lists
Extended IP access list Foo
1 permit ip host 10.0.23.23 any
2 permit ip host 10.0.23.76 any
4 permit ip host 10.0.22.144 any
10 permit tcp any any eq www
15 permit tcp any any eq 8080
20 permit tcp any any eq 443
30 permit udp any any eq domain
40 permit tcp 10.0.8.0 0.0.3.255 any eq smtp
42 permit tcp 10.0.12.0 0.0.1.255 any eq smtp
999 deny ip any any log
It is important to note that ACL entry numbers are not written to the start-up configuration, so all sequencing information will be lost on reboot:
ip access-list extended Foo permit ip host 10.0.23.23 any permit ip host 10.0.23.76 any permit ip host 10.0.22.144 any permit tcp any any eq www permit tcp any any eq 8080 permit tcp any any eq 443 permit tcp any any eq 4343 permit udp any any eq domain permit tcp 10.0.8.0 0.0.3.255 any eq smtp permit tcp 10.0.12.0 0.0.1.255 any eq smtp deny ip any any log
However, IOS includes a convenient command to resequence all entries in an ACL without a reboot and without recreating the ACL:
Router(config)# ip access-list resequence Foo ?
<1-2147483647> Starting Sequence Number
Router(config)# ip access-list resequence Foo 10 ?
<1-2147483647> Step to increment the sequence number
Router(config)# ip access-list resequence Foo 10 10
Router(config)# do show ip access-lists
Extended IP access list Foo
10 permit ip host 10.0.23.23 any
20 permit ip host 10.0.23.76 any
30 permit ip host 10.0.22.144 any
40 permit tcp any any eq www
50 permit tcp any any eq 8080
60 permit tcp any any eq 443
70 permit tcp any any eq 4343
80 permit udp any any eq domain
90 permit tcp 10.0.8.0 0.0.3.255 any eq smtp
100 permit tcp 10.0.12.0 0.0.1.255 any eq smtp
110 deny ip any any log
The example above uses the default starting number and interval, however arbitrary values can be provided for both if you'd like a little more room to maneuver between entries:
Router(config)# ip access-list resequence Foo 100 50
Router(config)# do show ip access-lists
Extended IP access list Foo
100 permit ip host 10.0.23.23 any
150 permit ip host 10.0.23.76 any
200 permit ip host 10.0.22.144 any
250 permit tcp any any eq www
300 permit tcp any any eq 8080
350 permit tcp any any eq 443
400 permit tcp any any eq 4343
450 permit udp any any eq domain
500 permit tcp 10.0.8.0 0.0.3.255 any eq smtp
550 permit tcp 10.0.12.0 0.0.1.255 any eq smtp
600 deny ip any any log
Posted in Tips and Tricks
Comments
April 30, 2010 at 4:43 a.m. UTC
Very interesting.
It is important to note that ACL entry numbers are not written to the start-up configuration, so all sequencing information will be lost on reboot:
Am I correct in assuming that a copy running-config startup-config will preserve the modified and / or resequenced ACL across (re)boots?
April 30, 2010 at 8:09 a.m. UTC
Very interesting.
April 30, 2010 at 11:42 a.m. UTC
Wow, nice tip! That always bothered me.
April 30, 2010 at 11:43 a.m. UTC
Whilst the exact sequence numbers will not be preserved across reboots, the order of the ACL entries will. After rebooting, the ACL will have sequence numbers starting at 10 and incrementing by 10.
April 30, 2010 at 1:09 p.m. UTC
Interesting. I've never noticed that the ACLs resequence after a reboot.
April 30, 2010 at 2:15 p.m. UTC
Nice! I was not aware of a way to resequence the entries.
April 30, 2010 at 3:10 p.m. UTC
You can really tell who the anal folks are, the ones who notice and care about stuff like this.... me! Not going to make the network work any better but makes me feel better when stuff is organized more logically - I always shake my head when the engineers who manage one of our hosted firewalls never bother to order things nicely.
Thanks for the good tip
April 30, 2010 at 11:35 p.m. UTC
I always forget this command and Google for it when I need it. Good post.
May 1, 2010 at 1:00 a.m. UTC
Great tip!
May 3, 2010 at 2:34 a.m. UTC
Same here, didn't know there was a resequencer! WOOT!
May 3, 2010 at 1:51 p.m. UTC
Excellent. I've actually rebooted routers just to resequence. Good tip!
May 3, 2010 at 6:03 p.m. UTC
Oh man - this is soooooo helpful!!! Many thanks, Stretch
May 5, 2010 at 9:55 a.m. UTC
Excellent tip! Keep up the good work Stretch :-)
May 5, 2010 at 2:51 p.m. UTC
Nice tip. Thanks! I just used it on some of my routers.
May 9, 2010 at 8:14 p.m. UTC
Very helpful... here's another blogpost (by Ivan) which is helpful in making ACL's look organized - ACL object groups
May 17, 2010 at 3:01 p.m. UTC
Gr8 !!!! many thnx !!! Keep up the good work !!!
October 29, 2010 at 10:55 a.m. UTC
Excellent post.. Stretch!! One slight digressive quess.. If you place an ACL on an interface (say f0)and try a "telnet Blah.. source-interface f0" does the ACL get involved(processed) ?
December 21, 2012 at 10:36 p.m. UTC
WoW!I was looking for option to resequence my acl's since the begining of my cisco adventure! Its so flippin' handy! Thanks!
December 12, 2013 at 6:59 a.m. UTC
Really nice trip..Thanks buddy
August 24, 2015 at 3:14 p.m. UTC
Thanks Jeremy, when I Google for a Cisco command option and see PacketLife in the list, you're always my first click!
November 18, 2015 at 5:40 p.m. UTC
Thanks Jeremy