Resequencing ACL Entries
By stretch | Friday, April 30, 2010 at 3:59 a.m. UTC
IOS numbers access list entries sequentially, starting at 10 and incrementing by 10. This is handy for inserting new entries into an existing ACL: you specify a leading sequence number to indicate the new entry's position in the ACL. For example, assume you have the following ACL defined:
    Extended IP access list Foo
        10 permit tcp any any eq www
        20 permit tcp any any eq 443
        30 permit udp any any eq domain
        40 deny ip any any log
If you want to insert a new entry between the first and second lines, you can create the entry with a predetermined position. This example uses the number 15, but any number greater than 10 and less than 20 will work.
    Router(config)# ip access-list extended Foo
    Router(config-ext-nacl)# 15 permit tcp any any eq 8080
Now the ACL looks like this:
    Router# show ip access-lists
    Extended IP access list Foo
        10 permit tcp any any eq www
        15 permit tcp any any eq 8080
        20 permit tcp any any eq 443
        30 permit udp any any eq domain
        40 deny ip any any log
While certainly handy, ACL numbering can quickly get out of hand if not applied strategically:
    Router# show ip access-lists
    Extended IP access list Foo
        1 permit ip host 10.0.23.23 any
        2 permit ip host 10.0.23.76 any
        4 permit ip host 10.0.22.144 any
        10 permit tcp any any eq www
        15 permit tcp any any eq 8080
        20 permit tcp any any eq 443
        30 permit udp any any eq domain
        40 permit tcp 10.0.8.0 0.0.3.255 any eq smtp
        42 permit tcp 10.0.12.0 0.0.1.255 any eq smtp
        999 deny ip any any log
It is important to note that ACL entry numbers are not written to the start-up configuration, so all sequencing information will be lost on reboot:
    ip access-list extended Foo
     permit ip host 10.0.23.23 any
     permit ip host 10.0.23.76 any
     permit ip host 10.0.22.144 any
     permit tcp any any eq www
     permit tcp any any eq 8080
     permit tcp any any eq 443
     permit tcp any any eq 4343
     permit udp any any eq domain
     permit tcp 10.0.8.0 0.0.3.255 any eq smtp
     permit tcp 10.0.12.0 0.0.1.255 any eq smtp
     deny ip any any log
However, IOS includes a convenient command to resequence all entries in an ACL without a reboot and without recreating the ACL:
    Router(config)# ip access-list resequence Foo ?
      <1-2147483647>  Starting Sequence Number

    Router(config)# ip access-list resequence Foo 10 ?
      <1-2147483647>  Step to increment the sequence number

    Router(config)# ip access-list resequence Foo 10 10
    Router(config)# do show ip access-lists
    Extended IP access list Foo
        10 permit ip host 10.0.23.23 any
        20 permit ip host 10.0.23.76 any
        30 permit ip host 10.0.22.144 any
        40 permit tcp any any eq www
        50 permit tcp any any eq 8080
        60 permit tcp any any eq 443
        70 permit tcp any any eq 4343
        80 permit udp any any eq domain
        90 permit tcp 10.0.8.0 0.0.3.255 any eq smtp
        100 permit tcp 10.0.12.0 0.0.1.255 any eq smtp
        110 deny ip any any log
The example above uses the default starting number and interval; however, arbitrary values can be provided for both if you'd like a little more room to maneuver between entries:
    Router(config)# ip access-list resequence Foo 100 50
    Router(config)# do show ip access-lists
    Extended IP access list Foo
        100 permit ip host 10.0.23.23 any
        150 permit ip host 10.0.23.76 any
        200 permit ip host 10.0.22.144 any
        250 permit tcp any any eq www
        300 permit tcp any any eq 8080
        350 permit tcp any any eq 443
        400 permit tcp any any eq 4343
        450 permit udp any any eq domain
        500 permit tcp 10.0.8.0 0.0.3.255 any eq smtp
        550 permit tcp 10.0.12.0 0.0.1.255 any eq smtp
        600 deny ip any any log
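To make the numbering rules above concrete (positional insertion, the gaps that shrink as entries accumulate, resequencing with a start and step, and the loss of sequence numbers in startup-config with the entry order preserved), here is a small Python model of them. It is an added example written for this post, not IOS code and not the author's; it parses the show output shown above, which is the only "device" it talks to. Two behaviours it relies on are assumptions rather than statements from the post: that IOS rejects a duplicate sequence number, and that an entry added without a number lands 10 past the last one.

```python
"""Model of IOS named-ACL sequence numbering (added example, not IOS code).

Assumed beyond what the post states: a duplicate sequence number is rejected,
and an unnumbered entry is appended at (last sequence + 10).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SEQ_MAX = 2147483647  # upper bound IOS prints for `ip access-list resequence`


@dataclass
class AclEntry:
    seq: int
    rule: str  # e.g. "permit tcp any any eq www"


@dataclass
class Acl:
    name: str
    entries: List[AclEntry] = field(default_factory=list)  # kept sorted by seq

    def insert(self, rule: str, seq: Optional[int] = None) -> int:
        """Add an entry. With seq it is placed by number (like `15 permit ...`);
        without, it is appended 10 past the last entry (assumed behaviour)."""
        if seq is None:
            seq = (self.entries[-1].seq + 10) if self.entries else 10
        if not 1 <= seq <= SEQ_MAX:
            raise ValueError(f"sequence {seq} outside 1-{SEQ_MAX}")
        if any(e.seq == seq for e in self.entries):
            raise ValueError(f"duplicate sequence number {seq}")  # assumed IOS behaviour
        self.entries.append(AclEntry(seq, rule))
        self.entries.sort(key=lambda e: e.seq)
        return seq

    def resequence(self, start: int = 10, step: int = 10) -> None:
        """`ip access-list resequence NAME START STEP`: renumber in current order."""
        if not 1 <= start <= SEQ_MAX or not 1 <= step <= SEQ_MAX:
            raise ValueError(f"start and step must be within 1-{SEQ_MAX}")
        last = start + step * (len(self.entries) - 1)
        if last > SEQ_MAX:
            raise ValueError(f"last entry would be {last}, past {SEQ_MAX}")
        for i, e in enumerate(self.entries):  # list order is the match order
            e.seq = start + i * step

    def tightest_gap(self) -> int:
        """Fewest unused numbers between two adjacent entries; 0 means the
        next insert at that spot is impossible without resequencing."""
        if len(self.entries) < 2:
            return SEQ_MAX
        return min(b.seq - a.seq - 1 for a, b in zip(self.entries, self.entries[1:]))

    def show(self) -> str:
        """Render like `show ip access-lists`."""
        lines = [f"Extended IP access list {self.name}"]
        lines += [f"    {e.seq} {e.rule}" for e in self.entries]
        return "\n".join(lines)

    def startup_config(self) -> str:
        """Render as written to startup-config: order kept, numbers dropped."""
        lines = [f"ip access-list extended {self.name}"]
        lines += [f" {e.rule}" for e in self.entries]
        return "\n".join(lines)


def parse_show(text: str) -> Acl:
    """Parse one extended named ACL from `show ip access-lists` output.
    A trailing "(N matches)" hit counter, if present, is stripped."""
    head = re.search(r"Extended IP access list (\S+)", text)
    if not head:
        raise ValueError("no extended ACL header found")
    acl = Acl(head.group(1))
    pat = r"^\s*(\d+) (permit|deny) (.+?)(?: \(\d+ matches?\))?\s*$"
    for m in re.finditer(pat, text, re.M):
        acl.entries.append(AclEntry(int(m.group(1)), f"{m.group(2)} {m.group(3)}"))
    acl.entries.sort(key=lambda e: e.seq)
    return acl


def parse_startup(text: str) -> Acl:
    """Reload an ACL from config text: no numbers are stored, so entries
    receive 10, 20, 30 ... in file order, as the post's default numbering."""
    head = re.search(r"ip access-list extended (\S+)", text)
    if not head:
        raise ValueError("no named extended ACL in config text")
    acl = Acl(head.group(1))
    for m in re.finditer(r"^\s*((?:permit|deny) .+?)\s*$", text, re.M):
        acl.insert(m.group(1))
    return acl


# Constructed sample: the post's four-line ACL with a hit counter added.
SAMPLE_SHOW = """Extended IP access list Foo
    10 permit tcp any any eq www
    20 permit tcp any any eq 443
    30 permit udp any any eq domain
    40 deny ip any any log (12 matches)
"""

if __name__ == "__main__":
    acl = parse_show(SAMPLE_SHOW)
    acl.insert("permit tcp any any eq 8080", 15)
    print(acl.show(), "\ntightest gap:", acl.tightest_gap())
    acl.resequence(100, 50)
    print(acl.show(), "\n", acl.startup_config(), sep="")
```

The `tightest_gap` check is the audit hook: run it over parsed ACLs before a change window and resequence any ACL that reports a small value, rather than discovering mid-change that there is no free number between two adjacent entries.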
Posted in Tips and Tricks
Comments
April 30, 2010 at 4:43 a.m. UTC
Very interesting.
It is important to note that ACL entry numbers are not written to the start-up configuration, so all sequencing information will be lost on reboot:
Am I correct in assuming that a copy running-config startup-config will preserve the modified and/or resequenced ACL across (re)boots?
April 30, 2010 at 8:09 a.m. UTC
Very interesting.
April 30, 2010 at 11:42 a.m. UTC
Wow, nice tip! That always bothered me.
April 30, 2010 at 11:43 a.m. UTC
Whilst the exact sequence numbers will not be preserved across reboots, the order of the ACL entries will. After rebooting, the ACL will have sequence numbers starting at 10 and incrementing by 10.
April 30, 2010 at 1:09 p.m. UTC
Interesting. I've never noticed that the ACLs resequence after a reboot.
April 30, 2010 at 2:15 p.m. UTC
Nice! I was not aware of a way to resequence the entries.
April 30, 2010 at 3:10 p.m. UTC
You can really tell who the anal folks are, the ones who notice and care about stuff like this.... me! Not going to make the network work any better but makes me feel better when stuff is organized more logically - I always shake my head when the engineers who manage one of our hosted firewalls never bother to order things nicely.
Thanks for the good tip
April 30, 2010 at 11:35 p.m. UTC
I always forget this command and Google for it when I need it. Good post.
May 1, 2010 at 1:00 a.m. UTC
Great tip!
May 3, 2010 at 2:34 a.m. UTC
Same here, didn't know there was a resequencer! WOOT!
May 3, 2010 at 1:51 p.m. UTC
Excellent. I've actually rebooted routers just to resequence. Good tip!
May 3, 2010 at 6:03 p.m. UTC
Oh man - this is soooooo helpful!!! Many thanks, Stretch
May 5, 2010 at 9:55 a.m. UTC
Excellent tip! Keep up the good work Stretch :-)
May 5, 2010 at 2:51 p.m. UTC
Nice tip. Thanks! I just used it on some of my routers.
May 9, 2010 at 8:14 p.m. UTC
Very helpful... here's another blog post (by Ivan) which is helpful in making ACLs look organized - ACL object groups
May 17, 2010 at 3:01 p.m. UTC
Gr8 !!!! many thnx !!! Keep up the good work !!!
October 29, 2010 at 10:55 a.m. UTC
Excellent post.. Stretch!! One slight digressive guess.. If you place an ACL on an interface (say f0) and try a "telnet Blah.. source-interface f0", does the ACL get involved (processed)?
December 21, 2012 at 10:36 p.m. UTC
WoW! I was looking for an option to resequence my ACLs since the beginning of my Cisco adventure! It's so flippin' handy! Thanks!
December 12, 2013 at 6:59 a.m. UTC
Really nice tip.. Thanks buddy
August 24, 2015 at 3:14 p.m. UTC
Thanks Jeremy, when I Google for a Cisco command option and see PacketLife in the list, you're always my first click!
November 18, 2015 at 5:40 p.m. UTC
Thanks Jeremy