Re: Named ACL entry question

jjvela · ‎02-25-2025

I am using a standard IP named ACL and have a question regarding sequenced entry additions. It seems that when I add a new IP and include the sequence number, then issue sh ip access-lists, it appears in some random location but with the sequence number. Then if I resequence the list, it stays in the same spot but with a new sequence number. Is it possible to specify where in the list it is added?

Flavio Miranda · ‎02-25-2025

@jjvela

You can define the sequence number.

For example

Extended IP access list TEST

50 permit icmp any any

70 permit tcp any any

90 permit udp any any

110 permit esp any any

jjvela · ‎02-25-2025

This is the method I utilize. So lets say the list above is implemented. If I wanted to add another IP, and I issued the command - 120 permit x.x.x.x, it is entered in a seemingly random location. If I issue - sh ip access-lists, it may appear as follows:

Extended IP access list TEST

50 permit icmp any any

70 permit tcp any any

120 permit x.x.x.x

90 permit udp any any

110 permit esp any any

Lets say I want it entered at the end of the list, what command would I issue, or is there no way to specify position?

Flavio Miranda · ‎02-25-2025

It should not be random. If you add the access-list with ID 120, it should come after 110.

Take a look on this doc.

IP Access List Entry Sequence Numbering [Support] - Cisco Systems

jjvela · ‎02-27-2025

That is what I was expecting, but this is not what is happening. Does this indicate an issue with ACL or how the device is processing it? Is there a test I can perform? Really appreciate the help.

Flavio Miranda · ‎02-27-2025

What device is this and which IOS version?

Flavio Miranda · ‎02-27-2025

Security Configuration Guide: Access Control Lists, Cisco IOS XE Gibraltar 16.12.x - IP Named Access Control Lists [Cisco IOS XE 16] - Cisco

You cannot delete an entry from a numbered access list; trying to do so will delete the entire access list. If you need to delete an entry, you need to delete the entire access list and start over.
You can delete an entry from a named access list. Use the no permit or no deny command to delete the appropriate entry.

In another doc

"Being able to selectively remove lines from a named ACL is one reason you might use named ACLs instead of numbered ACLs."

Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches) - Configuring IPv4 Access Control Lists [Cisco Catalyst 2960-X Series Switches] - Cisco

jjvela · ‎02-27-2025

I believe in my situation I have a named ACL that uses sequenced entries. Therefore, shouldn't using the "no" command safely remove only that single entry? What effect, if any, would it have on the rest of the list?

Flavio Miranda · ‎02-27-2025

It should not affect the other statements.

jjvela · ‎02-28-2025

This is my understanding and what I have experienced in the past. Right now, though, I have 4 3850's doing this exact thing. I also have several others that are not. My plan is to remove the list from the assigned port, clear the list, add everything back, then re-apply the list to the port. I am assuming this method will cause the least network disruption, if no other issues are present.