Named ACL entry question

jjvela
Level 1

I am using a standard IP named ACL and have a question regarding sequenced entry additions. It seems that when I add a new IP and include the sequence number, then issue sh ip access-lists, it appears in some random location but with the sequence number. Then if I resequence the list, it stays in the same spot but with a new sequence number. Is it possible to specify where in the list it is added? 

9 Replies

@jjvela 

You can define the sequence number.

For example

Extended IP access list TEST
    50 permit icmp any any
    70 permit tcp any any
    90 permit udp any any
    110 permit esp any any

This is the method I utilize. So let's say the list above is implemented. If I wanted to add another IP, and I issued the command - 120 permit x.x.x.x, it is entered in a seemingly random location. If I issue - sh ip access-lists, it may appear as follows:

Extended IP access list TEST
    50 permit icmp any any
    70 permit tcp any any
    120 permit x.x.x.x
    90 permit udp any any
    110 permit esp any any

Let's say I want it entered at the end of the list, what command would I issue, or is there no way to specify position?

It should not be random. If you add the access-list entry with ID 120, it should come after 110.

Take a look at this doc.

IP Access List Entry Sequence Numbering  [Support] - Cisco Systems


That is what I was expecting, but this is not what is happening. Does this indicate an issue with ACL or how the device is processing it? Is there a test I can perform? Really appreciate the help. 

What device is this and which IOS version? 


Security Configuration Guide: Access Control Lists, Cisco IOS XE Gibraltar 16.12.x - IP Named Access Control Lists [Cisco IOS XE 16] - Cisco

  • You cannot delete an entry from a numbered access list; trying to do so will delete the entire access list. If you need to delete an entry, you need to delete the entire access list and start over.
  • You can delete an entry from a named access list. Use the no permit or no deny command to delete the appropriate entry.

In another doc

"Being able to selectively remove lines from a named ACL is one reason you might use named ACLs instead of numbered ACLs."

Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches) - Configuring IPv4 Access Control Lists [Cisco Catalyst 2960-X Series Switches] - Cisco

I believe in my situation I have a named ACL that uses sequenced entries. Therefore, shouldn't using the "no" command safely remove only that single entry? What effect, if any, would it have on the rest of the list?

It should not affect the other statements. 

This is my understanding and what I have experienced in the past. Right now, though, I have four 3850s doing this exact thing. I also have several others that are not. My plan is to remove the list from the assigned port, clear the list, add everything back, then re-apply the list to the port. I am assuming this method will cause the least network disruption, if no other issues are present.
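An added walkthrough (not taken from any post in this thread) of the documented IOS behaviour the replies describe: an entry is positioned by its sequence number rather than by the order it was typed, ip access-list resequence renumbers without reordering, and a single entry in a named ACL is removed with no followed by its sequence number. The ACL name TEST and the original four entries come from the thread; the host addresses 10.1.1.5 and 10.1.1.6 are constructed placeholders, and the show output is the expected result, not the out-of-order display the poster observed on the 3850s.

```cisco
! Build the named extended ACL with explicit sequence numbers
Router(config)# ip access-list extended TEST
Router(config-ext-nacl)# 50 permit icmp any any
Router(config-ext-nacl)# 70 permit tcp any any
Router(config-ext-nacl)# 90 permit udp any any
Router(config-ext-nacl)# 110 permit esp any any
! New entries land where their sequence number sorts, not where they were typed:
! 120 is above 110, so it should display last; 80 should display between 70 and 90
Router(config-ext-nacl)# 120 permit ip host 10.1.1.5 any
Router(config-ext-nacl)# 80 deny ip host 10.1.1.6 any
Router(config-ext-nacl)# exit
Router(config)# do show ip access-lists TEST
Extended IP access list TEST
    50 permit icmp any any
    70 permit tcp any any
    80 deny ip host 10.1.1.6 any
    90 permit udp any any
    110 permit esp any any
    120 permit ip host 10.1.1.5 any
! Renumber starting at 10 in steps of 10; the order is kept, only the numbers change
Router(config)# ip access-list resequence TEST 10 10
Router(config)# do show ip access-lists TEST
Extended IP access list TEST
    10 permit icmp any any
    20 permit tcp any any
    30 deny ip host 10.1.1.6 any
    40 permit udp any any
    50 permit esp any any
    60 permit ip host 10.1.1.5 any
! Delete one entry of the named ACL by sequence number; the other entries stay in place
Router(config)# ip access-list extended TEST
Router(config-ext-nacl)# no 30
Router(config-ext-nacl)# exit
Router(config)# do show ip access-lists TEST
Extended IP access list TEST
    10 permit icmp any any
    20 permit tcp any any
    40 permit udp any any
    50 permit esp any any
    60 permit ip host 10.1.1.5 any
```

If a device shows entries out of sequence-number order after these steps, compare show ip access-lists with show running-config | section ip access-list on that box before rebuilding the list, so the output that does not match the documented ordering is captured for the TAC case.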