Using the ACL re-sequencing command in the correct manner: before or after lines are inserted?

MasoodA
Level 1

Greetings,

Trying to add some ACL lines to existing ones. I wonder how to use the re-sequencing command to prevent any packet losses, please. Like, should the re-sequencing command be run before inserting new lines, or after the new lines are inserted?

Regards,

MA


8 Replies

It is recommended to use lines 10, 20, 30; if so, when you later need to add a line there are 9 free lines between each ACL line.
If you already configured it, then use

ip access-list ?

<<- ? will give you some options; one of the options is the line number of the ACL.

re-sequence:
ip access-list resequence <ACL NAME or number> <start sequence number> <the lines you can add between two lines>

The other option, which I prefer so as not to drop any traffic:
create a new ACL using the Cisco recommended line numbers
and only under the interface change the name of the ACL from the old one to the new one.

Hi

What resequencing does is clear in this example:

Before:

Router# show ip access-lists
Extended IP access list Foo
    1 permit ip host 10.0.23.23 any
    2 permit ip host 10.0.23.76 any
    4 permit ip host 10.0.22.144 any
    10 permit tcp any any eq www
    15 permit tcp any any eq 8080
    20 permit tcp any any eq 443
    30 permit udp any any eq domain
    40 permit tcp 10.0.8.0 0.0.3.255 any eq smtp
    42 permit tcp 10.0.12.0 0.0.1.255 any eq smtp
    999 deny ip any any log

After:

Router(config)# ip access-list resequence Foo 10 10
Router(config)# do show ip access-lists
Extended IP access list Foo
    10 permit ip host 10.0.23.23 any
    20 permit ip host 10.0.23.76 any
    30 permit ip host 10.0.22.144 any
    40 permit tcp any any eq www
    50 permit tcp any any eq 8080
    60 permit tcp any any eq 443
    70 permit tcp any any eq 4343
    80 permit udp any any eq domain
    90 permit tcp 10.0.8.0 0.0.3.255 any eq smtp
    100 permit tcp 10.0.12.0 0.0.1.255 any eq smtp
    110 deny ip any any log

It keeps the sequencing in steps of 10 + 10 (you can use other sequencing also). This improves the readability.

Thank you. Yes, I know what re-sequencing does, but I was not clear at what point we issue the command: before adding new lines or after new lines are added?

Basically, what is the process by which we go about inserting new lines between current ACL entries, please?

Best Regards,

MA

You insert your ACL lines first, then you issue the re-sequencing command.

ip access-list standard 9
show access-list 9
ip access-list standard 9
10 permit tcp any any eq www
20 permit tcp any any eq 443
15 permit host 10.128.9.10
!
conf t
ip access-list standard 9
15 permit host 10.10.10.10
exit
ip access-list resequence 9 10 10
do sh ip access-list 9

 

Thank you.

However, my problem is that I have about 40 routers, all of which have, say, standard ACL 10. I need to insert three new lines, but using an automation application (a script to push config to all routers). These ACL 10s in each router don't all have similar sequence numbering: some start with 10, 20, etc., some others with 100, 110, etc., and this has made me think! I don't know how to deal with this unless I approach each router individually. I should have asked the question differently, I assume.

Best Regards,

Masood
Re-sequence before and after you add your lines.

If you go with the option of re-sequencing, then you will get some free lines between the old ACL lines; you can then use them to add any ACE.
But again, check the ACL after the re-sequence, and for backup use option 2: if the ACL is OK, then add the new ACE to the old ACL;
if there is an issue, then use the new ACL (complete with the additional ACEs) under the interface.

Joseph W. Doherty
Hall of Fame

From a packet loss perspective, I highly doubt resequencing itself/alone would have any impact at all.

When to do it would be up to you.

If you desired to add a new line when there is no "room" to insert, e.g. you have lines 1, 2 and 3, and you want to add a line between 2 and 3, you would need to re-sequence to permit the insertion.

If after insertion you desire to "neaten" your numbering, you would do it then, e.g. you start with 10 and 20, you add lines 12 and 14 (giving 10, 12, 14, 20), but you desire it to be 10, 20, 30, 40: re-sequence when done.
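The two open points in this thread are the "no room to insert" case Joseph describes and Masood's 40 routers whose ACL 10 entries are numbered differently. Both come down to reading each device's actual sequence numbers before deciding what to push. The following Python is an added example and not code from the thread or from Cisco: it parses `show ip access-lists` output (the sample listing is constructed, modelled on the "Before" example above), mirrors the renumbering that `ip access-list resequence <acl> <start> <step>` performs, and produces the per-device command list, resequencing first only when the chosen gap is too small for the new ACEs. The function names, the `(12 matches)` hit-counter handling and the even-spacing rule for new entries are this example's own choices.

```python
"""Planning ACL insertions across devices whose sequence numbers differ.

Added example, not code from the thread. It parses `show ip access-lists`
output, mirrors what `ip access-list resequence <acl> <start> <step>` does
to the numbering, and decides whether new ACEs fit after a chosen entry or
whether the ACL must be resequenced first.
"""
import re
from typing import Dict, List, Tuple

Entry = Tuple[int, str]  # (sequence number, ACE text without the number)

# Constructed sample, modelled on the "Before" listing in the thread.
SAMPLE_SHOW = """\
Extended IP access list Foo
    1 permit ip host 10.0.23.23 any
    2 permit ip host 10.0.23.76 any
    4 permit ip host 10.0.22.144 any
    10 permit tcp any any eq www
    15 permit tcp any any eq 8080 (12 matches)
    20 permit tcp any any eq 443
    30 permit udp any any eq domain
    40 permit tcp 10.0.8.0 0.0.3.255 any eq smtp
    42 permit tcp 10.0.12.0 0.0.1.255 any eq smtp
    999 deny ip any any log
"""

HEADER_RE = re.compile(r"^(Extended|Standard) IP access list (\S+)")
# Sequence number, ACE text, optional "(N matches)" hit counter at the end.
ACE_RE = re.compile(r"^\s+(\d+)\s+(.*?)(?:\s+\(\d+ matches?\))?\s*$")


def parse_show(text: str) -> Dict[str, Tuple[str, List[Entry]]]:
    """Return {acl_name: (kind, [(seq, ace), ...])} in display order.

    Hit counters are stripped so the ACE text can be re-issued as a
    configuration line unchanged.
    """
    acls: Dict[str, Tuple[str, List[Entry]]] = {}
    current = None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            current = h.group(2)
            acls[current] = (h.group(1).lower(), [])
            continue
        a = ACE_RE.match(line)
        if a and current is not None:
            acls[current][1].append((int(a.group(1)), a.group(2)))
    return acls


def resequence(entries: List[Entry], start: int = 10, step: int = 10) -> List[Entry]:
    """Renumber in the existing order, as `ip access-list resequence` does."""
    return [(start + i * step, ace) for i, (_, ace) in enumerate(entries)]


def plan_insert(name, kind, entries, after_seq, new_aces, start=10, step=10):
    """Return (commands, resulting_entries).

    The new ACEs go after the entry numbered `after_seq`. If the next entry
    leaves too few unused numbers, a resequence command is emitted first and
    the position is recomputed; an error is raised if even `step` is too small.
    """
    seqs = [s for s, _ in entries]
    if after_seq not in seqs:
        raise ValueError(f"sequence {after_seq} is not in ACL {name}")
    idx = seqs.index(after_seq)
    working = list(entries)
    commands: List[str] = []

    def bounds(ents: List[Entry]) -> Tuple[int, int]:
        cur = ents[idx][0]
        # After the last entry there is no neighbour: allow a full step per new ACE.
        nxt = ents[idx + 1][0] if idx + 1 < len(ents) else cur + step * (len(new_aces) + 1)
        return cur, nxt

    cur, nxt = bounds(working)
    if nxt - cur - 1 < len(new_aces):
        working = resequence(working, start, step)
        commands.append(f"ip access-list resequence {name} {start} {step}")
        cur, nxt = bounds(working)
        if nxt - cur - 1 < len(new_aces):
            raise ValueError(f"step {step} leaves no room for {len(new_aces)} ACEs")

    spacing = (nxt - cur) // (len(new_aces) + 1)  # spread evenly, keep room for later
    commands.append(f"ip access-list {kind} {name}")
    inserted = [(cur + n * spacing, ace) for n, ace in enumerate(new_aces, 1)]
    commands.extend(f"{seq} {ace}" for seq, ace in inserted)
    return commands, sorted(working + inserted)


if __name__ == "__main__":
    acl_kind, acl_entries = parse_show(SAMPLE_SHOW)["Foo"]
    cmds, _ = plan_insert("Foo", acl_kind, acl_entries, 1,
                          ["permit ip host 10.0.23.99 any", "permit ip host 10.0.23.100 any"])
    print("\n".join(cmds))
```

Because the plan is derived from each router's own listing, devices numbered 10, 20, 30 and devices numbered 100, 110, 120 each get the commands that fit their gaps, and the resequence step is only emitted where the gap is genuinely too small. After pushing, re-run `show ip access-lists` and compare against the returned `resulting_entries` to confirm the device ended up in the expected order.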
