
Access-list wrong order

steuwissen (Beginner)

Hi all,

I'm trying to edit an access-list, but I experience some problems.

I'm making the following changes:

1. Delete access-list 1

2. Install the commands below

access-list 1 remark == s1
access-list 1 permit ip address 1
access-list 1 remark ==> Network Management <==
access-list 1 remark == s2
access-list 1 permit ip address 2
access-list 1 permit ip address 3
access-list 1 remark == s3
access-list 1 permit ip address 4
access-list 1 remark ==> Scanning Appliances <==
access-list 1 remark == s4
access-list 1 permit ip address 5
access-list 1 permit ip address 6
access-list 1 remark == s5
access-list 1 permit ip address 7
access-list 1 permit ip address 8
access-list 1 permit ip address 9
access-list 1 remark == s6
access-list 1 permit ip address 10
access-list 1 permit ip address 11
access-list 1 permit ip address 12
access-list 1 remark == s7
access-list 1 permit ip address 13
access-list 1 permit ip address 14
access-list 1 permit ip address 15
access-list 1 permit ip address 16
access-list 1 remark == s8
access-list 1 permit ip address 17
access-list 1 permit ip address 18
access-list 1 remark == s9
access-list 1 permit ip address 19
access-list 1 deny any log

3. After issuing show running-config | include access-list 1, I receive this:

access-list 1 remark == s1
access-list 1 permit ip address 1
access-list 1 remark ==> Network Management <==
access-list 1 remark == s2
access-list 1 permit ip address 2
access-list 1 permit ip address 3
access-list 1 remark ==> Scanning Appliances <==
access-list 1 remark == s3
access-list 1 permit ip address 5
access-list 1 remark == s4
access-list 1 permit ip address 4
access-list 1 permit ip address 6
access-list 1 remark == s5
access-list 1 permit ip address 7
access-list 1 permit ip address 8
access-list 1 permit ip address 9
access-list 1 remark == s6
access-list 1 permit ip address 10
access-list 1 permit ip address 11
access-list 1 permit ip address 12
access-list 1 remark == s7
access-list 1 permit ip address 13
access-list 1 permit ip address 14
access-list 1 permit ip address 15
access-list 1 permit ip address 16
access-list 1 remark == s8
access-list 1 permit ip address 17
access-list 1 permit ip address 18
access-list 1 remark == s9
access-list 1 permit ip address 19
access-list 1 deny any log


What is going on here? How can I fix this? I noticed more engineers experience difficulties with these issues.
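The question is whether the reordering that show running-config displays actually changes what the ACL permits. The following Python script is an added example for this thread, not code from the poster or from Cisco: it parses two copies of a standard ACL (the order as typed and the order as displayed), reports which positions moved, and probes enough addresses to tell whether any address receives a different permit/deny verdict. The addresses in the constructed samples are made up for the example; the first pair swaps two non-overlapping host entries (as in the thread), the second pair swaps two overlapping entries, where order does change the policy.

```python
import ipaddress
import re

# Constructed sample (not the poster's real addresses): the entries in the
# order the engineer typed them, and the same ACL as 'show running-config'
# displayed it, with two host entries swapped as in the thread.
INTENDED = """\
access-list 1 remark == s3
access-list 1 permit 10.18.240.177
access-list 1 remark == s4
access-list 1 permit 10.18.241.139
access-list 1 permit 10.18.35.96
access-list 1 deny any log
"""
RUNNING = """\
access-list 1 remark == s3
access-list 1 permit 10.18.241.139
access-list 1 remark == s4
access-list 1 permit 10.18.240.177
access-list 1 permit 10.18.35.96
access-list 1 deny any log
"""
# Second constructed pair: the entries overlap, so their order matters.
INTENDED_OVERLAP = """\
access-list 2 deny 10.18.240.177
access-list 2 permit 10.18.240.0 0.0.0.255
"""
RUNNING_OVERLAP = """\
access-list 2 permit 10.18.240.0 0.0.0.255
access-list 2 deny 10.18.240.177
"""

REMARK_RE = re.compile(r"^access-list\s+\S+\s+remark\b")
ACE_RE = re.compile(r"^access-list\s+\S+\s+(permit|deny)\s+(.*?)(?:\s+log)?$")


def parse_source(tokens):
    """Map a standard-ACL source spec to an ip_network.

    Accepted forms: 'any', 'host A.B.C.D', 'A.B.C.D', 'A.B.C.D WILDCARD'.
    """
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1])
    if len(tokens) == 1 or tokens[1] == "0.0.0.0":
        # A bare address or an all-zero wildcard is a single host.  The explicit
        # check matters: ipaddress would read '/0.0.0.0' as a /0 netmask.
        return ipaddress.ip_network(tokens[0])
    # ipaddress accepts a wildcard (host mask) after the slash; strict=False
    # tolerates host bits set in the address, as IOS does.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)


def parse_acl(text):
    """Return [(action, network)] in listed order; remark lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or REMARK_RE.match(line):
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ACE: {line!r}")
        entries.append((m.group(1), parse_source(m.group(2).split())))
    return entries


def verdict(entries, addr):
    """First match wins, with the implicit deny at the end of every ACL."""
    ip = ipaddress.ip_address(addr)
    for action, net in entries:
        if ip in net:
            return action
    return "deny"


def compare_acls(intended_text, running_text):
    """Report moved positions and every probed address whose verdict differs."""
    a, b = parse_acl(intended_text), parse_acl(running_text)
    moved = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    moved += list(range(min(len(a), len(b)), max(len(a), len(b))))
    nets = [net for _, net in a + b]
    # Every run of addresses that is matched by the same set of rules starts
    # at a rule's network address or just after a nested rule's broadcast
    # address (and ends at a broadcast or just before a nested network), so
    # probing those addresses is enough to expose any verdict difference.
    probes = set()
    for net in nets:
        probes.update((net.network_address, net.broadcast_address))
        for other in nets:
            if other != net and other.subnet_of(net):
                for edge in (int(other.network_address) - 1, int(other.broadcast_address) + 1):
                    if int(net.network_address) <= edge <= int(net.broadcast_address):
                        probes.add(ipaddress.ip_address(edge))
    changed = sorted(str(p) for p in probes if verdict(a, str(p)) != verdict(b, str(p)))
    return {"reordered_positions": moved, "policy_changed_for": changed}


if __name__ == "__main__":
    print("host entries swapped:", compare_acls(INTENDED, RUNNING))
    print("overlapping entries swapped:", compare_acls(INTENDED_OVERLAP, RUNNING_OVERLAP))
```

For the thread's case (host entries with the same action, nothing overlapping) the script reports the moved positions but an empty policy_changed_for list, so the displayed order is cosmetic; the second pair shows the kind of reordering that would need to be caught before the ACL is applied.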

21 Replies

Julio E. Moisa (VIP Mentor)

Hi

If you remove a line of a numbered ACL, the whole ACL will be removed. To avoid that, you can use the following syntax:

ip access-list standard

*It will be treated as a named ACL without losing its (numbered) structure; I mean you will always see the ACL as numbered. This is used only to modify an ACL.

Then modify the ACL using sequence numbers, so you will be able to move a line up or down, insert a new line before or after another line, or remove a line without affecting the entire ACL. Example:

6 permit host 10.10.10.10   (sequence number 6)

no 6 permit host 10.10.10.10   (removing sequence 6)

Also, you can use the following command to verify the current sequence numbers in the ACL:

show access-list 1

Please rate the comment if it is useful or answered the question.

:-)




>> Mark as helpful or answered if the reply resolved your question; this helps future queries from other community members. <<

Hello Julio,

Thanks for your reply.

I have tried your solution; unfortunately it does not work completely. I noticed the sequence numbers are there when executing show access-list 1, but the out-of-order issue is still present when executing the show run command. There are no sequence numbers available for the remarks; could that be a problem?

Hi

Yes, through show run the sequence numbers will not be displayed; they are shown only with show access-list. I recommend inserting sequence numbers between the existing multiples, for example inserting the new line between 10 and 15 (11, 12, 13, 14), or first removing the line that you want to move and creating it again with the sequence number, for example:

no 10 permit host 10.1.1.1
4 permit host 10.1.1.1

Please keep me posted. 

:-)




>> Mark as helpful or answered if the reply resolved your question; this helps future queries from other community members. <<

Please have a look; after removing the standard access-list 1, I execute these commands:

remark s1
10 permit IP ADDRESS 1
remark s2
remark s3
20 permit IP ADDRESS 2
30 permit IP ADDRESS 3
remark s4
remark s5
40 permit IP ADDRESS 4
50 permit IP ADDRESS 5
remark s6
60 permit IP ADDRESS 6
remark s7
70 permit IP ADDRESS 7
80 permit IP ADDRESS 8
90 permit IP ADDRESS 9
remark s8
110 permit IP ADDRESS 10
120 permit IP ADDRESS 11
remark s9
130 permit IP ADDRESS 12
140 permit IP ADDRESS 13
150 permit IP ADDRESS 14
160 permit IP ADDRESS 15
remark s10
170 permit IP ADDRESS 16
180 permit IP ADDRESS 17
remark s11
190 permit IP ADDRESS 18
200 deny any log

show ip access list 1

10 permit 10.25.5.28
20 permit 10.61.3.10
30 permit 172.16.10.251
40 permit 10.18.240.177
60 permit 10.18.35.96
50 permit 10.18.241.139
70 permit 10.18.240.139
80 permit 172.16.10.200
90 permit 172.16.10.201
100 permit 10.18.240.100 (33 matches)
110 permit 10.18.241.101
120 permit 10.18.241.100
130 permit 10.18.240.101 (142 matches)
140 permit 172.16.10.10
150 permit 172.16.10.11
160 permit 10.18.241.51
170 permit 10.18.240.50
180 permit 10.18.241.50
190 permit 10.18.240.51
200 deny any log

sh run 

Same problem as the first time...

access-list 1 remark == s1
access-list 1 permit ip address 1
access-list 1 remark ==> Network Management <==
access-list 1 remark == s2
access-list 1 permit ip address 2
access-list 1 permit ip address 3
access-list 1 remark ==> Scanning Appliances <==
access-list 1 remark == s3
access-list 1 permit ip address 5
access-list 1 remark == s4
access-list 1 permit ip address 4
access-list 1 permit ip address 6
access-list 1 remark == s5
access-list 1 permit ip address 7
access-list 1 permit ip address 8
access-list 1 permit ip address 9
access-list 1 remark == s6
access-list 1 permit ip address 10
access-list 1 permit ip address 11
access-list 1 permit ip address 12
access-list 1 remark == s7
access-list 1 permit ip address 13
access-list 1 permit ip address 14
access-list 1 permit ip address 15
access-list 1 permit ip address 16
access-list 1 remark == s8
access-list 1 permit ip address 17
access-list 1 permit ip address 18
access-list 1 remark == s9
access-list 1 permit ip address 19
access-list 1 deny any log

Hi

Please check this link:

IP Access List Entry Sequence Numbering

Benefits

The ability to apply sequence numbers to IP access list entries simplifies access list changes. Prior to the IP Access List Entry Sequence Numbering feature, there was no way to specify the position of an entry within an access list. If a user wanted to insert an entry (statement) in the middle of an existing list, all of the entries after the desired position had to be removed, then the new entry was added, and then all the removed entries had to be reentered. This method was cumbersome and error prone.

This feature allows users to add sequence numbers to access list entries and resequence them. When a user adds a new entry, the user chooses the sequence number so that it is in a desired position in the access list. If necessary, entries currently in the access list can be resequenced to create room to insert the new entry.

Sequence Numbering Behavior

For backward compatibility with previous releases, if entries with no sequence numbers are applied, the first entry is assigned a sequence number of 10, and successive entries are incremented by 10. The maximum sequence number is 2147483647. If the generated sequence number exceeds this maximum number, the following message is displayed:

	Exceeded maximum sequence number.

If the user enters an entry without a sequence number, it is assigned a sequence number that is 10 greater than the last sequence number in that access list and is placed at the end of the list.

If the user enters an entry that matches an already existing entry (except for the sequence number), then no changes are made.

If the user enters a sequence number that is already present, the following error message is generated:

	Duplicate sequence number.

If a new access list is entered from global configuration mode, then sequence numbers for that access list are generated automatically.

Distributed support is provided so that the sequence numbers of entries in the Route Processor (RP) and line card (LC) are in synchronization at all times.

Sequence numbers are not nvgened. That is, the sequence numbers themselves are not saved. In the event that the system is reloaded, the configured sequence numbers revert to the default sequence starting number and increment. The function is provided for backward compatibility with software releases that do not support sequence numbering.

This feature works with named standard and extended IP access lists. Because the name of an access list can be designated as a number, numbers are acceptable.
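The sequence-numbering rules quoted above (first entry gets 10, each unnumbered entry gets last + 10, a maximum of 2147483647, duplicate sequence numbers rejected, identical entries silently ignored, resequencing, and numbers that are not saved across a reload) are easy to get wrong when planning an edit. The following Python class is an added educational model of those rules written for this thread; it is not Cisco code and does not talk to a device. The method names show_access_list and running_config are the model's own, chosen to mirror the two views discussed in the thread, and the edit_example walk-through uses addresses from the show output earlier in the thread.

```python
class SequencedAcl:
    """Model of the IOS sequence-number rules for one access list (educational
    model for this thread, not Cisco code)."""

    STEP = 10
    MAX_SEQ = 2147483647

    def __init__(self):
        self.entries = {}  # sequence number -> ACE text, e.g. "permit 10.1.1.1"

    def add(self, ace, seq=None):
        """Add an entry; return the sequence number used, or None if ignored."""
        if ace in self.entries.values():
            return None  # an entry that already exists (except for seq): no change
        if seq is None:
            # Unnumbered entry: 10 greater than the last one, appended at the end.
            seq = max(self.entries, default=0) + self.STEP
            if seq > self.MAX_SEQ:
                raise ValueError("Exceeded maximum sequence number.")
        elif seq in self.entries:
            raise ValueError("Duplicate sequence number.")
        self.entries[seq] = ace
        return seq

    def remove(self, seq):
        """'no <seq> ...' deletes one entry and leaves the rest untouched."""
        del self.entries[seq]

    def resequence(self, start=10, step=10):
        """'ip access-list resequence <acl> <start> <step>': renumber in order."""
        ordered = [self.entries[s] for s in sorted(self.entries)]
        self.entries = {start + i * step: ace for i, ace in enumerate(ordered)}

    def reload(self):
        """Sequence numbers are not nvgened, so after a reload they are
        regenerated from the default start (10) and increment (10)."""
        self.resequence(10, 10)

    def show_access_list(self):
        """What 'show access-list' prints: entries with their sequence numbers."""
        return [f"{s} {self.entries[s]}" for s in sorted(self.entries)]

    def running_config(self):
        """What 'show running-config' prints: the entries without numbers."""
        return [ace for _, ace in sorted(self.entries.items())]


def safe_add(acl, ace, seq=None):
    """Wrap add() so callers see the IOS-style message instead of an exception."""
    try:
        return ("ok", acl.add(ace, seq))
    except ValueError as err:
        return ("error", str(err))


def edit_example():
    """Walk through the edit discussed in the thread and return both views."""
    acl = SequencedAcl()
    for ace in ("permit 10.25.5.28", "permit 10.61.3.10",
                "permit 172.16.10.251", "deny any log"):
        acl.add(ace)  # auto-numbered 10, 20, 30, 40
    acl.add("permit 10.18.240.177", seq=15)  # insert between 10 and 20
    ignored = acl.add("permit 10.61.3.10", seq=25)  # identical entry: ignored
    acl.remove(20)  # 'no 20 permit 10.61.3.10'
    before_reload = acl.show_access_list()
    acl.reload()  # numbers revert to 10, 20, 30, 40; order is preserved
    return before_reload, acl.show_access_list(), acl.running_config(), ignored


if __name__ == "__main__":
    for view in edit_example()[:3]:
        print(view)
```

The model makes the thread's observation explicit: sequence numbers control where an entry sits and let you delete a single line, but they are a view over the ordered entries rather than part of the saved configuration, which is why show running-config never shows them and why a reload renumbers everything from 10.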