Buy or Renew
Buy or Renew
COMING SOON: Umbrella and Secure Access release notes are coming to Cisco Community. The community will be in read-only August 16 – 19. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
35523
Views
27
Helpful
16
Replies

ACL and sequence numbers

tolinrome tolinrome
Level 1
Level 1

‎01-01-2014 01:13 PM - edited ‎03-10-2019 12:25 PM

I had the first two lines in the access list and all was well, I then added the 3rd. From what I need to put the 3rd entry (deny host 10.1.30.51) after the second entry and before the permit any. Even though I created sequence numbers in order of the 3 entries (10,20,30) the sequence numbers didnt put them in order and they dont even show up in the show run. What went wrong? How is it possible to edit an acl without sequence numbers also?

Cause if I had:

10 deny x.x.x.x

20 deny x.x.x.x

30 permit any

Then I could add say 15 deny x.x.x.x, but now I cant and I dont even know what happened to the sequence numbers when I created them.

Thanks.

Standard IP access list 1

    deny host 10.1.30.50 (4 match(es))

    permit any (8 match(es))

    deny host 10.1.30.51

Router#

Labels:
0 Helpful
16 Replies 16

osvaldo27
Level 1
Level 1
In response to Joseph W. Doherty

‎04-17-2019 06:02 PM

Hello, 

 

It's simple to do it, but before edit with the sequence number you want, you must first deny the current number which has the line you want to edit. I'm gonna give an example to simplify. 

 

In this example below I was blocking SSH on a class C network, and then I edited to block a class B network. (Ignore the IP when I talk about classes, I'm talking about mask).

 

 

 

ROUTER2#sh ip access-lists
Extended IP access list NO_SSH
10 deny tcp any 172.17.20.0 0.0.0.255 eq 22
20 permit ip any any (7653 match(es))

ROUTER2# conf t
Enter configuration commands, one per line. End with CNTL/Z.

ROUTER2(config)#ip access-list extended NO_SSH
ROUTER2(config-ext-nacl)#no 10 Here I denied the previous line which has the class C network mask
ROUTER2(config-ext-nacl)#10 deny tcp 172.17.0.0 0.0.255.255 any eq 22
ROUTER2(config-ext-nacl)#exit
ROUTER2(config)#exit
ROUTER2#
%SYS-5-CONFIG_I: Configured from console by console

ROUTER2#
ROUTER2#sh ip ac
ROUTER2#sh ip access-lists
Extended IP access list NO_SSH
10 deny tcp 172.17.0.0 0.0.255.255 any eq 22
20 permit ip any any (7779 match(es))

ROUTER2#cop
ROUTER2#copy r st
Destination filename [startup-config]?
Building configuration...
[OK]

0 Helpful

mcgavel9000
Level 1
Level 1
In response to Collin Clark

‎03-16-2014 12:27 AM

Sequence numbers are used by every type of ACL to edit the ACEs, including standard numbered and named ACLs. The only other way to edit an existing ACL is to copy it from the running-config, edit with a text editor, delete the old ACL from the device, then paste the new ACL into the device.

Packet Tracer shows sequence numbers for all types of named ACLs only. However, a standard numbered ACL can still be edited by sequence number in Packet Tracer...You just have to realize that the first sequence number (even though it's not shown in PT) is 10 and the increment is 10.

Have a great day! I love Cisco!!! :)

Preview file
85 KB
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card