09-13-2017 06:34 PM - edited 03-08-2019 12:01 PM
Hi all
I notice my ACL has sequence numbers that are not in order. I thought the sequence numbers should automagically go in order, for example 10, 20, 30, etc.
Switch#sh access-lists
Standard IP access list 99
30 permit 172.18.1.2 (328056 matches)
10 permit 172.18.1.3 (417138 matches)
20 permit 172.18.1.4 (875236 matches)
09-13-2017 07:50 PM
Hi,
That is correct. The ACL sequence numbers should be in order (10, 20, 30, etc.).
It may be a bug in the IOS you are running.
HTH
09-13-2017 08:32 PM - edited 09-13-2017 08:46 PM
Hi
Try to use a named ACL instead of a numbered ACL, for example:
ip access-list standard MY-NETWORKS
permit 1.1.1.0 0.0.0.255
permit host 2.2.2.2
permit 3.3.3.3 0.0.0.0
Add a new entry and please verify again. Also you could try using:
ip access-list standard 99
10 permit 1.1.1.0 0.0.0.255
20 permit host 2.2.2.2
30 permit 3.3.3.3 0.0.0.0
:-)
05-17-2018 10:41 AM
I have this same problem and I've tested it on two versions; IOS-15.6.2 and XE-16.07.
If I enter this:
ip access-list standard TEST
permit 10.128.2.94
permit 10.190.9.100
permit 10.216.190.46
I end up with this
Standard IP access list TEST
30 permit 10.216.190.46
10 permit 10.128.2.94
20 permit 10.190.9.100
A little more detail:
05-17-2018 12:47 PM
Estimated,
Please read the last reply from this post https://supportforums.cisco.com/t5/lan-switching-and-routing/access-list-wrong-order/td-p/3070419
Do not forget to rate useful answers.
Best Regards,
05-17-2018 02:11 PM
@Diana Karolina Rojas wrote:
Estimated,
Please read the last reply from this post https://supportforums.cisco.com/t5/lan-switching-and-routing/access-list-wrong-order/td-p/3070419
Do not forget to rate useful answers.
Best Regards,
That definitely answers it. Thank you!!
10-07-2022 06:34 AM
Hi Brian, did you solve this one?
10-07-2022 06:46 AM
Post this in a separate post.
06-14-2018 01:06 AM
The sequence numbers are only visible in a "show access-list" and not in a show run. If you want to add a line at a specific position, just take an unused sequence number and add the new line. It will be added at the right place:
c1841#sh access-lists
Extended IP access list TEST
10 permit icmp any any (5 matches)
20 permit udp any any
30 permit esp any any
c1841(config)#ip access-list ext TEST
c1841(config-ext-nacl)#15 permit tcp any any
c1841(config-ext-nacl)#
c1841(config-ext-nacl)#do sh ip access-list TEST
Extended IP access list TEST
10 permit icmp any any (5 matches)
15 permit tcp any any
20 permit udp any any
30 permit esp any any
c1841(config-ext-nacl)#
You can also renumber your ACLs if you want to.
c1841(config)#ip access-list resequence TEST 50 20
c1841(config)#
c1841(config)#do sh ip access-list TEST
Extended IP access list TEST
50 permit icmp any any
70 permit tcp any any
90 permit udp any any
110 permit esp any any
c1841(config)#
06-14-2018 01:30 AM - edited 06-14-2018 01:34 AM
Hello
ip access-list resequence 99 10 10
That should put them in order, starting with the first ACE statement at 10 and incrementing by 10.
res
Paul
02-16-2024 12:14 PM
@paul driver Thank you! That works!
This should be marked as an accepted solution!
10-07-2022 06:39 AM
Any solution to this?
10-07-2022 08:24 AM
If you read this discussion there is a very excellent explanation of this behavior by Peter Paluch.
https://supportforums.cisco.com/t5/lan-switching-and-routing/access-list-wrong-order/td-p/3070419
His point is that this is an intended behavior, it is not a bug/defect and it does not need to be fixed.
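An added example, not written by any poster in this thread: a small Python audit that parses saved "show access-lists" output, flags every list whose displayed sequence numbers are not ascending, and prints the resequence command suggested above for it. The sample text is constructed from the outputs quoted in the thread; the function names and the 10/10 defaults are assumptions of this example.

```python
import re

# Constructed sample: two "show access-lists" outputs quoted in the thread.
SAMPLE = """\
Standard IP access list 99
    30 permit 172.18.1.2 (328056 matches)
    10 permit 172.18.1.3 (417138 matches)
    20 permit 172.18.1.4 (875236 matches)
Extended IP access list TEST
    10 permit icmp any any (5 matches)
    15 permit tcp any any
    20 permit udp any any
    30 permit esp any any
"""

HEADER = re.compile(r"^(Standard|Extended) IP access list (\S+)\s*$")
# Sequence number, then the rule text, then an optional "(N matches)" counter.
ENTRY = re.compile(
    r"^\s*(\d+)\s+((?:permit|deny)\b.*?)(?:\s+\(\d+ match(?:es)?\))?\s*$"
)

def parse_acls(text):
    """Return {name: [(seq, rule), ...]} in the order the device displayed them."""
    acls, current = {}, None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            current = acls.setdefault(header.group(2), [])
            continue
        entry = ENTRY.match(line)
        if entry and current is not None:
            current.append((int(entry.group(1)), entry.group(2)))
    return acls

def audit(text, start=10, step=10):
    """Map each ACL displayed out of sequence order to a resequence command."""
    findings = {}
    for name, entries in parse_acls(text).items():
        seqs = [seq for seq, _ in entries]
        if seqs != sorted(seqs):
            findings[name] = f"ip access-list resequence {name} {start} {step}"
    return findings

if __name__ == "__main__":
    for name, command in audit(SAMPLE).items():
        print(f"{name}: displayed out of sequence order; candidate: {command}")
```

Run it against saved output from each device and review the flagged lists before entering any command on the switch.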