
ACL sequence number not in order

sj1031
Level 1

Hi all

I notice my ACL has sequence numbers that are not in order. I thought the sequence numbers should automagically go in order, for example 10, 20, 30 ... etc.

 

Switch#sh access-lists

Standard IP access list 99
    30 permit 172.18.1.2 (328056 matches)
    10 permit 172.18.1.3 (417138 matches)
    20 permit 172.18.1.4 (875236 matches)

13 Replies

Reza Sharifi
Hall of Fame

Hi,

That is correct. The ACL sequence number should be in order (10, 20, 30, etc..)

It may be a bug in the IOS you are running.

HTH

Hi

Try to use a named ACL instead of a numbered ACL, for example:

ip access-list standard MY-NETWORKS
 permit 1.1.1.0 0.0.0.255
 permit host 2.2.2.2
 permit 3.3.3.3 0.0.0.0

 

Add a new entry and please verify again.  Also you could try using:

ip access-list standard 99
 10 permit 1.1.1.0 0.0.0.255
 20 permit host 2.2.2.2
 30 permit 3.3.3.3 0.0.0.0

 

:-)




>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<

Brian M
Level 1

I have this same problem and I've tested it on two versions: IOS-15.6.2 and XE-16.07.

 

If I enter this:

ip access-list standard TEST
 permit 10.128.2.94
 permit 10.190.9.100
 permit 10.216.190.46

 

I end up with this

Standard IP access list TEST
30 permit 10.216.190.46
10 permit 10.128.2.94
20 permit 10.190.9.100

 

A little more detail:

  • It's always out of order in the same way on the different devices.
  • Extended ACLs don't seem to have this issue.
  • It only does this when I enter a host address (as opposed to subnet/wildcard).
  • If I enter a subnet & wildcard it's always in the correct order (the order I added it).
  • Even if I enter it as permit host x.x.x.x, it'll still go out of order.

Estimated,

 

 

Please read the last reply from this post https://supportforums.cisco.com/t5/lan-switching-and-routing/access-list-wrong-order/td-p/3070419

Do not forget to rate useful answers.

 

Best Regards,


@Diana Karolina Rojas wrote:

Estimated,

 

 

Please read the last reply from this post https://supportforums.cisco.com/t5/lan-switching-and-routing/access-list-wrong-order/td-p/3070419

Do not forget to rate useful answers.

 

Best Regards,


That is definitely the answer, thank you!!

 

Hi Brian, did you solve this one?

post this in separate post. 

The sequence numbers are only visible in a "show access-list" and not in a show run. If you want to add a line at a specific position, just take an unused sequence number and add the new line. It will be added at the right place:

c1841#sh access-lists
Extended IP access list TEST
    10 permit icmp any any (5 matches)
    20 permit udp any any
    30 permit esp any any

c1841(config)#ip access-list ext TEST
c1841(config-ext-nacl)#15 permit tcp any any
c1841(config-ext-nacl)#
c1841(config-ext-nacl)#do sh ip access-list TEST
Extended IP access list TEST
    10 permit icmp any any (5 matches)
    15 permit tcp any any
    20 permit udp any any
    30 permit esp any any
c1841(config-ext-nacl)#

You can also renumber your ACLs if you want to.

c1841(config)#ip access-list resequence TEST 50 20
c1841(config)#
c1841(config)#do sh ip access-list TEST
Extended IP access list TEST
    50 permit icmp any any
    70 permit tcp any any
    90 permit udp any any
    110 permit esp any any
c1841(config)#

Hello

ip access-list resequence 99 10 10
That should put them in order, starting with the first ACE statement at 10 and incrementing by 10.

res

Paul

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
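As an added illustration (not code from this thread or from Cisco), the Python below parses the `show access-lists` output quoted in the posts above and models the two operations the thread describes: adding an ACE at an unused sequence number (the `15 permit tcp any any` step) and `ip access-list resequence NAME start step`. The sample outputs are constructed from the lines Brian M and the c1841 post quoted; the parser's regular expressions, the `(N matches)` handling and the behaviour of the model (renumbering in sequence order, hit counters carried along unchanged) are my assumptions, not something the page states. The practical use for an auditor is the `is_displayed_in_sequence` check: it separates "the device shows a standard ACL's host entries in a different order" (the behaviour the linked explanation calls intended) from "the sequence numbers themselves are wrong", which the thread shows they are not.

```python
import re

# Constructed sample inputs, copied from the outputs quoted in the thread.
# Standard ACL with three host entries, displayed out of sequence order.
SAMPLE_STANDARD = """Standard IP access list TEST
30 permit 10.216.190.46
10 permit 10.128.2.94
20 permit 10.190.9.100
"""

# Extended ACL from the c1841 post, displayed in sequence order.
SAMPLE_EXTENDED = """Extended IP access list TEST
    10 permit icmp any any (5 matches)
    20 permit udp any any
    30 permit esp any any
"""

# Assumed line formats: a header line, then one ACE per line with an optional
# trailing "(N matches)" hit counter.
HEADER_RE = re.compile(r"^(Standard|Extended) IP access list (\S+)\s*$")
ACE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\((\d+) matches\))?\s*$")


def parse_show_access_list(text):
    """Return (kind, name, entries); entries are (seq, action, match, hits)
    in the order the device displayed them, not in sequence order."""
    kind = name = None
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HEADER_RE.match(line)
        if m:
            kind, name = m.group(1), m.group(2)
            continue
        m = ACE_RE.match(line)
        if m:
            hits = int(m.group(4)) if m.group(4) else 0
            entries.append((int(m.group(1)), m.group(2), m.group(3), hits))
    if kind is None:
        raise ValueError("no access-list header found")
    return kind, name, entries


def is_displayed_in_sequence(entries):
    """True when the display order already matches ascending sequence numbers."""
    seqs = [e[0] for e in entries]
    return seqs == sorted(seqs)


def by_sequence(entries):
    """The ACL as ordered by its sequence numbers, whatever the device printed."""
    return sorted(entries, key=lambda e: e[0])


def insert_ace(entries, seq, action, match):
    """Model typing '<seq> <action> <match>' inside a named ACL: the number must be
    unused, and the new ACE lands between its neighbours by sequence."""
    if any(e[0] == seq for e in entries):
        raise ValueError(f"sequence {seq} already in use")
    return by_sequence(entries + [(seq, action, match, 0)])


def resequence(entries, start, step):
    """Model 'ip access-list resequence NAME start step': renumber the ACEs in
    sequence order starting at start and incrementing by step (assumption:
    hit counters are carried over unchanged)."""
    return [(start + i * step, a, m, h)
            for i, (_, a, m, h) in enumerate(by_sequence(entries))]


def render(kind, name, entries):
    """Print the ACL in the same layout as the device output."""
    lines = [f"{kind} IP access list {name}"]
    for seq, action, match, hits in entries:
        suffix = f" ({hits} matches)" if hits else ""
        lines.append(f"    {seq} {action} {match}{suffix}")
    return "\n".join(lines)


if __name__ == "__main__":
    kind, name, std = parse_show_access_list(SAMPLE_STANDARD)
    print("standard ACL displayed in sequence order:", is_displayed_in_sequence(std))
    print(render(kind, name, resequence(std, 10, 10)))   # Paul's 'resequence 99 10 10'
    kind, name, ext = parse_show_access_list(SAMPLE_EXTENDED)
    ext = insert_ace(ext, 15, "permit", "tcp any any")    # the c1841 '15 permit tcp any any' step
    print(render(kind, name, resequence(ext, 50, 20)))    # 'resequence TEST 50 20'
```

Running the script reproduces the thread's `50 / 70 / 90 / 110` result for the extended ACL and shows that sorting Brian's standard ACL by sequence number recovers the order he typed the entries in.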

@paul driver Thank you! That works!

This should be marked as an accepted solution!

steliosandreou
Level 1

Any solution to this?

 

If you read this discussion there is a very excellent explanation of this behavior by Peter Paluch.

https://supportforums.cisco.com/t5/lan-switching-and-routing/access-list-wrong-order/td-p/3070419

His point is that this is intended behavior; it is not a bug/defect and it does not need to be fixed.

HTH

Rick