Advanced Access-List Editing
Problem
You want to edit an existing ACL directly on the router itself.
Solution
You can insert a single entry into an existing ACL by specifying a sequence number, as follows:
Router2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router2(config)#ip access-list extended OREILLY
Router2(config-ext-nacl)#12 permit tcp any host 172.25.100.100 eq 20
Router2(config-ext-nacl)#end
Router2#
The following commands show how to tell the router to automatically readjust the sequence numbers:
Router2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router2(config)#ip access-list resequence OREILLY 10 10
Router2(config)#end
Router2#
And you can remove an individual entry from an existing ACL by using the keyword no followed by the sequence number of the line you wish to delete:
Router2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router2(config)#ip access-list extended OREILLY
Router2(config-ext-nacl)#no 60
Router2(config-ext-nacl)#end
Router2#
Discussion
Beginning with IOS Version 12.3(2)T, Cisco introduced the ability to edit ACLs in place using ACL entry sequence numbering. By default, the router automatically assigns a sequence number to each ACL entry, starting at 10 and incrementing by 10. The following is the sample ACL used throughout this recipe. Notice the sequence numbers at the far left of each line:
Router2#show ip access-lists OREILLY
Extended IP access list OREILLY
    10 permit tcp any host 172.25.100.100 eq www
    20 permit tcp any host 172.25.100.100 eq telnet
    30 permit tcp any host 172.25.100.100 eq smtp
    40 permit tcp any host 172.25.100.100 eq pop3
    50 permit tcp any host 172.25.100.100 eq cmd
    60 permit tcp any host 172.25.100.100 eq ftp
    70 deny ip any host 172.25.100.100
    80 permit ip any any
Router2#
The introduction of sequence numbering means you can now remove, edit, or add ACL entries at any position in the list. This is an extremely useful and long overdue feature.
By default, if you don't specify a sequence number, a new ACL entry is appended to the bottom of the ACL, as has always been the case. If you do specify a sequence number, the new entry is inserted at that position. In the next example, let's add a new ACL entry and assign it sequence number 12:
Router2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router2(config)#ip access-list extended OREILLY
Router2(config-ext-nacl)#12 permit tcp any host 172.25.100.100 eq 20
Router2(config-ext-nacl)#end
Router2#
Now, let's look at the ACL:
Router2#show ip access-lists OREILLY
Extended IP access list OREILLY
    10 permit tcp any host 172.25.100.100 eq www
    12 permit tcp any host 172.25.100.100 eq ftp-data
    20 permit tcp any host 172.25.100.100 eq telnet
    30 permit tcp any host 172.25.100.100 eq smtp
    40 permit tcp any host 172.25.100.100 eq pop3
    50 permit tcp any host 172.25.100.100 eq cmd
    60 permit tcp any host 172.25.100.100 eq ftp
    70 deny ip any host 172.25.100.100
    80 permit ip any any
Router2#
Notice that the new ACL entry was inserted into the existing ACL at position 12, and that the router translated port 20 into its keyword, ftp-data. To accomplish this in the past, you would have had to delete the entire ACL, modify it in a text editor of some sort, and then add the whole ACL back into the router configuration.
The default numbering scheme leaves room for up to nine new ACL entries between any two existing entries, but what happens if you need more? Cisco has added the ability to resequence the ACL numbering scheme, which gives you room to expand. The resequence command takes two numbers: the first is the sequence number assigned to the first entry, and the second is the increment between entries. Let's resequence the ACL to start at sequence number 10 with increments of 10:
Router2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router2(config)#ip access-list resequence OREILLY 10 10
Router2(config)#end
Router2#
Let's view the ACL again:
Router2#show ip access-lists OREILLY
Extended IP access list OREILLY
    10 permit tcp any host 172.25.100.100 eq www
    20 permit tcp any host 172.25.100.100 eq ftp-data
    30 permit tcp any host 172.25.100.100 eq telnet
    40 permit tcp any host 172.25.100.100 eq smtp
    50 permit tcp any host 172.25.100.100 eq pop3
    60 permit tcp any host 172.25.100.100 eq cmd
    70 permit tcp any host 172.25.100.100 eq ftp
    80 deny ip any host 172.25.100.100
    90 permit ip any any
Router2#
Notice that ACL entry 12 has become sequence number 20, and every entry after it has been renumbered in increments of 10. We note in passing that sequence numbers are not stored in the configuration file, which preserves backward compatibility with earlier IOS versions. It also means that the router assigns default sequence numbers again after a reboot, so always confirm the current numbering with show ip access-lists before deleting or inserting by sequence number rather than relying on numbers recorded earlier. The router does ensure that ACL entries are stored in the correct order within the configuration file.
To remove a particular ACL entry, use the following command:
Router2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router2(config)#ip access-list extended OREILLY
Router2(config-ext-nacl)#no 60
Router2(config-ext-nacl)#end
Router2#
Notice that you don't need to specify the entire ACL line, just the sequence number you wish to delete. Now if we view the ACL again, we'll see that ACL entry 60 is gone:
Router2#show ip access-lists OREILLY
Extended IP access list OREILLY
    10 permit tcp any host 172.25.100.100 eq www
    20 permit tcp any host 172.25.100.100 eq ftp-data
    30 permit tcp any host 172.25.100.100 eq telnet
    40 permit tcp any host 172.25.100.100 eq smtp
    50 permit tcp any host 172.25.100.100 eq pop3
    70 permit tcp any host 172.25.100.100 eq ftp
    80 deny ip any host 172.25.100.100
    90 permit ip any any
Router2#
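To make the three operations above concrete, here is an added Python model of IOS sequence-number editing (not code from the Cookbook or from Cisco) that replays the insert, resequence, and delete steps against the OREILLY list from this recipe; the Acl class, its method names, and the duplicate-sequence error text are assumptions made for the example.

```python
# Added model of IOS ACL sequence-number editing; not Cisco code. Assumed
# semantics from the recipe: entries stay sorted by sequence number, an
# unnumbered entry is appended at last+10, an existing number is rejected.
from dataclasses import dataclass, field

@dataclass
class Acl:
    name: str
    entries: dict = field(default_factory=dict)  # seq -> ACE text, kept sorted

    def add(self, ace, seq=None):
        """Model '<seq> permit ...' entered in ip access-list extended mode."""
        if seq is None:
            seq = max(self.entries, default=0) + 10  # default: bottom of the list
        if seq in self.entries:
            raise ValueError(f"% Duplicate sequence number {seq}")  # text assumed
        self.entries[seq] = ace
        self.entries = dict(sorted(self.entries.items()))

    def remove(self, seq):
        """Model 'no <seq>': delete one entry by its sequence number only."""
        del self.entries[seq]

    def resequence(self, start, step):
        """Model 'ip access-list resequence NAME start step'."""
        self.entries = {start + i * step: ace
                        for i, ace in enumerate(self.entries.values())}

    def room_after(self, seq):
        """Free sequence numbers between seq and the next entry (None if last)."""
        later = [s for s in self.entries if s > seq]
        return min(later) - seq - 1 if later else None

def build_oreilly():
    """The OREILLY list as first shown on the page (constructed from it)."""
    acl = Acl("OREILLY")
    for port in ("www", "telnet", "smtp", "pop3", "cmd", "ftp"):
        acl.add(f"permit tcp any host 172.25.100.100 eq {port}")
    acl.add("deny ip any host 172.25.100.100")
    acl.add("permit ip any any")
    return acl

def replay_page_edits():
    """Insert at 12, resequence 10 10, then 'no 60', exactly as on the page."""
    acl = build_oreilly()
    acl.add("permit tcp any host 172.25.100.100 eq ftp-data", seq=12)
    acl.resequence(10, 10)
    acl.remove(60)  # after resequencing, 60 is the 'cmd' entry
    return acl
```

The room_after check reproduces the recipe's observation that the default numbering leaves nine free slots between neighbouring entries, and shows how an insert at 12 shrinks that gap until you resequence.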
See Also
Recipe 19.1