Advanced Access-List Editing

Problem

You want to edit an existing ACL directly on the router itself.

Solution

You can insert a single entry into an existing ACL by specifying a sequence number, as follows:

Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#ip access-list extended OREILLY
Router2(config-ext-nacl)#12 permit tcp any host 172.25.100.100 eq 20
Router2(config-ext-nacl)#end
Router2#

The following commands show how to tell the router to automatically readjust the sequence numbers:

Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#ip access-list resequence OREILLY 10 10
Router2(config)#end
Router2#

And you can remove an individual entry from an existing ACL by just using the keyword no and the sequence number of the line you wish to delete:

Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#ip access-list extended OREILLY
Router2(config-ext-nacl)#no 60
Router2(config-ext-nacl)#end
Router2#

Discussion

Beginning with IOS Version 12.3(2)T, Cisco introduced the ability to edit ACLs using ACL entry sequence numbering. By default, the router automatically assigns a sequence number to each ACL entry, starting at 10 and counting up in increments of 10. The following is a sample ACL. Notice the sequence numbers on the far left of each line:

Router2#show ip access-lists OREILLY
Extended IP access list OREILLY
10 permit tcp any host 172.25.100.100 eq www
20 permit tcp any host 172.25.100.100 eq telnet
30 permit tcp any host 172.25.100.100 eq smtp
40 permit tcp any host 172.25.100.100 eq pop3
50 permit tcp any host 172.25.100.100 eq cmd
60 permit tcp any host 172.25.100.100 eq ftp
70 deny ip any host 172.25.100.100
80 permit ip any any
Router2#

The introduction of sequence numbering means you can now remove, edit, or add ACL entries in any sequence. This is an extremely useful and long overdue feature.

By default, if you don't specify a sequence number, new ACL entries are added to the bottom of the ACL, as has always been the case. However, if you specify a particular sequence number, you can insert a new ACL entry at any position. In the next example, let's add a new ACL entry and assign it sequence number 12:

Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#ip access-list extended OREILLY
Router2(config-ext-nacl)#12 permit tcp any host 172.25.100.100 eq 20
Router2(config-ext-nacl)#end
Router2#

Now, let's look at the ACL:

Router2#show ip access-lists OREILLY
Extended IP access list OREILLY
10 permit tcp any host 172.25.100.100 eq www
12 permit tcp any host 172.25.100.100 eq ftp-data
20 permit tcp any host 172.25.100.100 eq telnet
30 permit tcp any host 172.25.100.100 eq smtp
40 permit tcp any host 172.25.100.100 eq pop3
50 permit tcp any host 172.25.100.100 eq cmd
60 permit tcp any host 172.25.100.100 eq ftp
70 deny ip any host 172.25.100.100
80 permit ip any any
Router2#

Notice that our new ACL entry inserted itself into the existing ACL at the position its sequence number dictates. To accomplish this feat in the past, you would have had to delete the entire ACL, modify it in a text editor of some sort on another system, and then add the new ACL back into the router configuration.

The default numbering scheme leaves room for up to nine new ACL entries between two existing ACL entries, but what happens if you want to add more? Cisco has added the ability to resequence the ACL numbering scheme, which gives you room to expand. Let's resequence the ACL so that it starts at sequence number 10 (the first number in the command) and uses increments of 10 (the second number in the command):

Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#ip access-list resequence OREILLY 10 10
Router2(config)#end
Router2#

Let's view the ACL again:

Router2#show ip access-lists OREILLY
Extended IP access list OREILLY
10 permit tcp any host 172.25.100.100 eq www
20 permit tcp any host 172.25.100.100 eq ftp-data
30 permit tcp any host 172.25.100.100 eq telnet
40 permit tcp any host 172.25.100.100 eq smtp
50 permit tcp any host 172.25.100.100 eq pop3
60 permit tcp any host 172.25.100.100 eq cmd
70 permit tcp any host 172.25.100.100 eq ftp
80 deny ip any host 172.25.100.100
90 permit ip any any
Router2#

Notice that ACL entry 12 has changed to sequence number 20, and all of the entries after it now go up in increments of 10. We note in passing that sequence numbers are not stored in the configuration file, which provides for backward compatibility with older IOS versions. It also means that the router assigns default sequence numbers again after a reboot, so any custom numbering you created with resequencing is not preserved. The router does ensure that ACL entries are stored in the correct order within the configuration file, so the ACL's behavior is unaffected.

To remove a particular ACL entry, use the following command:

Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#ip access-list extended OREILLY
Router2(config-ext-nacl)#no 60
Router2(config-ext-nacl)#end
Router2#

Notice that you don't need to specify the entire ACL line, just the sequence number of the entry you wish to delete. Now if we view the ACL again, we'll see that ACL entry 60 is gone:

Router2#show ip access-lists OREILLY
Extended IP access list OREILLY
10 permit tcp any host 172.25.100.100 eq www
20 permit tcp any host 172.25.100.100 eq ftp-data
30 permit tcp any host 172.25.100.100 eq telnet
40 permit tcp any host 172.25.100.100 eq smtp
50 permit tcp any host 172.25.100.100 eq pop3
70 permit tcp any host 172.25.100.100 eq ftp
80 deny ip any host 172.25.100.100
90 permit ip any any
Router2#
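The three edits above (insert by sequence number, resequence, delete by sequence number) can be dry-run offline before they are typed on a router. The following Python model is an added example, not Cisco code or part of the recipe: it parses the show ip access-lists listing shown earlier and applies the same edits; PORT_NAMES is an assumed lookup table standing in for the way IOS displays well-known ports by name (the recipe's eq 20 shows as eq ftp-data).

```python
"""Dry-run model of the IOS ACL sequence-number edits in this recipe (added
example, not Cisco code). PORT_NAMES is an assumed table: IOS prints
well-known ports by name, so the recipe's `eq 20` is shown as `eq ftp-data`."""

# Constructed input: the initial OREILLY listing from the recipe.
SHOW_OUTPUT = """\
Extended IP access list OREILLY
10 permit tcp any host 172.25.100.100 eq www
20 permit tcp any host 172.25.100.100 eq telnet
30 permit tcp any host 172.25.100.100 eq smtp
40 permit tcp any host 172.25.100.100 eq pop3
50 permit tcp any host 172.25.100.100 eq cmd
60 permit tcp any host 172.25.100.100 eq ftp
70 deny ip any host 172.25.100.100
80 permit ip any any
"""
PORT_NAMES = {"20": "ftp-data"}  # assumed: only the port the recipe uses

def parse_acl(text):
    """Return {sequence: entry} from a `show ip access-lists` listing."""
    acl = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].isdigit():
            acl[int(parts[0])] = parts[1]
    return acl

def insert(acl, seq, entry):
    """`<seq> <entry>` in named-ACL config mode; IOS refuses a used number."""
    if seq in acl:
        raise ValueError("sequence %d already in use" % seq)
    words = entry.split()
    if len(words) >= 2 and words[-2] == "eq":
        words[-1] = PORT_NAMES.get(words[-1], words[-1])  # 20 -> ftp-data
    acl[seq] = " ".join(words)

def resequence(acl, start, step):
    """`ip access-list resequence NAME start step`: renumber in current order."""
    entries = [acl[s] for s in sorted(acl)]
    acl.clear()
    for i, entry in enumerate(entries):
        acl[start + i * step] = entry

def delete(acl, seq):
    del acl[seq]  # `no <seq>` in named-ACL config mode; no need to type the line

def free_slots(acl, seq):
    """Unused sequence numbers between entry `seq` and the next entry (9 by default)."""
    later = [s for s in acl if s > seq]
    return min(later) - seq - 1 if later else 0
```

Walking the model through the recipe's edits (insert at 12, resequence 10 10, no 60) reproduces the three listings shown above, and free_slots shows why resequencing is needed once the nine gaps between default numbers are used up.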

See Also