
Access-List Resequence April 27, 2009

Posted by ZoeL in CCIE LAB, Cisco.

Some of my colleagues pointed me to a useful and (according to them) not-so-often-used Cisco IOS feature:

access-list resequence

… Users can apply sequence numbers to permit or deny statements and also reorder, add, or remove such statements from a named IP access list. This feature makes revising IP access lists much easier. Prior to this feature, users could add access list entries to the end of an access list only; therefore needing to add statements anywhere except the end required reconfiguring the access list entirely…

On Cisco IOS, sequence numbers are assigned to access-list entries automatically when you do not specify one: the first entry gets 10 and each following entry is 10 higher. They are not shown in the running config, only in show access-list.

Example:
Suppose the access-list part of your running config contains these lines:

!
access-list 110 deny   icmp any host 31.31.31.31 echo
access-list 110 deny   ip any host 31.31.31.31
access-list 110 permit icmp any any echo
access-list 110 permit ip any any
access-list 120 permit icmp any host 31.31.31.31 echo
access-list 120 permit ip any host 31.31.31.31
!

Run show access-list and you will see that the entries of extended access-list 110 were numbered 10 to 40, in steps of 10:

R3#sh access-l
Extended IP access list 110
10 deny icmp any host 31.31.31.31 echo
20 deny ip any host 31.31.31.31 (6 matches)
30 permit icmp any any echo
40 permit ip any any (30 matches)
Extended IP access list 120
10 permit icmp any host 31.31.31.31 echo
20 permit ip any host 31.31.31.31 (6 matches)
R3#

What if you want to insert 10 new entries between sequence numbers 20 and 30?
Unfortunately only 9 sequence numbers (21 through 29) are available between 20 and 30.

That’s why we need to re-sequence the access-list numbers.

Example: renumber access-list 110 starting at 50 with an increment of 20.

R3#
R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#ip access-list resequence ?
<1-99>       Standard IP access-list number
<100-199>    Extended IP access-list number
<1300-1999>  Standard IP access-list number (expanded range)
<2000-2699>  Extended IP access list number (expanded range)

WORD         Access-list name

R3(config)#ip access-list resequence 110 ?
<1-2147483647>  Starting Sequence Number

R3(config)#ip access-list resequence 110 50 ?
<1-2147483647>  Step to increment the sequence number

R3(config)#ip access-list resequence 110 50 20
R3(config)#do sh access-l
Extended IP access list 110
50 deny icmp any host 31.31.31.31 echo
70 deny ip any host 31.31.31.31 (6 matches)
90 permit icmp any any echo
110 permit ip any any (30 matches)
Extended IP access list 120
10 permit icmp any host 31.31.31.31 echo
20 permit ip any host 31.31.31.31 (6 matches)
R3(config)#

Now we can insert not only 10 but up to 19 new entries (sequence numbers 71 through 89) between entries 70 and 90, without touching the existing ones. Note that the match counters survived the resequence; only the numbers changed, not the entries or their order.
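As an added example (not part of the original post), here is what the resequence is actually for: placing new entries at a chosen position. The two deny entries at 75 and 80 are hypothetical policy chosen for illustration; the point is that they must land before the permit entries at 90 and 110, because IOS evaluates an ACL top-down and stops at the first match, so a deny added at the end of this list would never be hit.

```cisco
! Added example, not from the original post. Assumes ACL 110 was already
! resequenced with "ip access-list resequence 110 50 20", so its entries
! sit at 50, 70, 90 and 110. The entries at 75 and 80 are hypothetical.
R3#configure terminal
! Numbered ACLs can be edited in named-ACL mode, which accepts sequence numbers.
R3(config)#ip access-list extended 110
! Insert ahead of "90 permit icmp any any echo" and "110 permit ip any any".
R3(config-ext-nacl)#75 deny tcp any any eq 23
R3(config-ext-nacl)#80 deny udp any any eq 69
! Removing by sequence number is the reverse operation and leaves the rest intact.
R3(config-ext-nacl)#no 80
R3(config-ext-nacl)#exit
! Verify the order; this is where the sequence numbers are visible.
R3(config)#do show access-list 110
R3(config)#end
```

After the inserts, show access-list 110 lists the entries in sequence order (50, 70, 75, 90, 110 once entry 80 is removed again), and the running config shows the same order as plain access-list 110 lines without numbers. One caveat worth knowing before scripting this: sequence numbers are not written to NVRAM. After a reload the ACL keeps its order but is renumbered 10, 20, 30, ... again, so do not hard-code sequence numbers across reboots; check show access-list (and resequence if needed) before inserting.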

.end.
