{"id":872,"date":"2014-01-24T14:38:13","date_gmt":"2014-01-24T13:38:13","guid":{"rendered":"http:\/\/blog.robinward.com\/?p=872"},"modified":"2014-01-24T14:40:28","modified_gmt":"2014-01-24T13:40:28","slug":"cisco-acl-resequencing","status":"publish","type":"post","link":"https:\/\/robinward.com\/?p=872","title":{"rendered":"Cisco ACL resequencing"},"content":{"rendered":"<p>Managing access lists on Cisco IOS devices can be a real headache. Copying an ACL out of the configuration, editing it in a text editor and pasting it back was the usual method until named IP access lists (NACLs) gained per-entry sequence numbers.<\/p>\n<blockquote>\n<pre>Extended IP access list my_acl_in\r\n2 permit icmp ..... (1234 matches)\r\n3 permit ip any host x.x.x.x\r\n10 permit ip ....\r\n11 permit ip ....\r\n12 permit ip ....\r\n13 permit ip ....\r\n14 permit tcp any host ...... eq 443\r\n15 permit tcp any host ...... eq www<\/pre>\n<\/blockquote>\n<p><span style=\"color: #0000ff;\">By the way, in IPv6 access lists the sequence number is printed at the end of the entry:<\/span><\/p>\n<blockquote>\n<pre>permit tcp host 2001:DB8:1::32 host 2001:DB8:2::32 eq ssh <strong>sequence 1<\/strong><\/pre>\n<\/blockquote>\n<p>Sequence numbers allow quick changes to an ACL without the copy&amp;paste foo: a single entry can be inserted or removed by its number. A growing and ever-changing ACL, however, can pose a challenge to your sequencing once the gaps are filled; in the list above, entries 10 to 15 leave no free number between them, so nothing can be inserted into that run any more, only appended after it. 
To realign your access control entries (ACEs), use the resequence command. It renumbers every entry of a named ACL from a starting value in a fixed step; the relative order of the entries, and therefore the first-match behaviour of the list, is unchanged.<\/p>\n<blockquote>\n<pre>r1(config)#ip access-list resequence ?\r\n&lt;1-99&gt; Standard IP access-list number\r\n&lt;100-199&gt; Extended IP access-list number\r\n&lt;1300-1999&gt; Standard IP access-list number (expanded range)\r\n&lt;2000-2699&gt; Extended IP access list number (expanded range)\r\nWORD Access-list name\r\n\r\nr1(config)#ip access-list resequence my_acl_in ?\r\n&lt;1-2147483647&gt; Starting Sequence Number\r\n\r\nr1(config)#ip access-list resequence my_acl_in 5 ?\r\n&lt;1-2147483647&gt; Step to increment the sequence number\r\n\r\nr1(config)#ip access-list resequence my_acl_in 5 5<\/pre>\n<\/blockquote>\n<p>This resequences the ACEs (start 5, step 5) to look like this:<\/p>\n<blockquote>\n<pre>Extended IP access list my_acl_in\r\n5 permit icmp ..... (1234 matches)\r\n10 permit ip any host x.x.x.x\r\n15 permit ip ....\r\n20 permit ip ....\r\n25 permit ip ....\r\n30 permit ip ....\r\n35 permit tcp any host ...... eq 443\r\n40 permit tcp any host ...... eq www<\/pre>\n<\/blockquote>\n<p>This feature will definitely help to keep your sanity. Keep in mind, though, that only the numbers move, not the entries: before the resequence, <strong>no 10<\/strong> in ACL configuration mode removed the first <strong>permit ip ....<\/strong> entry; afterwards the same command removes <strong>permit ip any host x.x.x.x<\/strong>. Any runbook or change script that refers to entries by sequence number has to be updated after a resequence. The Cisco guide linked below also notes that sequence numbers are not saved to NVRAM: after a reload the entries are renumbered from the default start and increment (10 and 10), which is one more reason not to hard-code them anywhere.<\/p>\n<p>I find it quite a bit strange that this function is mentioned in neither the 640-802 CCNA nor the 640-554 CCNA Security Cert Guide.<\/p>\n<p>For more information, see the <a href=\"http:\/\/www.cisco.com\/en\/US\/docs\/ios\/12_2s\/feature\/guide\/fsaclseq.html\" target=\"_blank\">Cisco ACL sequence numbering guide<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Managing access lists on Cisco IOS devices can be a real headache. Copying an ACL out of the configuration, editing it in a text editor and pasting it back was the usual method until named IP access lists (NACLs) gained per-entry sequence numbers. Extended IP access list my_acl_in 2 permit icmp &#8230;.. 
(1234 matches) 3 permit ip any host x.x.x.x &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/robinward.com\/?p=872\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Cisco ACL resequencing&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[34,3,14],"tags":[],"class_list":["post-872","post","type-post","status-publish","format-standard","hentry","category-cisco","category-net","category-security"],"_links":{"self":[{"href":"https:\/\/robinward.com\/index.php?rest_route=\/wp\/v2\/posts\/872","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/robinward.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/robinward.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/robinward.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/robinward.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=872"}],"version-history":[{"count":6,"href":"https:\/\/robinward.com\/index.php?rest_route=\/wp\/v2\/posts\/872\/revisions"}],"predecessor-version":[{"id":878,"href":"https:\/\/robinward.com\/index.php?rest_route=\/wp\/v2\/posts\/872\/revisions\/878"}],"wp:attachment":[{"href":"https:\/\/robinward.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=872"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/robinward.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=872"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/robinward.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=872"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
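The resequence procedure from the post above, modelled offline in Python as an added example; this is not code from the original post or from Cisco. It parses a listing in the shape of `show ip access-lists` (IPv4 entries lead with the sequence number) and `show ipv6 access-list` (IPv6 entries end with `sequence N`), points out neighbouring entries with no free number between them (the post's "gaps are filled" situation), computes the old-to-new mapping that `ip access-list resequence my_acl_in 5 5` produces while keeping the order intact, and translates a `no <seq>` command written against the old numbering so a runbook does not delete the wrong entry. The sample listings, addresses (RFC 5737 / RFC 3849 documentation ranges) and ACL names are constructed, and all function names are mine.

```python
"""Offline model of Cisco IOS `ip access-list resequence NAME START STEP`.
Added example, not code from the original post; the sample listings below are constructed."""
import re
from typing import Dict, List, NamedTuple, Tuple

SEQ_MAX = 2147483647  # upper bound IOS offers for both start and step


class Ace(NamedTuple):
    seq: int
    text: str  # the entry without sequence number and match counter


# IPv4 listing: "<seq> <entry> [(N matches)]"   IPv6 listing: "<entry> sequence <seq>"
_V4 = re.compile(r"^(\d+)\s+(.*?)(?:\s+\(\d+ match(?:es)?\))?$")
_V6 = re.compile(r"^(.*?)\s+sequence\s+(\d+)$")

# Constructed samples in the shape of the post's listings; addresses are from the
# RFC 5737 / RFC 3849 documentation ranges, not values from the original post.
SAMPLE_V4 = """\
Extended IP access list my_acl_in
    2 permit icmp any 192.0.2.0 0.0.0.255 echo-reply (1234 matches)
    3 permit ip any host 192.0.2.10
    10 permit ip 198.51.100.0 0.0.0.255 host 192.0.2.20
    11 permit ip 198.51.100.0 0.0.0.255 host 192.0.2.21
    12 permit ip 203.0.113.0 0.0.0.255 host 192.0.2.20
    13 permit ip 203.0.113.0 0.0.0.255 host 192.0.2.21
    14 permit tcp any host 192.0.2.30 eq 443 (7 matches)
    15 permit tcp any host 192.0.2.30 eq www
"""
SAMPLE_V6 = """\
IPv6 access list my_v6_in
    permit tcp host 2001:DB8:1::32 host 2001:DB8:2::32 eq ssh sequence 1
    permit tcp host 2001:DB8:1::32 host 2001:DB8:2::32 eq 443 sequence 2
"""


def parse_acl(listing: str) -> List[Ace]:
    """Parse one list as printed by `show ip access-lists` / `show ipv6 access-list`."""
    aces: List[Ace] = []
    for raw in listing.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Extended", "Standard", "IPv6")):
            continue  # blank line or the "... access list NAME" header
        m6, m4 = _V6.match(line), _V4.match(line)
        if m6:
            aces.append(Ace(int(m6.group(2)), m6.group(1)))
        elif m4:
            aces.append(Ace(int(m4.group(1)), m4.group(2)))
        else:
            raise ValueError(f"unrecognised access list entry: {line!r}")
    return sorted(aces)  # IOS evaluates and displays entries in sequence order


def blocked_insertions(aces: List[Ace]) -> List[Tuple[int, int]]:
    """Neighbouring pairs with no unused number between them: nothing can be
    inserted there until the list is resequenced, only appended at the end."""
    return [(a.seq, b.seq) for a, b in zip(aces, aces[1:]) if b.seq - a.seq < 2]


def fits(n_entries: int, start: int, step: int) -> bool:
    """True if START, STEP and the last number they produce lie within 1..SEQ_MAX."""
    if not (1 <= start <= SEQ_MAX and 1 <= step <= SEQ_MAX):
        return False
    return start + step * (n_entries - 1) <= SEQ_MAX


def resequence(aces: List[Ace], start: int, step: int) -> Dict[int, int]:
    """old_seq -> new_seq as `ip access-list resequence NAME start step` assigns them.
    Order, and with it first-match behaviour, is unchanged; only the numbers move."""
    if not fits(len(aces), start, step):
        raise ValueError(f"{len(aces)} entries from {start} step {step} exceed {SEQ_MAX}")
    return {ace.seq: start + i * step for i, ace in enumerate(aces)}


def apply_resequence(aces: List[Ace], mapping: Dict[int, int]) -> List[Ace]:
    """The list as it reads after the resequence."""
    return sorted(Ace(mapping[a.seq], a.text) for a in aces)


def translate_removal(command: str, mapping: Dict[int, int]) -> str:
    """Rewrite an ACL sub-mode `no <seq>` written against the old numbering;
    an unknown number raises instead of silently deleting a different entry."""
    m = re.fullmatch(r"no\s+(\d+)", command.strip())
    if not m:
        raise ValueError(f"not a `no <sequence>` command: {command!r}")
    old = int(m.group(1))
    if old not in mapping:
        raise KeyError(f"sequence {old} is not in the list being edited")
    return f"no {mapping[old]}"


if __name__ == "__main__":
    aces = parse_acl(SAMPLE_V4)
    print("no room to insert between:", blocked_insertions(aces))
    mapping = resequence(aces, 5, 5)  # the post's `resequence my_acl_in 5 5`
    print("old -> new:", mapping)
    print("blocked after resequence:", blocked_insertions(apply_resequence(aces, mapping)))
    print("runbook 'no 10' must now read:", translate_removal("no 10", mapping))
```

Run it as a script to see the report for the constructed list; the last line is the point the post's caveat makes: after a 5/5 resequence, `no 10` written against the old numbering has to become `no 15`, and a number that never existed in the list raises rather than being passed on to the device.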