Resequence Access Lists on Cisco Routers (IOS, IOS-XE, IOS-XR, Nexus-OS)

Here are sample configurations for resequencing access lists on Cisco routers running IOS, IOS-XE, IOS-XR and Nexus OS (NX-OS). The procedure is the same on every platform: insert the new entries before the final deny, confirm the order, then resequence so that free sequence numbers are available again for the next change.

Cisco IOS/IOS-XE

a. Show the existing access-list

IOS#show access-lists acl_123
Extended IP access list acl_123
10 permit tcp 192.168.10.8 255.255.255.255 192.168.20.5 255.255.255.255 eq 22
20 permit tcp 172.16.0.10.8 255.255.255.255 192.168.20.5 255.255.255.255 eq 22
30 deny ip any any

b. Add the new entries before the final deny rule

IOS(config)#ip access-list extended acl_123
IOS(config-ext-nacl)#21 permit tcp host 192.168.11.8 host 192.168.20.5 eq 22
IOS(config-ext-nacl)#22 permit tcp host 172.16.1.10.8 host 192.168.20.5 eq 22

c. Commit configuration (not applicable to IOS and IOS-XE: the change takes effect as soon as it is entered. Use “copy run start” to save the running configuration.)

d. Show the new access-list

IOS#show access-lists acl_123
Extended IP access list acl_123
10 permit tcp 192.168.10.8 255.255.255.255 192.168.20.5 255.255.255.255 eq 22
20 permit tcp 172.16.0.10.8 255.255.255.255 192.168.20.5 255.255.255.255 eq 22
21 permit tcp host 192.168.11.8 host 192.168.20.5 eq 22
22 permit tcp host 172.16.1.10.8 host 192.168.20.5 eq 22
30 deny ip any any

e. Resequence (in global configuration mode)

ip access-list resequence <ACL NAME> <START NUMBER> <INCREMENT>

<1-2147483647> Starting Sequence Number
<1-2147483647> Step to increment the sequence number

Sample config:
IOS(config)#ip access-list resequence acl_123 10 10

f. Show the new access-list

IOS#show access-lists acl_123
Extended IP access list acl_123
10 permit tcp 192.168.10.8 255.255.255.255 192.168.20.5 255.255.255.255 eq 22
20 permit tcp 172.16.0.10.8 255.255.255.255 192.168.20.5 255.255.255.255 eq 22
30 permit tcp host 192.168.11.8 host 192.168.20.5 eq 22
40 permit tcp host 172.16.1.10.8 host 192.168.20.5 eq 22
50 deny ip any any

Cisco IOS-XR

a. Show the existing access-list

RP/0/RSP0/CPU0:IOS-XR#show access-lists acl_123

ipv4 access-list acl_123
10 permit tcp 192.168.10.8/32 192.168.20.5/32 eq 22
20 permit tcp 172.16.0.10.8/32 192.168.20.5/32 eq 22
30 deny ipv4 any any

b. Add the new entries before the final deny rule

RP/0/RSP0/CPU0:IOS-XR(config)#ipv4 access-list acl_123
RP/0/RSP0/CPU0:IOS-XR(config-ipv4-acl)#21 permit tcp 192.168.11.8/32 192.168.20.5/32 eq 22
RP/0/RSP0/CPU0:IOS-XR(config-ipv4-acl)#22 permit tcp 172.16.1.10.8/32 192.168.20.5/32 eq 22

c. Commit configuration

RP/0/RSP0/CPU0:IOS-XR(config-ipv4-acl)#commit

d. Show the new access-list

RP/0/RSP0/CPU0:IOS-XR#show access-lists acl_123

ipv4 access-list acl_123
10 permit tcp 192.168.10.8/32 192.168.20.5/32 eq 22
20 permit tcp 172.16.0.10.8/32 192.168.20.5/32 eq 22
21 permit tcp 192.168.11.8/32 192.168.20.5/32 eq 22
22 permit tcp 172.16.1.10.8/32 192.168.20.5/32 eq 22
30 deny ipv4 any any

e. Resequence (from EXEC mode; exit global configuration mode first)

resequence access-list ipv4 <ACL NAME> <START NUMBER> <INCREMENT>

<1-2147483646> Starting number
<1-2147483646> Increment

Sample config:
RP/0/RSP0/CPU0:IOS-XR#resequence access-list ipv4 acl_123 10 10

f. Show the new access-list

RP/0/RSP0/CPU0:IOS-XR#show access-lists acl_123

ipv4 access-list acl_123
10 permit tcp 192.168.10.8/32 192.168.20.5/32 eq 22
20 permit tcp 172.16.0.10.8/32 192.168.20.5/32 eq 22
30 permit tcp 192.168.11.8/32 192.168.20.5/32 eq 22
40 permit tcp 172.16.1.10.8/32 192.168.20.5/32 eq 22
50 deny ipv4 any any

Cisco Nexus OS

a. Show the existing access-list

NX-OS# show ip access-lists acl_123

IP access list acl_123
10 permit tcp 192.168.10.8/32 192.168.20.5/32 eq 22
20 permit tcp 172.16.0.10.8/32 192.168.20.5/32 eq 22
30 deny ip any any

b. Add the new entries before the final deny rule

NX-OS(config)# ip access-list acl_123
NX-OS(config-acl)# 21 permit tcp 192.168.11.8/32 192.168.20.5/32 eq 22
NX-OS(config-acl)# 22 permit tcp 172.16.1.10.8/32 192.168.20.5/32 eq 22

c. Commit configuration (not applicable to Nexus OS: the change takes effect as soon as it is entered. Use “copy run start” to save the running configuration.)

d. Show the new access-list

NX-OS(config-acl)# show ip access-lists acl_123

IP access list acl_123
10 permit tcp 192.168.10.8/32 192.168.20.5/32 eq 22
20 permit tcp 172.16.0.10.8/32 192.168.20.5/32 eq 22
21 permit tcp 192.168.11.8/32 192.168.20.5/32 eq 22
22 permit tcp 172.16.1.10.8/32 192.168.20.5/32 eq 22
30 deny ip any any

e. Resequence (in global configuration mode)

resequence ip access-list <ACL NAME> <START NUMBER> <INCREMENT>

<1-4294967295> Starting sequence number
<1-4294967295> Step to increment the sequence number

Sample config:
NX-OS(config)# resequence ip access-list acl_123 10 10

f. Show the new access-list

NX-OS(config-acl)# show ip access-lists acl_123

IP access list acl_123
10 permit tcp 192.168.10.8/32 192.168.20.5/32 eq 22
20 permit tcp 172.16.0.10.8/32 192.168.20.5/32 eq 22
30 permit tcp 192.168.11.8/32 192.168.20.5/32 eq 22
40 permit tcp 172.16.1.10.8/32 192.168.20.5/32 eq 22
50 deny ip any any
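The three procedures above are the same algorithm with different command syntax. The following Python helper is an added example, not part of the original post and not a Cisco tool: it parses the numbered entries from `show access-lists` output of any of the three platforms, reports which sequence numbers are still free in front of the trailing deny, refuses an insert that would land behind that deny (where the entry would never match), and computes the renumbering that the resequence command applies. The platform table (command templates and maximum sequence numbers) is taken from the CLI help quoted above; the sample listing is constructed for this example, with a valid second source address rather than the post's.

```python
"""Added example (not from the original post): offline helper for planning
an ACL insert and the resequence step on IOS/IOS-XE, IOS-XR and NX-OS."""
import re
from dataclasses import dataclass, replace

# Resequence command template and maximum sequence number per platform,
# as shown in the CLI help output quoted in the post.
PLATFORMS = {
    "ios":   ("ip access-list resequence {name} {start} {step}", 2147483647),
    "iosxr": ("resequence access-list ipv4 {name} {start} {step}", 2147483646),
    "nxos":  ("resequence ip access-list {name} {start} {step}", 4294967295),
}

# One access-control entry: "<seq> <permit|deny> <rest of the rule>".
# Header lines such as "ipv4 access-list acl_123" carry no leading number.
ACE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(.*\S)\s*$")


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str
    body: str  # rule text after the action, kept opaque


def parse_acl(show_output: str) -> list[Ace]:
    """Extract the numbered entries and insist they are unique and ascending."""
    aces = [Ace(int(m.group(1)), m.group(2), m.group(3))
            for m in map(ACE_RE.match, show_output.splitlines()) if m]
    seqs = [a.seq for a in aces]
    if seqs != sorted(seqs) or len(set(seqs)) != len(seqs):
        raise ValueError("sequence numbers must be unique and ascending")
    return aces


def is_final_deny(ace: Ace) -> bool:
    """A trailing 'deny <proto> any any'; nothing placed after it is ever matched."""
    return ace.action == "deny" and re.fullmatch(r"\S+ any any", ace.body) is not None


def free_slots_before_final_deny(aces: list[Ace]) -> list[int]:
    """Sequence numbers still free between the last ACE and the final deny.
    An empty list means the ACL must be resequenced before the next insert."""
    if not aces or not is_final_deny(aces[-1]):
        raise ValueError("ACL does not end with an explicit deny any any")
    previous = aces[-2].seq if len(aces) > 1 else 0
    return list(range(previous + 1, aces[-1].seq))


def insert_ace(aces: list[Ace], seq: int, action: str, body: str) -> list[Ace]:
    """Insert at `seq`, refusing a duplicate number or a position behind the final deny."""
    if any(a.seq == seq for a in aces):
        raise ValueError(f"sequence {seq} already in use")
    if aces and is_final_deny(aces[-1]) and seq > aces[-1].seq:
        raise ValueError(f"sequence {seq} would be shadowed by the final deny")
    return sorted(aces + [Ace(seq, action, body)], key=lambda a: a.seq)


def resequence(aces: list[Ace], platform: str, start: int = 10, step: int = 10) -> list[Ace]:
    """Renumber in the existing order as start, start+step, ... which is what the
    platform's resequence command does; the relative order never changes."""
    _, max_seq = PLATFORMS[platform]
    last = start + step * (len(aces) - 1)
    if start < 1 or step < 1 or last > max_seq:
        raise ValueError(f"renumbering would reach {last}, above the {platform} limit {max_seq}")
    return [replace(a, seq=start + i * step) for i, a in enumerate(aces)]


def resequence_command(platform: str, name: str, start: int = 10, step: int = 10) -> str:
    """The exact CLI line to type for the given platform."""
    template, _ = PLATFORMS[platform]
    return template.format(name=name, start=start, step=step)


def render(aces: list[Ace]) -> str:
    return "\n".join(f"{a.seq} {a.action} {a.body}" for a in aces)


# Constructed sample modelled on the IOS-XR listing in the post (step a).
SAMPLE_XR = """ipv4 access-list acl_123
10 permit tcp 192.168.10.8/32 192.168.20.5/32 eq 22
20 permit tcp 172.16.0.10/32 192.168.20.5/32 eq 22
30 deny ipv4 any any
"""

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_XR)
    print("free before final deny:", free_slots_before_final_deny(acl))
    acl = insert_ace(acl, 21, "permit", "tcp 192.168.11.8/32 192.168.20.5/32 eq 22")
    acl = insert_ace(acl, 22, "permit", "tcp 172.16.1.10/32 192.168.20.5/32 eq 22")
    print(resequence_command("iosxr", "acl_123"))
    print(render(resequence(acl, "iosxr")))
```

The helper treats everything after `permit`/`deny` as opaque text and does not validate addresses or masks. One thing worth checking by hand on IOS and IOS-XE: the second field of each address pair in a classic extended ACL is a wildcard (inverse) mask, so `255.255.255.255` matches any address, and a single host is written with the `host` keyword, as in the entries added in step b.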
