Back in the day, I didn’t have any white hairs, you could get a bag of potato chips for a quarter, kids didn’t behave badly, and numbered access-lists were all you had to work with in IOS.
If you still have numbered access-lists in your network (and I’ll bet you do), you probably hate working with them. After all, as I mentioned in my post on Active BGP Sessions, trying to remove a single line from a numbered ACL is not possible – you end up deleting the whole list!
Well actually that’s not quite true. Let’s find out why.
A Brief History of Numbered Access-Lists
Prior to IOS 11.2, numbered access-lists were the only option. The ACL number determined what kind of access-list it was, e.g.:
1-99 Standard IP Access-List 100-199 Extended IP Access-List 200-299 Protocol type-code access-list 300-399 DECnet access-list etc.
Although memorizing lists of ACL number ranges is great certification exam fodder, it was a truly annoying way to to things, and in some instances quite a limiting one – after all, you could only have 100 extended access-lists. This led later to the introduction of the range 1300-1999 – the “expanded range” for standard IP ACLs, and 2000-2699 as the expanded range for extended IP ACLs – handy if this affected you, but it’s another number range to remember.
Then in IOS 11.2, Cisco introduced named access-lists (for IP at least – some access-list types still can’t be named), and we never looked back. At least, we didn’t look back unless we were using one of the commands that had not yet been updated to allow reference to a named ACL instead of a numbered ACL.
Configuring Numbered Access-Lists
For years it has been the same way:
access-list 9 permit host 1.2.3.4 access-list 9 deny 10.1.3.0 0.0.0.255 access-list 9 permit 10.0.0.0 0.255.255.255
You didn’t need to say “ip access-list <n>…” because the number told you it was an IP access-list. And then to edit the access-list, well, uh, you can’t because as covered in the last post, this command:
no access-list 9 deny 10.1.3.0 0.0.0.255
…will delete the whole list. Typical techniques for managing these lists included:
- Copy the existing list into Notepad. Remove the lines you wanted removed or inserted, delete the list and then paste the full edited list back in. This has the obvious disadvantage of the fact that you have a list deleted for a period, and incomplete until you have finished pasting it back in. It’s particularly bad if that ACL is used for, say, the access-class on the VTY interface(*)…
- Copy the existing list into Notepad. Remove the lines you wanted removed or inserted, the search and replace to change the ACL number, then paste the newly numbered ACL in. Then, go find the commands that reference the old ACL, and update them to point to the new ACL.
(*) Yes, I know that only impacts new TCP connections and won’t cut you off immediately. It’s still risky.
Seriously, huge pain.
Treating a Numbered ACL like a Named ACL
Thankfully, there is a solution – but many people I’ve spoken to seem not to have come across it. You can – beginning when, I don’t know – actually configure a numbered ACL as if it were a named ACL. The examples I give here are all standard IP numbered access-lists, but the same works with extended IP access-lists too.
For example, consider these configuration commands:
access-list 9 permit host 1.2.3.4 access-list 9 deny 10.1.3.0 0.0.0.255 access-list 9 permit 10.0.0.0 0.255.255.255 ! ip access-list standard 9 no deny 10.1.3.0 0.0.0.255 end
Even though the ACL was created as a numbered access-list, we can edit it just like a named access-list (its name is “9”), and – as shown above – delete any individual entry. Here’s the proof:
R1#sh access-list 9 Standard IP access list 9 10 permit 1.2.3.4 30 permit 10.0.0.0, wildcard bits 0.255.255.255
What’s even cooler is that the entries have sequence numbers. So you can use those if you like to delete or insert entries:
R1(config)#ip access-list standard 9 R1(config-std-nacl)#no 10 R1(config-std-nacl)#15 permit host 10.1.3.5 R1(config-std-nacl)#20 deny 10.1.3.0 0.0.0.255 R1(config-std-nacl)#do sh access-list 9 Standard IP access list 9 15 permit 10.1.3.5 20 deny 10.1.3.0, wildcard bits 0.0.0.255 30 permit 10.0.0.0, wildcard bits 0.255.255.255
So now you can insert and delete entries in your numbered access-list at will! But what if you end up with a run of contiguous sequence numbers and you need to insert an ACL entry where there are no free numbers?
Resequencing ACLs
Named access-lists eventually brought with them the ability to be renumbered, initially in 12.2(14)S, then rolled into 12.2(15)T, so I imagine it’s on most devices you have running right now. It’s pretty simple – tell IOS what number to start at and what interval you want between numbers. In this example, let’s renumber ACL 9 starting at sequence 100 with an interval of 20 between the entries:
R1(config)#ip access-list resequence 9 100 20 R1(config)#do sh access-list 9 Standard IP access list 9 100 permit 1.2.3.4 120 permit 10.1.3.5 140 deny 10.1.3.0, wildcard bits 0.0.0.255 160 permit 10.0.0.0, wildcard bits 0.255.255.255
And it’s done! You’d think the same resequencing capability would be equally – if not more – useful for ip prefix-lists as well, but oddly it isn’t offered in regular IOS, though IOS XR users get a “resequence prefix-list ipv4” command, the lucky things. They are just soooo special.
Word To The Wise
When you reboot, ACLs renumber themselves.
This is important, so let it sink in for a moment. This applies to both named and numbered access-lists. There’s a clue to why this might be when you view ACLs in the configuration file:
ip access-list standard TEST permit 1.2.3.4 ! access-list 5 permit 1.2.3.4
Notice that neither style of configuration includes a sequence number? Right. So without that information stored in the configuration, how could IOS possibly recreate the same sequence numbers you had before after a cold boot? It can’t. If you’re used to working with prefix-lists where the sequence is stored and retained after a reload, this may be a bit of a shock. Sequence numbers on ACLs really are only there to allow you to insert or delete entries, and that’s it. You can’t use them to neatly organize your ACL entries (trust me, I tried once, and discovered this problem the hard way).
And The Point Is?
If you inherited numbered IP access-lists, don’t panic – just treat them as if they are named! Simples.
Just want to say this is awesome. I’ve been working with numbered ACLs for years and never thought this was possible. Thank you for the great tip.
Cool! Thanks, I didn’t know that one. Strange it isn’t included in CCNA.