Keep IP access lists ordered properly

The order of deny and permit statements has a major impact on how Cisco IOS interprets IP access lists. For this reason, it’s helpful to have a way to easily control the order of lines and insert a line in a given position without having to rewrite the entire list.

In the old days, each line you inserted got appended to the end of the list. To insert a line midway, you’d have to remove all the lines after that point, and then insert your line along with everything that comes after it. But with sequence numbers, you can easily insert a line wherever it should go. (Note that sequence numbers for lines are different from numbered access lists.)

To make changes to your IP access list, specify the access list by name from global configuration mode (reached from privileged EXEC), which puts you into the access-list configuration submode. Then enter a permit or deny statement with a sequence number before the “permit” or “deny” keyword, and IOS places the line at that position in the list. To remove a line, simply type “no” followed by the sequence number.

Note that if you don’t use sequence numbers, IOS automatically numbers lines in increments of 10. Theoretically, this could cause you to exceed the maximum allowable sequence number, although that’s unlikely unless you have more than 214,748,364 lines. Nevertheless, you may want to renumber the lines after you’ve inserted some, so that the gaps between consecutive sequence numbers are consistent. To renumber the lines, simply use the “ip access-list resequence” command followed by the list name, the first sequence number, and the increment between lines.

For example, the following command would renumber the existing lines according to the sequence 5, 10, 15…:

ip access-list resequence Foo 5 5
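The following added example (not from the original post) is a small Python model of the behaviour described above: entries keyed by sequence number, first-match evaluation with the implicit deny at the end, appending without a sequence number, inserting at a chosen number, removing by number, and resequencing. The access-list contents and the `NamedAcl` class are constructed for illustration; it shows why a deny appended after a broad permit has no effect while the same deny inserted ahead of it does.

```python
import ipaddress

# Constructed model of a Cisco IOS named IP access list: entries are keyed by
# sequence number, checked in ascending order, first match wins, implicit deny
# at the end. Only the source address of each entry is modelled.
def parse_entry(line):
    # '15 deny ip host 10.0.0.5 any' -> (15, 'deny', IPv4Network)
    parts = line.split()
    seq, action, src = int(parts[0]), parts[1], parts[3:-1]
    if src == ["any"]:
        net = ipaddress.ip_network("0.0.0.0/0")
    elif src[0] == "host":
        net = ipaddress.ip_network(src[1] + "/32")
    else:  # e.g. 10.0.0.0 0.0.0.255 -> 10.0.0.0/24 (contiguous wildcard masks only)
        bits = int(ipaddress.IPv4Address(src[1])).bit_length()
        net = ipaddress.ip_network(f"{src[0]}/{32 - bits}", strict=False)
    return seq, action, net

class NamedAcl:
    def __init__(self):
        self.entries = {}  # seq -> (action, source network)
    def add(self, line):  # '<seq> permit|deny ip <src> any' typed in the ACL submode
        seq, action, net = parse_entry(line)
        self.entries[seq] = (action, net)
    def append(self, line):  # no sequence given: IOS uses the last number + 10
        self.add(f"{(max(self.entries) if self.entries else 0) + 10} {line}")
    def remove(self, seq):  # 'no <seq>'
        del self.entries[seq]
    def resequence(self, start, step):  # 'ip access-list resequence NAME start step'
        ordered = [self.entries[s] for s in sorted(self.entries)]
        self.entries = {start + i * step: e for i, e in enumerate(ordered)}
    def evaluate(self, src_ip):
        ip = ipaddress.ip_address(src_ip)
        for seq in sorted(self.entries):  # lowest sequence number first
            action, net = self.entries[seq]
            if ip in net:
                return action
        return "deny"  # implicit deny that ends every IOS access list

def demo():
    acl = NamedAcl()
    acl.add("10 permit ip host 10.0.0.1 any")
    acl.add("20 permit ip 10.0.0.0 0.0.0.255 any")
    before = acl.evaluate("10.0.0.5")         # 'permit', matched by line 20
    acl.append("deny ip host 10.0.0.5 any")   # becomes line 30: shadowed by line 20
    shadowed = acl.evaluate("10.0.0.5")       # still 'permit'
    acl.remove(30)                            # 'no 30'
    acl.add("15 deny ip host 10.0.0.5 any")   # inserted ahead of line 20
    inserted = acl.evaluate("10.0.0.5")       # 'deny'
    acl.resequence(5, 5)                      # renumber to 5, 10, 15
    return before, shadowed, inserted, sorted(acl.entries)
```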