Inserting or adding an ACE to an ACL
These rules apply to all IPv4 ACEs you create or edit using the CLI:
- Named IPv4 ACLs:
  Add an ACE to the end of a named ACL by using the ip access-list command to enter the Named ACL (nacl) context and entering the ACE without a sequence number. For example, if you wanted to add a "permit" ACE at the end of a list named "List-1" to allow traffic from the device at 10.10.10.100:
    switch(config)# ip access-list standard List-1
    switch(config-std-nacl)# permit host 10.10.10.100
  Insert an ACE anywhere in a named ACL by specifying a sequence number. For example, if you wanted to insert a new ACE as line 15 between lines 10 and 20 in an existing ACL named "List-2" to deny IPv4 traffic from the device at 10.10.10.77:
    switch(config)# ip access-list standard List-2
    switch(config-std-nacl)# 15 deny host 10.10.10.77
- Numbered IPv4 ACLs:
  Add an ACE to the end of a numbered ACL by using the access-list <1-99|100-199> command. For example, if you wanted to add a "permit" ACE at the end of a list identified with the number "11" to allow IPv4 traffic from the device at 10.10.10.100:
    switch(config)# access-list 11 permit host 10.10.10.100
  To insert an ACE anywhere in a numbered ACL, use the same process as described above for inserting an ACE anywhere in a named ACL. For example, to insert an ACE denying IPv4 traffic from the host at 10.10.10.77 as line 52 in an existing ACL identified (named) with the number 11:
    switch(config)# ip access-list standard 99
    switch(config-std-nacl)# 52 deny host 10.10.10.77
  NOTE: After a numbered ACL has been created (using access-list <1-99|100-199>), it can be managed as either a named or numbered ACL.
- Deleting an ACE: Enter the ACL context and delete the sequence number for the unwanted ACE. (To view the sequence numbers of the ACEs in a list, use show access-list <acl-name-str> config.)
- Duplicate ACEs are not allowed in the same ACL. Attempting to enter a duplicate ACE displays the Duplicate access control entry message.
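The rules above (append without a number, insert at an explicit sequence number, delete by sequence number, reject duplicates) only matter because the switch evaluates ACEs in sequence order and stops at the first match, with an implicit deny after the last entry. The following Python model is an added example, not vendor code and not a switch API; it shows why the position chosen for an inserted ACE, or the removal of a trailing "permit any", changes which traffic is permitted. The auto-numbering step of 10, the uniqueness of sequence numbers and the hostmask parsing are assumptions of this model, and StandardAcl, Ace, parse_ace and DuplicateAce are names constructed for it.

```python
# Toy model of a standard IPv4 ACL with sequence-numbered ACEs (added example, not vendor code).
# Assumptions: ACEs entered without a number are appended in steps of 10, a sequence number
# may be used only once, an exact duplicate ACE anywhere in the list is rejected with the
# switch's "Duplicate access control entry" text, and evaluation is first-match with an
# implicit deny at the end.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    action: str                    # "permit" or "deny"
    source: ipaddress.IPv4Network  # "host A" -> A/32, "any" -> 0.0.0.0/0, "A WILDCARD" -> network

    def matches(self, addr: ipaddress.IPv4Address) -> bool:
        return addr in self.source

    def __str__(self) -> str:
        if self.source.prefixlen == 32:
            return f"{self.action} host {self.source.network_address}"
        if self.source.prefixlen == 0:
            return f"{self.action} any"
        return f"{self.action} {self.source.network_address} {self.source.hostmask}"


class DuplicateAce(ValueError):
    """Raised with the same message the switch prints for a repeated ACE."""


def parse_ace(text: str) -> Ace:
    """Parse 'permit host A', 'deny any' or 'permit A WILDCARD' into an Ace."""
    parts = text.split()
    if len(parts) < 2 or parts[0] not in ("permit", "deny"):
        raise ValueError(f"bad ACE: {text!r}")
    action, rest = parts[0], parts[1:]
    if rest == ["any"]:
        net = ipaddress.IPv4Network("0.0.0.0/0")
    elif rest[0] == "host" and len(rest) == 2:
        net = ipaddress.IPv4Network(f"{rest[1]}/32")
    elif len(rest) == 2:
        # ipaddress accepts a wildcard (host) mask after the slash, e.g. 10.0.0.0/0.0.0.255
        net = ipaddress.IPv4Network(f"{rest[0]}/{rest[1]}", strict=False)
    else:
        raise ValueError(f"bad ACE: {text!r}")
    return Ace(action, net)


class StandardAcl:
    STEP = 10  # assumed auto-numbering increment for ACEs entered without a number

    def __init__(self, name: str) -> None:
        self.name = name
        self._entries: Dict[int, Ace] = {}

    def add(self, text: str, seq: Optional[int] = None) -> int:
        """Append (seq=None) or insert at an explicit sequence number; returns the number used."""
        ace = parse_ace(text)
        if ace in self._entries.values():
            raise DuplicateAce("Duplicate access control entry")
        if seq is None:
            seq = max(self._entries, default=0) + self.STEP
        elif seq in self._entries:
            raise ValueError(f"sequence number {seq} already in use")
        self._entries[seq] = ace
        return seq

    def delete(self, seq: int) -> None:
        """Remove the ACE with the given sequence number (deletion by number, as in the text)."""
        del self._entries[seq]

    def sequence_numbers(self) -> List[int]:
        return sorted(self._entries)

    def show_config(self) -> List[str]:
        """Lines in the spirit of 'show access-list <name> config': '<seq> <ace>'."""
        return [f"{seq} {self._entries[seq]}" for seq in self.sequence_numbers()]

    def evaluate(self, addr: str) -> Tuple[Optional[int], str]:
        """First ACE (in sequence order) matching the source decides; no match hits the implicit deny."""
        ip = ipaddress.IPv4Address(addr)
        for seq in self.sequence_numbers():
            if self._entries[seq].matches(ip):
                return seq, self._entries[seq].action
        return None, "deny"


if __name__ == "__main__":
    acl = StandardAcl("List-2")
    acl.add("permit host 10.10.10.100")      # 10
    acl.add("deny 10.10.10.0 0.0.0.255")     # 20
    acl.add("permit any")                    # 30
    acl.add("deny host 10.10.10.77", seq=15)  # inserted between 10 and 20, as in the text
    print("\n".join(acl.show_config()))
    for src in ("10.10.10.100", "10.10.10.77", "10.10.10.5", "192.0.2.1"):
        print(src, "->", acl.evaluate(src))
```

Running the model shows the point of explicit sequence numbers: the host 10.10.10.77 deny at line 15 is reached before the broader line-20 entry, 10.10.10.100 is still permitted by line 10, and deleting the trailing "permit any" silently turns every previously permitted source into an implicit deny, which is the usual cause of an ACL change cutting off management traffic.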