The CLI provides the capability for editing in the switch by using sequence numbers to insert or delete individual ACEs. An offline method is also available. This section describes using the CLI for editing ACLs.
You can use the CLI to delete individual ACEs from anywhere in an ACL, append new ACEs to the end of an ACL, and insert new ACEs anywhere within an ACL.
- When you enter a new ACE in a named ACL without specifying a sequence number, the switch inserts the ACE as the last entry in the ACL.
- When you enter a new ACE in a named ACL and include a sequence number, the switch inserts the ACE according to the position of the sequence number in the current list of ACEs.
- Numbered ACLs: When using the access-list <1-99|100-199> command to create or add ACEs to a numbered ACL, each new ACE you enter is added to the end of the current list. (This command does not offer a <seq-#> option for including a sequence number to enable inserting an ACE at other points in the list.) Note, however, that once a numbered list has been created, you have the option of accessing it in the same way as a named list by using the ip access-list <standard|extended> command. This enables you to edit a numbered list in the same way that you would edit a named list. (See the next item in this list.)
- You can delete any ACE from any ACL (named or numbered) by using the ip access-list command to enter the ACL's context, and then using the no <seq-#> command. See Deleting an ACE from an existing ACL.
- Deleting the last ACE from an ACL leaves the ACL in memory. In this case, the ACL is "empty" and cannot perform any filtering tasks. (In any ACL the Implicit Deny does not apply unless the ACL includes at least one explicit ACE.)
The ACEs in any ACL are sequentially numbered. In the default state, the sequence number of the first ACE in a list is "10" and subsequent ACEs are numbered in increments of 10. For example, the following show run output lists three ACEs with default numbering in a list named "My-List":
You can add an ACE to the end of a named or numbered ACL by using either access-list for numbered ACLs or ip access-list for named ACLs. For example, to append a fourth ACE to the end of the ACL shown in The default sequential numbering for ACEs:
NOTE: When using the
This action uses a sequence number to specify where to insert a new ACE into an existing sequence of ACEs.
Syntax:
The first command enters the "Named-ACL" context for the specified ACL. The remaining two commands insert a new ACE in a standard or extended ACL, respectively.
NOTE: For the HP Switch 2620-series, entering an ACE that would result in an out-of-range sequence number is not allowed. Use the resequence command to free up ACE numbering availability in the ACL. See Resequencing the ACEs in an ACL.
To insert a new ACE between existing ACEs in a list:
- Use ip access-list to enter the "Named-ACL" (nacl) context of the ACL. This applies regardless of whether the ACL was originally created as a numbered ACL or a named ACL.
- Begin the ACE command with a sequence number that identifies the position you want the ACE to occupy. (The sequence number range is 1-2147483647.)
- Complete the ACE with the command syntax appropriate for the type of ACL you are editing.
For example, inserting a new ACE between the ACEs numbered 10 and 20 in the preceding figure requires a sequence number in the range of 11-19 for the new ACE.
In the following example, the first two ACEs entered become lines 10 and 20 in the list. The third ACE entered is configured with a sequence number of 15 and is inserted between lines 10 and 20.
This action uses ACL sequence numbers to delete ACEs from an ACL.
Syntax:
- To find the sequence number of the ACE you want to delete, use show run or show access-list <name-str|1-99|100-199> to view the ACL.
- Use ip access-list to enter the "Named-ACL" (nacl) context of the ACL. This applies regardless of whether the ACL was originally created as a numbered ACL or a named ACL.
- In the "Named-ACL" context, type no and enter the sequence number of the ACE you want to delete.
This action reconfigures the starting sequence number for ACEs in an ACL, and resets the numeric interval between sequence numbers for ACEs configured in the ACL.
Syntax:
ip access-list resequence <name-str|1-99|100-199> <starting-seq-#> <interval>
Resets the sequence numbers for all ACEs in the ACL.
<starting-seq-#>: Specifies the sequence number for the first ACE in the list. (Default: 10; Range: 1-2147483647)
<interval>: Specifies the interval between sequence numbers for the ACEs in the list. (Default: 10; Range: 1-2147483647)
This example resequences the "My-List" ACL shown in the following figure so that the list begins with line 100 and uses a sequence interval of 100.
Viewing and resequencing an ACL
HP Switch(config)# show run
  . . .
  ip access-list standard "My-List"
     10 permit 10.10.10.25 0.0.0.0
     15 deny 10.10.10.1 0.0.0.255
     30 deny 10.20.10.1 0.0.0.255
     40 permit 0.0.0.0 255.255.255.255
     exit
  . . .
HP Switch(config)# ip access-list resequence My-List 100 100
HP Switch(config)# show run
  . . .
  ip access-list standard "My-List"
     100 permit 10.10.10.25 0.0.0.0
     200 deny 10.10.10.1 0.0.0.255
     300 deny 10.20.10.1 0.0.0.255
     400 permit 0.0.0.0 255.255.255.255
     exit
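The append, insert, delete and resequence rules above can be checked offline before anything is typed into the switch. The Python model below is an added example, not code from the HP documentation or from the switch: it parses an ACL block in the show run form shown above, applies the edits by sequence number, refuses a resequence whose last number would exceed the 1-2147483647 range (the situation the 2620-series note warns about), and emits the block in a form that can be pasted back into the nacl context. The sample input is constructed from the "My-List" output above. Two details are this model's assumptions rather than statements on the page: an unnumbered ACE gets the last ACE's number plus 10 (the page says only "an increment from the last ACE"), and reusing an existing ACE's number is refused rather than replacing the rule.

```python
import re

SEQ_MIN, SEQ_MAX = 1, 2147483647          # sequence-number range given on the page
DEFAULT_START = DEFAULT_INTERVAL = 10       # default numbering: 10, 20, 30, ...

# Constructed sample input: the "My-List" ACL as it appears in show run output.
SHOW_RUN = """\
ip access-list standard "My-List"
   10 permit 10.10.10.25 0.0.0.0
   15 deny 10.10.10.1 0.0.0.255
   30 deny 10.20.10.1 0.0.0.255
   40 permit 0.0.0.0 255.255.255.255
   exit
"""

_HEADER = re.compile(r'^ip access-list (standard|extended) "(.+)"$')
_ACE = re.compile(r"^\s*(\d+)\s+((?:permit|deny)\s+.*)$")


def parse_acl(text):
    """Return (kind, name, aces); aces is a list of (seq, ace_text) in list order."""
    lines = text.strip().splitlines()
    m = _HEADER.match(lines[0])
    if not m:
        raise ValueError("not an ip access-list block")
    aces = []
    for line in lines[1:]:
        a = _ACE.match(line)
        if a:
            aces.append((int(a.group(1)), a.group(2).strip()))
    return m.group(1), m.group(2), sorted(aces)


def _check_seq(seq):
    if not SEQ_MIN <= seq <= SEQ_MAX:
        raise ValueError(f"sequence number {seq} outside {SEQ_MIN}-{SEQ_MAX}")


def append_ace(aces, text):
    """Unnumbered ACE: placed after the last entry.
    Assumption: last ACE + 10 (the page only says 'an increment from the last ACE')."""
    seq = (aces[-1][0] if aces else 0) + DEFAULT_INTERVAL
    _check_seq(seq)
    return aces + [(seq, text)]


def insert_ace(aces, seq, text):
    """Numbered ACE: placed by numeric precedence.
    Assumption: a number already used by an ACE is refused, so an edit
    cannot silently replace a rule."""
    _check_seq(seq)
    if any(s == seq for s, _ in aces):
        raise ValueError(f"sequence number {seq} already in use")
    return sorted(aces + [(seq, text)])


def free_seq_between(aces, after_seq, before_seq):
    """Lowest unused number strictly between two ACEs, or None when the gap
    is exhausted (e.g. between 10 and 11): resequence before inserting."""
    used = {s for s, _ in aces}
    for cand in range(after_seq + 1, before_seq):
        if cand not in used:
            return cand
    return None


def delete_ace(aces, seq):
    """'no <seq-#>' in the nacl context. Deleting the last ACE leaves an empty
    ACL that filters nothing, so [] is a valid result, not an error."""
    kept = [(s, t) for s, t in aces if s != seq]
    if len(kept) == len(aces):
        raise ValueError(f"no ACE with sequence number {seq}")
    return kept


def resequence(aces, start=DEFAULT_START, interval=DEFAULT_INTERVAL):
    """ip access-list resequence <name> <start> <interval>: renumber in list order,
    refusing a start/interval pair whose last ACE would leave the allowed range."""
    _check_seq(start)
    _check_seq(interval)
    last = start + interval * (len(aces) - 1) if aces else start
    _check_seq(last)
    return [(start + i * interval, t) for i, (_, t) in enumerate(aces)]


def render(kind, name, aces):
    """Emit the block in the show run form, ready to paste into the nacl context."""
    body = "\n".join(f"   {s} {t}" for s, t in aces)
    return f'ip access-list {kind} "{name}"\n{body}\n   exit'
```

Typical use is to parse the block copied from show run, call free_seq_between for the two neighbours of the intended position, and, when it returns None, resequence first; render then gives the lines to paste back, which can be diffed against the switch's own show run afterwards to confirm the edit landed where intended.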
A remark is numbered in the same way as an ACE, and uses the same sequence number as the ACE to which it refers. This operation requires that the remark for a given ACE be entered prior to entering the ACE itself.
Syntax:
access-list <1-99|100-199> remark <remark-str>
This syntax appends a remark to the end of a numbered ACL and automatically assigns a sequence number to the remark. The next command entry should be the ACE to which the remark belongs. (The new ACE will automatically be numbered with the same sequence number as was used for the preceding remark.)
Syntax:
ip access-list <standard|extended> <name-str|1-99|100-199>
   [seq-#] remark <remark-str>
   no <seq-#> remark
This syntax applies to both named and numbered ACLs. Without an optional sequence number, the remark is appended to the end of the list and automatically assigned a sequence number. When entered with an optional sequence number, the remark is inserted in the list according to the numeric precedence of the sequence number. The no form of the command deletes the indicated remark, but does not affect the related ACE.
To associate a remark with a specific ACE, enter the remark first, and then enter the ACE.
Entering a remark without a sequence number and then entering an ACE without a sequence number results in the two entries being automatically paired with the same sequence number and appended to the end of the current ACL.
Entering a remark with a sequence number and then entering an ACE with the same sequence number results in the two entries being paired together and positioned in the list according to the sequence number they share.
NOTE: After a numbered ACL has been created (using
To include a remark for an ACE that will be appended to the end of the current ACL, enter the remark first, then enter the related ACE. This results in the remark and the subsequent ACE having the same sequence number. For example, to add remarks using the "Named-ACL" (nacl) context:
You can also perform the operation illustrated in Appending a remark and its related ACE to the end of an ACL by using the numbered access-list <1-99|100-199> syntax shown at the beginning of this section.
To insert an ACE with a remark within an ACL by specifying a sequence number, insert the numbered remark first, then, using the same sequence number, insert the ACE. This operation applies only to ACLs accessed using the "Named-ACL" (nacl) context.
If a sequence number is already assigned to an ACE in a list, you cannot insert a remark by assigning it to the same number. (To configure a remark with the same number as a given ACE, the remark must be configured first.) To assign a remark to the same number as an existing ACE:
- The resequence command ignores "orphan" remarks that do not have an ACE counterpart with the same sequence number. For example, if an orphan remark is numbered "55", the remark retains "55" as its sequence number and will be placed in the renumbered version of the ACL according to that sequence number.
- Entering an unnumbered remark followed by a numbered ACE, or the reverse, creates an "orphan" remark. The unnumbered entry will be assigned a sequence number that is an increment from the last ACE in the list. The numbered entry will then be placed sequentially in the list according to the sequence number used.
- Configuring two remarks without either sequence numbers or an intervening, unnumbered ACE results in the second remark overwriting the first.
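The pairing rules for remarks are easy to get wrong when a list is edited by hand, and an orphaned or overwritten remark is exactly the kind of drift that leaves a reviewer unable to tell what a deny line was for. The Python class below is an added example, not code from the HP documentation or the switch: it models the nacl-context entry order for remarks and ACEs as described in this section, including pairing by shared number, refusing a remark whose number is already held by an ACE, orphan creation when one entry is numbered and the other is not, the overwrite of two consecutive unnumbered remarks, and no <seq-#> remark. The command lines fed to it are constructed for the example. As in the page, unnumbered entries go after the last ACE; that they get the last ACE's number plus 10 is this model's assumption. Resequencing of orphans is not modelled here.

```python
INTERVAL = 10  # default increment between sequence numbers


class AclEditor:
    """Tracks remark and ACE entries in the order the nacl context would keep them."""

    def __init__(self):
        self.entries = []  # (seq, kind, text); kind is "remark" or "ace"

    def _aces(self):
        return [s for s, k, _ in self.entries if k == "ace"]

    def _next_seq(self):
        # Unnumbered entries go after the last ACE; remarks do not count.
        # Assumption: last ACE + 10 (the page says 'an increment from the last ACE').
        aces = self._aces()
        return (max(aces) if aces else 0) + INTERVAL

    def _has(self, seq, kind):
        return any(s == seq and k == kind for s, k, _ in self.entries)

    def _sort(self):
        # Same number: the remark precedes its ACE.
        self.entries.sort(key=lambda e: (e[0], e[1] != "remark"))

    def enter(self, cmd):
        """Accept one command line: [seq-#] remark <text>, [seq-#] <ace>, or no <seq-#> remark."""
        parts = cmd.split(None, 1)
        seq = None
        if parts[0].isdigit():
            seq, cmd = int(parts[0]), parts[1]
        if cmd.startswith("no "):
            return self._no_remark(cmd)
        if cmd.startswith("remark "):
            return self._remark(seq, cmd[len("remark "):])
        return self._ace(seq, cmd)

    def _remark(self, seq, text):
        if seq is None:
            seq = self._next_seq()
        elif self._has(seq, "ace"):
            # A remark cannot take the number of an ACE that already exists;
            # the remark has to be entered before its ACE.
            raise ValueError(f"ACE {seq} exists; enter the remark before the ACE")
        # A second unnumbered remark lands on the same number and overwrites the
        # first when no unnumbered ACE was entered in between.
        self.entries = [e for e in self.entries if not (e[0] == seq and e[1] == "remark")]
        self.entries.append((seq, "remark", text))
        self._sort()

    def _ace(self, seq, text):
        if seq is None:
            seq = self._next_seq()
        if self._has(seq, "ace"):
            raise ValueError(f"sequence number {seq} already used by an ACE")
        self.entries.append((seq, "ace", text))
        self._sort()

    def _no_remark(self, cmd):
        tokens = cmd.split()  # ["no", "<seq-#>", "remark"]
        if len(tokens) != 3 or tokens[2] != "remark":
            raise ValueError("only 'no <seq-#> remark' is modelled here")
        seq = int(tokens[1])
        if not self._has(seq, "remark"):
            raise ValueError(f"no remark numbered {seq}")
        # Deletes the remark only; the ACE with the same number is untouched.
        self.entries = [e for e in self.entries if not (e[0] == seq and e[1] == "remark")]

    def orphans(self):
        """Remarks with no ACE sharing their number."""
        return [(s, t) for s, k, t in self.entries if k == "remark" and not self._has(s, "ace")]

    def show(self):
        """Render the list in show run style (remark lines carry the remark keyword)."""
        return "\n".join(f"{s} {'remark ' if k == 'remark' else ''}{t}" for s, k, t in self.entries)
```

Running a planned sequence of commands through enter and then checking that orphans returns an empty list is a cheap way to confirm every deny or permit will still carry its explanation after the edit.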