How to Edit Cisco IOS ACLs Using Line Numbers

Started by Kalyan, Nov 14, 2008, 02:53 PM

Kalyan

Creating the ACL with the ip access-list command

The key to being able to edit an ACL is to use the ip access-list command. Let me show you how it's done.

To start off, let's create an ACL, like this:

This is an oversimplified ACL that we are using as a simple example. Notice how we used a named ACL called "MyACL". We could also have used a numbered ACL and still been able to edit it. Also note how we were taken to a prompt that looked like this:

Router(config-ext-nacl)#

Finally, you should see that the numbers at the start of each line were manually typed in; they are there to make each line unique and individually removable later. The line numbers also specify the order in which the ACL lines are processed (ACLs are processed from the top down, i.e. from the lowest line number up). We could have created this ACL with the ip access-list command or with the regular access-list command. This means that you can edit ACLs you already have in use with the ip access-list command.

Editing the ACL with the ip access-list command

Next, let's say that I want to edit the line that references host 5.5.5.5. In the past, I would have had to copy the ACL to a text editor (like Windows Notepad), remove the ACL on the router (during which time all traffic is allowed), edit the ACL in the text editor, and paste the ACL back into the router. This is a time-consuming and insecure process to go through just to edit a single line of an ACL.

Now you can edit your ACLs, with one caveat: you can remove and insert individual lines of an ACL, but you cannot edit lines in place on the router. Let's look at an example.

To edit the line that references host 5.5.5.5, here is how you would do it:

I went into the named ACL add/edit mode. In this mode I can add more lines to the end of the ACL, remove lines in the ACL, or insert lines in the middle of the ACL.

In this case, I needed to edit the line with "host 5.5.5.5" on it. I couldn't actually edit that line on the router, but I could easily remove it and re-add it. I did this without ever having to modify any other part of the ACL. To do this, I simply removed the existing line 500 with the no 500 command, then added the new line 500 permit ip any host 5.5.5.5. By doing this, I reversed the source and destination that was permitted in this ACL.

Let's see what the entire ACL looks like with a show command:


Using the show ip access-list command, you can see the entire ACL with the line numbers. You can also see how the line with "host 5.5.5.5" is different from the way we originally entered it.
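The full session for the edit described above, as an added example that is not part of the original post. Only the ACL name MyACL, sequence 500 and the replacement entry permit ip any host 5.5.5.5 come from the post; the other entries, the original form of line 500, and the inserted line 300 are constructed for illustration.

```cisco
! Added example (not from the original post). The entries other than the
! replacement line 500, and the original line 500 (assumed to have been
! "permit ip host 5.5.5.5 any", since the post says source and destination
! were reversed), are constructed for this illustration.
Router# show ip access-lists MyACL
Extended IP access list MyACL
    100 permit tcp any host 10.1.1.10 eq 22
    200 permit tcp any host 10.1.1.20 eq www
    500 permit ip host 5.5.5.5 any
    1000 deny ip any any log

Router# configure terminal
Router(config)# ip access-list extended MyACL
! Remove only sequence 500; every other entry stays in force throughout,
! so the interface is never left without an ACL.
Router(config-ext-nacl)# no 500
! Re-add sequence 500 with source and destination swapped.
Router(config-ext-nacl)# 500 permit ip any host 5.5.5.5
! Insert a new entry between 200 and 500 without touching its neighbours.
! A deny placed above the permits is evaluated first (top-down order).
Router(config-ext-nacl)# 300 deny ip host 192.0.2.99 any log
Router(config-ext-nacl)# end

! Verify the result: line 500 now reads the new way, 300 sits in the
! middle, and nothing else changed.
Router# show ip access-lists MyACL
Extended IP access list MyACL
    100 permit tcp any host 10.1.1.10 eq 22
    200 permit tcp any host 10.1.1.20 eq www
    300 deny ip host 192.0.2.99 any log
    500 permit ip any host 5.5.5.5
    1000 deny ip any any log
```

If the existing entries were auto-numbered 10, 20, 30 and there is no free sequence number where you need to insert, the global configuration command `ip access-list resequence MyACL 10 10` renumbers them (starting at 10, in steps of 10) so that gaps open up; check the result with `show ip access-lists` before adding the new line.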

As a sidenote here, you don't actually have to enter the line numbers when you CREATE the ACL. The Cisco IOS will automatically generate sequential line numbers for you.