General editing rules

  • Named ACLs:
    • When you enter a new ACE in a named ACL without specifying a sequence number, the switch inserts the ACE as the last entry in the ACL.

    • When you enter a new ACE in a named ACL and include a sequence number, the switch inserts the ACE according to the position of the sequence number in the current list of ACEs.

  • Numbered ACLs: When using the access-list <1-99|100-199> command to create or add ACEs to a numbered ACL, each new ACE you enter is added to the end of the current list. (This command does not offer a <seq-#> option for including a sequence number to enable inserting an ACE at other points in the list.) Note, however, that once a numbered list has been created, you have the option of accessing it in the same way as a named list by using the ip access-list <standard|extended> command. This enables you to edit a numbered list in the same way that you would edit a named list. (See the next item in this list.)

  • You can delete any ACE from any ACL (named or numbered) by using the ip access-list command to enter the ACL's context, and then using the no <seq-#> command. See Deleting an ACE from an existing ACL.

  • Deleting the last ACE from an ACL leaves the ACL in memory. In this case, the ACL is "empty" and cannot perform any filtering tasks. (In any ACL the Implicit Deny does not apply unless the ACL includes at least one explicit ACE.)
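
The following Python model is an added example, not switch software or vendor code. It shows why the editing rules above matter for filtering: an ACE appended after a broader permit never matches, the same ACE inserted with a lower sequence number does, and an ACL emptied of ACEs filters nothing. The class and method names, the ACL name, the addresses, the auto-numbering step of 10, the duplicate-number error, and the simplified first-match test on source address only are assumptions of the model.

```python
import ipaddress

class Acl:
    """Toy model of the ACL editing rules (hypothetical, not switch code)."""
    STEP = 10  # assumed auto-numbering interval; the page does not state one

    def __init__(self, name):
        self.name = name
        self.aces = {}  # seq-# -> (action, source network)

    def add(self, action, source, seq=None):
        if seq is None:
            # No sequence number given: the ACE becomes the last entry.
            seq = max(self.aces, default=0) + self.STEP
        elif seq in self.aces:
            raise ValueError(f"sequence {seq} already in use")  # model's choice
        self.aces[seq] = (action, ipaddress.ip_network(source))
        return seq

    def delete(self, seq):
        # Models "no <seq-#>"; the ACL object remains even when it is empty.
        del self.aces[seq]

    def listing(self):
        return [(s, a, str(n)) for s, (a, n) in sorted(self.aces.items())]

    def evaluate(self, src_ip):
        if not self.aces:
            return "permit"  # empty ACL: no filtering, Implicit Deny not applied
        ip = ipaddress.ip_address(src_ip)
        for seq in sorted(self.aces):  # first match in sequence order wins
            action, net = self.aces[seq]
            if ip in net:
                return action
        return "deny"  # Implicit Deny: at least one explicit ACE exists

def demo():
    acl = Acl("Sample-List")                  # constructed name and addresses
    acl.add("permit", "10.10.10.0/24")        # becomes seq 10
    acl.add("deny", "10.10.10.77/32")         # appended as seq 20: shadowed
    shadowed = acl.evaluate("10.10.10.77")
    acl.delete(20)
    acl.add("deny", "10.10.10.77/32", seq=5)  # inserted ahead of the permit
    fixed = acl.evaluate("10.10.10.77")
    unmatched = acl.evaluate("192.168.1.1")   # falls through to Implicit Deny
    acl.delete(5)
    acl.delete(10)                            # last ACE removed: ACL is empty
    emptied = acl.evaluate("192.168.1.1")
    return shadowed, fixed, unmatched, emptied
```
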