Inserting or adding an ACE to an ACL
These rules apply to all IPv4 ACEs you create or edit using the CLI:
- Named IPv4 ACLs: Add an ACE to the end of a named ACL by using the ip access-list command to enter the Named ACL (nacl) context and entering the ACE without a sequence number. For example, to add a "permit" ACE at the end of a list named "List-1" to allow traffic from the device at 10.10.10.100:

    switch(config)# ip access-list standard List-1
    switch(config-std-nacl)# permit host 10.10.10.100

  Insert an ACE anywhere in a named ACL by specifying a sequence number. For example, to insert a new ACE as line 15 between lines 10 and 20 in an existing ACL named "List-2" to deny IPv4 traffic from the device at 10.10.10.77:

    switch(config)# ip access-list standard List-2
    switch(config-std-nacl)# 15 deny host 10.10.10.77
- Numbered IPv4 ACLs: Add an ACE to the end of a numbered ACL by using the access-list <1-99 | 100-199> command. For example, to add a "permit" ACE at the end of a list identified with the number "11" to allow IPv4 traffic from the device at 10.10.10.100:

    switch(config)# access-list 11 permit host 10.10.10.100

  To insert an ACE anywhere in a numbered ACL, use the same process as described above for inserting an ACE anywhere in a named ACL. For example, to insert an ACE denying IPv4 traffic from the host at 10.10.10.77 as line 52 in an existing ACL identified (named) with the number 11:

    switch(config)# ip access-list standard 99
    switch(config-std-nacl)# 52 deny host 10.10.10.77
Duplicate ACEs are not allowed in the same ACL. Attempting to enter a duplicate ACE displays the "Duplicate access control entry" message.
NOTE:
After a numbered ACL has been created (using access-list 1-99 | 100-199), it can be managed as either a named or numbered ACL.