Editing an existing ACL

The CLI provides the capability for editing in the switch by using sequence numbers to insert or delete individual ACEs. An offline method is also available. This section describes using the CLI for editing ACLs.

Using the CLI to edit ACLs

You can use the CLI to delete individual ACEs from anywhere in an ACL, append new ACEs to the end of an ACL, and insert new ACEs anywhere within an ACL.

General editing rules

  • Named ACLs:

    • When you enter a new ACE in a named ACL without specifying a sequence number, the switch inserts the ACE as the last entry in the ACL.

    • When you enter a new ACE in a named ACL and include a sequence number, the switch inserts the ACE according to the position of the sequence number in the current list of ACEs.

  • Numbered ACLs: When using the access-list <1-99|100-199> command to create or add ACEs to a numbered ACL, each new ACE you enter is added to the end of the current list. (This command does not offer a <seq-#> option for including a sequence number to enable inserting an ACE at other points in the list.) Note, however, that once a numbered list has been created, you have the option of accessing it in the same way as a named list by using the ip access-list <standard|extended> command. This enables you to edit a numbered list in the same way that you would edit a named list. (See the next item in this list.)

  • You can delete any ACE from any ACL (named or numbered) by using the ip access-list command to enter the ACL's context, and then using the no <seq-#> command (see Deleting an ACE from an existing ACL).

  • Deleting the last ACE from an ACL leaves the ACL in memory. In this case, the ACL is "empty" and cannot perform any filtering tasks. (In any ACL the Implicit Deny does not apply unless the ACL includes at least one explicit ACE.)

Sequence numbering in ACLs

The ACEs in any ACL are sequentially numbered. In the default state, the sequence number of the first ACE in a list is "10" and subsequent ACEs are numbered in increments of 10. For example, the following show run output lists three ACEs with default numbering in a list named "My-List":

The default sequential numbering for ACEs

You can add an ACE to the end of a named or numbered ACL by using either access-list for numbered ACLs or ip access-list for named ACLs:

Adding an ACE to the end of numbered or named ACLs

For example, to append a fourth ACE to the end of the ACL in The default sequential numbering for ACEs:

Appending an ACE to an existing list

NOTE: When using the access-list <1-99|100-199> <permit|deny> <SA> command to create an ACE for a numbered ACL, the ACE is always added to the end of the current list and given the appropriate sequence number. However, once a numbered list has been created, you can use the ip access-list command to open it as a named ACL and specify a nondefault sequence number, as described in the next section.


Inserting an ACE in an existing ACL

This action uses a sequence number to specify where to insert a new ACE into the existing sequence of ACEs in an ACL.

Syntax:

ip access-list <standard|extended> <name-str|1-99|100-199>

<1-2147483647> <permit|deny> <standard-acl-ip-criteria> [log]

<1-2147483647> <permit|deny> <extended-acl-ip-criteria> [options]

The first command enters the "Named-ACL" context for the specified ACL. The remaining two commands insert a new ACE in a standard or extended ACL, respectively.


NOTE: For the HP Switch 2620-series, entering an ACE that would result in an out-of-range sequence number is not allowed. Use the resequence command to free up ACE numbering availability in the ACL. See Resequencing the ACEs in an ACL.


To insert a new ACE between existing ACEs in a list:

  1. Use ip access-list to enter the "Named-ACL" (nacl) context of the ACL. This applies regardless of whether the ACL was originally created as a numbered ACL or a named ACL.

  2. Begin the ACE command with a sequence number that identifies the position you want the ACE to occupy. (The sequence number range is 1-2147483647.)

  3. Complete the ACE with the command syntax appropriate for the type of ACL you are editing.

For example, inserting a new ACE between the ACEs numbered 10 and 20 in the following figure requires a sequence number in the range of 11-19 for the new ACE.

Inserting an ACE in an existing ACL

In the following example, the first two ACEs entered become lines 10 and 20 in the list. The third ACE entered is configured with a sequence number of 15 and is inserted between lines 10 and 20.

Inserting an ACE into an existing sequence

Deleting an ACE from an existing ACL

This action uses ACL sequence numbers to delete ACEs from an ACL.

Syntax:

ip access-list <standard|extended> <name-str|1-99|100-199>

no <seq-#>

The first command enters the "Named-ACL" context for the specified ACL. The no command deletes the ACE corresponding to the sequence number entered.

Range: 1–2147483647

  1. To find the sequence number of the ACE you want to delete, use show run or show access-list <name-str|1-99|100-199> to view the ACL.

  2. Use ip access-list to enter the "Named-ACL" (nacl) context of the ACL. This applies regardless of whether the ACL was originally created as a numbered ACL or a named ACL.

  3. In the "Named-ACL" context, type no and enter the sequence number of the ACE you want to delete.

Deleting an ACE from any ACL

Resequencing the ACEs in an ACL

This action reconfigures the starting sequence number for ACEs in an ACL, and resets the numeric interval between sequence numbers for ACEs configured in the ACL.

Syntax:

ip access-list resequence <name-str|1-99|100-199>

<starting-seq-#> <interval>

Resets the sequence numbers for all ACEs in the ACL.

<starting-seq-#>

Specifies the sequence number for the first ACE in the list. (Default: 10; Range: 1-2147483647)

<interval>

Specifies the interval between sequence numbers for the ACEs in the list. (Default: 10; Range: 1-2147483647)

  1. To view the current sequence numbering in an ACL, use show run or show access-list <name-str|1-99|100-199>.

  2. Use the command syntax above to change the sequence numbering.

This example resequences the "My-List" ACL shown in the following figure so that the list begins with line 100 and uses a sequence interval of 100.

Viewing and resequencing an ACL

HP Switch(config)# show run
. . .
ip access-list standard "My-List"
   10 permit 10.10.10.25 0.0.0.0
   15 deny 10.10.10.1 0.0.0.255
   30 deny 10.20.10.1 0.0.0.255
   40 permit 0.0.0.0 255.255.255.255
   exit
. . .
HP Switch(config)# ip access-list resequence My-List 100 100
HP Switch(config)# show run
. . .
ip access-list standard "My-List"
   100 permit 10.10.10.25 0.0.0.0
   200 deny 10.10.10.1 0.0.0.255
   300 deny 10.20.10.1 0.0.0.255
   400 permit 0.0.0.0 255.255.255.255
   exit

Attaching a remark to an ACE

A remark is numbered in the same way as an ACE, and uses the same sequence number as the ACE to which it refers. This operation requires that the remark for a given ACE be entered prior to entering the ACE itself.

Syntax:

access-list <1-99|100-199> remark <remark-str>

This syntax appends a remark to the end of a numbered ACL and automatically assigns a sequence number to the remark. The next command entry should be the ACE to which the remark belongs. (The new ACE will automatically be numbered with the same sequence number as was used for the preceding remark.)

Syntax:

ip access-list <standard|extended> <name-str|1-99|100-199>

[<seq-#>] remark <remark-str>

no <seq-#> remark

This syntax applies to both named and numbered ACLs. Without an optional sequence number, the remark is appended to the end of the list and automatically assigned a sequence number. When entered with an optional sequence number, the remark is inserted in the list according to the numeric precedence of the sequence number. The no form of the command deletes the indicated remark, but does not affect the related ACE.

To associate a remark with a specific ACE, enter the remark first, and then enter the ACE.

  • Entering a remark without a sequence number and then entering an ACE without a sequence number results in the two entries being automatically paired with the same sequence number and appended to the end of the current ACL.

  • Entering a remark with a sequence number and then entering an ACE with the same sequence number results in the two entries being paired together and positioned in the list according to the sequence number they share.


NOTE: After a numbered ACL has been created (using access-list <1-99|100-199>), it can be managed as either a named or numbered ACL. For example, in an existing ACL with a numeric identifier of "115", either of the following command sets adds an ACE denying IPv4 traffic from any source to a host at 10.10.10.100:

HP Switch(config)# access-list 115 deny ip host 10.10.10.100
HP Switch(config)# ip access-list extended 115
HP Switch(config-ext-nacl)# deny ip any 10.10.10.100

Appending remarks and related ACEs to the end of an ACL

To include a remark for an ACE that will be appended to the end of the current ACL, enter the remark first, then enter the related ACE. This results in the remark and the subsequent ACE having the same sequence number. For example, to add remarks using the "Named-ACL" (nacl) context:

Appending a remark and its related ACE to the end of an ACL

You can also perform the operation illustrated in Appending a remark and its related ACE to the end of an ACL by using the numbered-ACL access-list <1-99|100-199> syntax shown at the beginning of this section.

Inserting remarks and related ACEs within an existing list

To insert an ACE with a remark within an ACL by specifying a sequence number, insert the numbered remark first, then, using the same sequence number, insert the ACE. This operation applies only to ACLs accessed using the "Named-ACL" (nacl) context.

Inserting remarks

Inserting a remark for an ACE that already exists in an ACL

If a sequence number is already assigned to an ACE in a list, you cannot insert a remark by assigning it to the same number. (To configure a remark with the same number as a given ACE, the remark must be configured first.) To assign a remark to the same number as an existing ACE:

  1. Delete the ACE.

  2. Configure the remark with the number you want assigned to the pair.

  3. Re-enter the deleted ACE with the number used to enter the remark.

Removing a remark from an existing ACE

If you want to remove a remark, but want to retain the ACE, do the following:

  1. Use the Named ACL context to enter the ACL.

  2. Using show run or show access-list <list-name> config, note the sequence number and content of the ACE having a remark you want to remove.

  3. Delete the ACE.

  4. Using the same sequence number, re-enter the ACE.

Operating notes for remarks

  • The resequence command ignores "orphan" remarks that do not have an ACE counterpart with the same sequence number. For example, if:

    • a remark numbered "55" exists in an ACL

    • there is no ACE numbered "55" in the same ACL

    • resequence is executed on that ACL

    then the remark retains "55" as its sequence number and will be placed in the renumbered version of the ACL according to that sequence number.

  • Entering an unnumbered remark followed by a numbered ACE, or the reverse, creates an "orphan" remark. The unnumbered entry will be assigned a sequence number that is an increment from the last ACE in the list. The numbered entry will then be placed sequentially in the list according to the sequence number used.

  • Configuring two remarks, neither with a sequence number and with no unnumbered ACE entered between them, results in the second remark overwriting the first.

Overwriting one remark with another