In our previous series on Cisco IOS Access-lists Part 1 and Part 2 , we covered all the basics of ACL’s and went through a real-world example. In the past, it was not possible to edit an ACL. Now, the impossible is possible with IOS 12.2 or later. In this article, you’ll learn how you can edit your access-list by using line numbers. This will prevent you from having to remove, and recreate, your ACL whenever you need to modify it.
Creating the ACL with the ip access-list command
The key to being able to edit an ACL is to use the ip access-list command. Let me show you how it’s done. To start off, let’s create an ACL, like this: This is an over simplified ACL that we are using as a simple example. Notice how we used a named ACL called “MyACL”. We could have also used a numbered ACL and we would have still been able to edit the ACL. Also note how we were taken to the prompt that looked like this: Router (config-ext-nacl)# Finally, you should see that the numbers at the start of each line were manually typed in, and are only there to make the lines unique and individually removable later. The line numbers also specify in what order that the ACL lines will be processed (ACL’s are processed from the top down, or lowest line number down). We could have created this ACL with the ip access-list, or just regular access-list command. This means that you can edit ACL’s you already have in use, using the ip access-list command.
Editing the ACL with the ip access-list command
Next, let’s say that I want to edit the line that references host 188.8.131.52. In the past, I would have had to copy the ACL to a text editor (like Windows Notepad), remove the ACL on the router (during which time all traffic is allowed), edit the ACL in the text editor, and paste the ACL back into the router. This is a time consuming, and insecure, process to go through to edit a single line on an ACL. Now, you can edit your ACL’s with one caveat. You can remove and insert individual lines of an ACL but you cannot edit lines, in place, on the router. Let’s look at an example. To edit the line that references host 184.108.40.206, here is how you would do it: I went into the named ACL add/edit mode. In this mode I can add more lines to the end of the ACL, remove lines in the ACL, or insert lines in the middle of the ACL. In this case, I needed to edit the line with the “host 220.127.116.11” on it. I couldn’t actually edit that line on the router but I can easily remove it and re-add it. I did this without ever having to modify any other part of the ACL. To do this, I simply removed the existing line 500, replacing with no 500, then I added the new line 500 permit ip any host 18.104.22.168. By doing this, I reversed the source and destination that was permitted in this ACL. Let’s see what the entire ACL looks like with a show command:
Using the show ip access-list command, you can see the entire ACL with the line numbers. You can also see how the line with “host 22.214.171.124” is different from the way we originally entered it. As a sidenote here, you don’t actually have to enter the line numbers when you CREATE the ACL. The Cisco IOS will automatically generate sequential line numbers for you.
Inserting line in an ACL
By going back into ACL Edit mode, you could also insert a line in between the other lines. For example, you could do this:
In summary, the ability to edit Cisco IOS ACL’s is a very powerful and time saving feature. In addition, by being able to edit the ACL’s, you don’t have to remove them and re-add them. In the past, when you had to remove them, your users or application would have suffered either: downtime (because you would have to shutdown the interface to protect the network), or lack of protection (because you would have to leave the interface without an ACL). Because we can now add, remove, and insert line numbers, we are all better off. More information on Cisco IOS named access lists can be found at the Cisco Command Reference for ip access-list website.
You might also want to read the following related articles: