Access Security Guide K/KA/KB.15.15

Sequence numbering in ACLs
The ACEs in any ACL are sequentially numbered. In the default state, the sequence number of the
first ACE in a list is "10" and subsequent ACEs are numbered in increments of 10. For example,
the following show run output lists three ACEs with default numbering in a list named "My-List":
Figure 232 The default sequential numbering for ACEs
You can add an ACE to the end of a named or numbered ACL by using either access-list for
numbered ACLs or ip access-list for named ACLs:
Figure 233 The default sequential numbering for ACEs
Figure 234 Adding an ACE to the end of numbered or named ACLs
Figure 235 Appending an ACE to an existing list
For example, to append a fourth ACE to the end of the ACL in the following figure:
NOTE: When using the access-list < 1-99 | 100-199 > < permit | deny > < SA > command to
create an ACE for a numbered ACL, the ACE is always added to the end of the current list and
given the appropriate sequence number. However, once a numbered list has been created, you can
use the ip access-list command to open it as a named ACL and specify a nondefault sequence
number, as described in the next section.
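Because an appended ACE always lands at the end of the list, and the first ACE a packet matches is the one applied, it is worth checking before appending whether an earlier ACE already covers the same source addresses. The following is an added example, not part of the guide or of the switch software, and it goes slightly beyond the text by testing for that shadowing. The sample listing, its addresses, the line layout "<seq> <permit|deny> <SA> <wildcard mask>", the function names and the "last + 10" rule for an appended ACE are assumptions.

```python
import ipaddress
import re

# Constructed sample in the style of a "show run" listing for a standard
# named ACL (assumed layout: "<seq> <permit|deny> <SA> <wildcard mask>").
SHOW_RUN = '''
ip access-list standard "My-List"
   10 permit 10.10.10.25 0.0.0.0
   20 permit 10.20.10.117 0.0.0.0
   30 deny 10.20.10.0 0.0.0.255
   exit
'''

ACE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(\S+)\s+(\S+)\s*$")

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def parse_aces(text):
    """Return [(seq, action, addr_int, wildcard_int)] sorted by sequence number."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            seq, action, addr, mask = m.groups()
            aces.append((int(seq), action, to_int(addr), to_int(mask)))
    return sorted(aces)

def next_append_seq(aces, step=10):
    """Assumed rule: an appended ACE gets last + 10 (10 for an empty list)."""
    return aces[-1][0] + step if aces else step

def covers(ace, addr, mask):
    """True if the existing ACE matches every source the new ACE would match."""
    care = ~ace[3] & 0xFFFFFFFF   # wildcard bit 0 = bit must match
    return (mask & care) == 0 and ((ace[2] ^ addr) & care) == 0

def check_append(text, action, addr, mask="0.0.0.0"):
    """Return (new_seq, shadowing_seq or None, True if the actions conflict)."""
    aces = parse_aces(text)
    a, w = to_int(addr), to_int(mask)
    for ace in aces:              # evaluated in sequence order, first match wins
        if covers(ace, a, w):
            return next_append_seq(aces), ace[0], ace[1] != action
    return next_append_seq(aces), None, False
```

A result such as (40, 30, True) means the appended ACE would be numbered 40 but never take effect, because ACE 30 already matches the same traffic with the opposite action; in that case the ACE needs a nondefault sequence number ahead of ACE 30 rather than an append.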
IPv4 ACL configuration and operating rules
RACLs and routed IPv4 traffic
Except for any IPv4 traffic with a DA on the switch itself, RACLs filter only routed IPv4 traffic
that is entering or leaving the switch on a given VLAN. Thus, if routing is not enabled on the
switch, there is no routed traffic for RACLs to filter. For more on routing, see the latest Multicast
and Routing Guide for your switch.