When entering an ACL rule, the new rule is appended to the end of the ACL by default. A new ACL rule can be inserted at a specified entry position using the insert before command.
The following example displays an extended ACL 121 and inserts a new entry 2 with a deny rule for source IP address 20.0.0.1 and destination IP address any:
System(rw-config)->ip access-list extended 121
System(rw-cfg-ext-acl)->show access-lists 121
Extended IP access list 121 (5 entries)
1 deny ip 10.0.0.1 0.0.255.255 any
2 deny ip 30.0.0.1 0.0.255.255 any
3 deny ip 40.0.0.1 0.0.255.255 any
4 permit ip any any
-- implicit deny all --
System(rw-cfg-ext-acl)->insert before 2 deny ip 20.0.0.1 0.0.255.255 any
System(rw-cfg-ext-acl)->show access-lists 121
Extended IP access list 121 (6 entries)
1 deny ip 10.0.0.1 0.0.255.255 any
2 deny ip 20.0.0.1 0.0.255.255 any
3 deny ip 30.0.0.1 0.0.255.255 any
4 deny ip 40.0.0.1 0.0.255.255 any
5 permit ip any any
-- implicit deny all --
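Why entry position matters for ACL 121, as an added example that is not part of the original documentation: it models the list in Python, compares the default append with insert before 2, and flags entries that an earlier entry makes unreachable. It assumes entries are checked top-down with the first match deciding, and it handles only the source address because every rule above uses destination any; the function names are hypothetical.

```python
import ipaddress

MASK32 = 0xFFFFFFFF

def parse_rule(text):
    """Parse '<action> ip <src> <wildcard> any' or '<action> ip any any'
    into (action, source, care_bits); a wildcard bit of 1 means 'ignore'."""
    parts = text.split()
    action, src = parts[0], parts[2]          # parts[1] is the 'ip' keyword
    if src == "any":
        return action, 0, 0                   # no bits compared: matches all
    wildcard = int(ipaddress.IPv4Address(parts[3]))
    return action, int(ipaddress.IPv4Address(src)), ~wildcard & MASK32

def insert_before(acl, entry, text):
    """Place text at 1-based position 'entry'; later entries move down one."""
    if not 1 <= entry <= len(acl):
        raise ValueError(f"ACL has no entry {entry}")
    return acl[:entry - 1] + [text] + acl[entry - 1:]

def evaluate(acl, src_ip):
    """Return (entry, action) for the first match, (None, 'deny') otherwise."""
    addr = int(ipaddress.IPv4Address(src_ip))
    for number, text in enumerate(acl, start=1):
        action, src, care = parse_rule(text)
        if ((addr ^ src) & care) == 0:
            return number, action
    return None, "deny"                       # the implicit deny all

def shadowed(acl):
    """Entry numbers that can never match because an earlier entry covers them."""
    rules = [parse_rule(t) for t in acl]
    hits = []
    for i, (_, src_b, care_b) in enumerate(rules):
        for _, src_a, care_a in rules[:i]:
            # A covers B when A compares only bits B fixes, with equal values.
            if (care_a & ~care_b & MASK32) == 0 and ((src_a ^ src_b) & care_a) == 0:
                hits.append(i + 1)
                break
    return hits

# ACL 121 as listed above before the insert.
ACL_121 = ["deny ip 10.0.0.1 0.0.255.255 any", "deny ip 30.0.0.1 0.0.255.255 any",
           "deny ip 40.0.0.1 0.0.255.255 any", "permit ip any any"]
NEW_RULE = "deny ip 20.0.0.1 0.0.255.255 any"
appended = ACL_121 + [NEW_RULE]               # default: new rule goes last
inserted = insert_before(ACL_121, 2, NEW_RULE)
```

With the default append, a packet from the constructed address 20.0.5.9 is permitted by entry 4 and the new deny is reported as shadowed; after insert before 2 the same packet is denied at entry 2.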
This example enters configuration mode for extended IPv6 access list acl10 and inserts a rule before entry 10 that permits packets with a source address for host 2002:100::50 and a destination address of 2001:100::100:25/64 with a ToS value of 6:
System(rw-config)->ipv6 access-list extended acl10
System(rw-cfg-ipv6-ext-acl)->insert before 10 permit host 2002:100::50 2001:100::100:25/64 traffic-class 6
System(rw-cfg-ipv6-ext-acl)->
This example enters configuration mode for the list1 L2 ACL and inserts at list sequence 5 a permit entry for packets containing (verbose logging is enabled for the inserted entry):
System(rw-config)->l2 access-list list1
System(rw-cfg-l2-acl)->insert before 5 permit any host 00:11:88:fd:8e:f0 vlan 11 13 ethertype 800 log-verbose
System(rw-cfg-l2-acl)->