When entering an ACL rule, the new rule is appended to the end of the ACL by default. A new ACL rule can be inserted into a specified entry location using the insert before command.
The following example displays an extended ACL 121 and inserts a new entry 2 with a deny rule for source IP address 20.0.0.1 and destination IP address any:
System(rw-config)->ip access-list extended 121 System(rw-cfg-ext-acl)->show access-lists 121 Extended IP access list 121 (5 entries) 1 deny ip 10.0.0.1 0.0.255.255 any 2 deny ip 30.0.0.1 0.0.255.255 any 3 deny ip 40.0.0.1 0.0.255.255 any 4 permit ip any any -- implicit deny all -- System(rw-cfg-ext-acl)->insert before 2 deny ip 20.0.0.1 0.0.255.255 any System(rw-cfg-ext-acl)->show access-lists 121 Extended IP access list 121 (6 entries) 1 deny ip 10.0.0.1 0.0.255.255 any 2 deny ip 20.0.0.1 0.0.255.255 any 3 deny ip 30.0.0.1 0.0.255.255 any 4 deny ip 40.0.0.1 0.0.255.255 any 5 permit ip any any -- implicit deny all --
This example enters configuration mode for extended IPv6 access list acl10 and inserts a rule before entry 10 that permits packets with a source address for host 2002:100::50 and a destination address of 2001:100::100:25/64 with a ToS value of 6:
System(rw-config)->ipv6 access-list standard acl10 System(rw-cfg-ipv6-ext-acl)->insert before 10 permit host 2002:100::50 2001:100::100:25/64 traffic-class 6 System(rw-cfg-ipv6-ext-acl)->