Inserting an ACL Rule

When entering an ACL rule, the new rule is appended to the end of the ACL by default. A new ACL rule can be inserted into a specified entry location using the insert before command.

The following example displays an extended ACL 121 and inserts a new entry 2 with a deny rule for source IP address 20.0.0.1 and destination IP address any:

System(rw-config)->ip access-list extended 121
System(rw-cfg-ext-acl)->show access-lists 121
Extended IP access list 121 (5 entries)
  1 deny   ip  10.0.0.1  0.0.255.255  any
  2 deny   ip  30.0.0.1  0.0.255.255  any
  3 deny   ip  40.0.0.1  0.0.255.255  any
  4 permit ip  any  any
  -- implicit deny all --
System(rw-cfg-ext-acl)->insert before 2 deny ip 20.0.0.1 0.0.255.255 any
System(rw-cfg-ext-acl)->show access-lists 121
Extended IP access list 121 (6 entries)
  1 deny   ip  10.0.0.1  0.0.255.255  any
  2 deny   ip  20.0.0.1  0.0.255.255  any
  3 deny   ip  30.0.0.1  0.0.255.255  any
  4 deny   ip  40.0.0.1  0.0.255.255  any
  5 permit ip  any  any
  -- implicit deny all --

This example enters configuration mode for extended IPv6 access list acl10 and inserts a rule before entry 10 that permits packets with a source address for host 2002:100::50 and a destination address of 2001:100::100:25/64 with a ToS value of 6:

System(rw-config)->ipv6 access-list standard acl10
System(rw-cfg-ipv6-ext-acl)->insert before 10 permit host 2002:100::50 2001:100::100:25/64 traffic-class 6
System(rw-cfg-ipv6-ext-acl)->