allow-conflicting-rules

Disables the default restriction on conflicting rules within an ACL so that you can edit ACLs in place. You can then create a conflicting rule before deleting the previous version.

Syntax

allow-conflicting-rules
no allow-conflicting-rules

Command Default

Conflicting rules are not allowed within an ACL.

Modes

ACL policy mode

Usage Guidelines

If the only difference between two rules is that one is a deny and the other a hard-drop, they are not considered conflicting. However, they are considered duplicates; refer to the allow-duplicate-rules topic.

When modifying ACL rules, you do not need to first remove ACLs from interfaces. Changes are implemented "on the fly," with no gap in protection.

We recommend that after any ACL-editing session for which you enabled allow-conflicting-rules, you restore the default setting by entering the no allow-conflicting-rules command.

Entering no allow-conflicting-rules launches a check of all ACLs for conflicting rules. If you did not immediately restore the default setting and have since created ACLs with conflicting rules, you must delete the conflicting rules before the software accepts no allow-conflicting-rules.
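The distinction the guidelines draw (deny versus hard-drop on the same match is a duplicate, permit versus either is a conflict) is easy to check offline before you try to restore the default. The following Python script is an added example, not vendor code: it parses `show running-config` style output, groups rules by their match text, and reports which pairs would block `no allow-conflicting-rules`. It assumes, for illustration, that two rules are compared on the entire text after the action keyword (so a differing `count` or `mirror` option makes them distinct); the sample configuration is constructed, with seq 21 and seq 31 added to the document's example to show both outcomes.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the document's `show running-config` output.
# seq 21 (the rewritten seq 20) and seq 31 are added to exercise both outcomes.
SAMPLE_CONFIG = """\
mac access-list extended mac1
 seq 10 permit host 0001.0001.0001 any
 seq 20 deny host 0001.0001.0002 any count
 seq 21 permit host 0001.0001.0002 any count
 seq 30 hard-drop host 0001.0001.0003 any mirror
 seq 31 deny host 0001.0001.0003 any mirror
"""

DROP_ACTIONS = {"deny", "hard-drop"}
RULE_RE = re.compile(r"^\s*seq\s+(\d+)\s+(permit|deny|hard-drop)\s+(.+?)\s*$")


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str
    match: str  # everything after the action, whitespace-normalized (assumption)


def parse_rules(config_text):
    """Extract seq/action/match triples from `show running-config` style text."""
    rules = []
    for line in config_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            seq, action, rest = m.groups()
            rules.append(Rule(int(seq), action, " ".join(rest.split())))
    return rules


def classify_pairs(rules):
    """Return (conflicts, duplicates): lists of (seq_a, seq_b) pairs.

    Two rules with identical match text are duplicates when their actions are
    the same or both drop traffic (deny vs hard-drop); otherwise they conflict.
    """
    conflicts, duplicates = [], []
    by_match = {}
    for r in rules:
        by_match.setdefault(r.match, []).append(r)
    for group in by_match.values():
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                same_effect = a.action == b.action or (
                    a.action in DROP_ACTIONS and b.action in DROP_ACTIONS)
                (duplicates if same_effect else conflicts).append((a.seq, b.seq))
    return conflicts, duplicates


def can_restore_default(rules):
    """True when no conflicting pair remains, i.e. when the device would
    accept `no allow-conflicting-rules` per the Usage Guidelines."""
    return not classify_pairs(rules)[0]


def without_seq(rules, seq):
    """Model `no seq N`: the rule list with one sequence number removed."""
    return [r for r in rules if r.seq != seq]


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_CONFIG)
    conflicts, duplicates = classify_pairs(rules)
    print("conflicting pairs:", conflicts)   # [(20, 21)]
    print("duplicate pairs:  ", duplicates)  # [(30, 31)]
    print("accept `no allow-conflicting-rules`?", can_restore_default(rules))
    print("after `no seq 20`:", can_restore_default(without_seq(rules, 20)))
```

Running the script against a saved `show running-config` capture tells you which sequence numbers still need a `no seq N` before the default restriction can be re-enabled; seq 30 and 31 are reported only as duplicates, which is the allow-duplicate-rules case rather than a conflict.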

Examples

When modifying ACLs by changing a rule from permit to deny or hard-drop—or vice versa—the following flow is typical.
  1. Enter the show running-config command to display the rules in the ACL that you need to modify.
    device# show running-config mac access-list extended mac1
    mac access-list extended mac1
     seq 10 permit host 0001.0001.0001 any
     seq 20 deny host 0001.0001.0002 any count
     seq 30 hard-drop host 0001.0001.0003 any mirror
    
  2. Enter the allow-conflicting-rules command.
    device# configure terminal
    device(config)# acl-policy
    device(config-acl-policy)# allow-conflicting-rules
    
  3. In the ACL that you need to modify, create the new rule and then delete the old rule.
    device(config-acl-policy)# exit
    device(config)# mac access-list mac1
    device(conf-macl-ext)# seq 21 permit host 0001.0001.0002 any count
    device(conf-macl-ext)# no seq 20
    
  4. Enter the no allow-conflicting-rules command to restore the default setting.
    device(conf-macl-ext)# exit
    device(config)# acl-policy
    device(config-acl-policy)# no allow-conflicting-rules