For editing ACLs, disables the default restriction on conflicting rules within an ACL. You can then create a conflicting rule before deleting the previous version.
By default, conflicting rules are not allowed within an ACL.
This command is available in ACL policy mode.
If the only difference between two rules is that one is a deny and the other a hard-drop, they are not considered conflicting. However, they are considered duplicates; refer to the allow-duplicate-rules topic.
To modify ACL rules, you do not need to first remove ACLs from interfaces. Changes are implemented "on the fly," with no gap in protection.
We recommend that after ACL-editing sessions for which you enabled allow-conflicting-rules, you restore the default setting by entering the no allow-conflicting-rules command.
Entering no allow-conflicting-rules launches a check of all ACLs for conflicting rules. If you did not immediately restore the default setting, and created ACLs with conflicting rules, you will need to delete conflicting rules before the software accepts no allow-conflicting-rules.
device# show running-config mac access-list extended mac1
mac access-list extended mac1
 seq 10 permit host 0001.0001.0001 any
 seq 20 deny host 0001.0001.0002 any count
 seq 30 hard-drop host 0001.0001.0003 any mirror

device# configure terminal
device(config)# acl-policy
device(config-acl-policy)# allow-conflicting-rules

device(config-acl-policy)# exit
device(config)# mac access-list mac1
device(conf-macl-ext)# seq 21 permit host 0001.0001.0002 any count
device(conf-macl-ext)# no seq 20

device(conf-macl-ext)# exit
device(config)# acl-policy
device(config-acl-policy)# no allow-conflicting-rules
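
The following pre-check is an added example, not part of the original documentation or the device software. It scans saved show running-config output for rules that would block no allow-conflicting-rules, and lists deny/hard-drop pairs separately as duplicates. Assumptions: two rules match the same traffic only when the text after the action keyword is identical (options such as count and mirror included); audit, SAMPLE and the seq 31 rule are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the mac1 ACL from the page, mid-edit, after "seq 21" was
# added under allow-conflicting-rules but before "no seq 20" was entered.
# "seq 31" is an extra constructed rule that shows the deny/hard-drop case.
SAMPLE = """\
mac access-list extended mac1
 seq 10 permit host 0001.0001.0001 any
 seq 20 deny host 0001.0001.0002 any count
 seq 21 permit host 0001.0001.0002 any count
 seq 30 hard-drop host 0001.0001.0003 any mirror
 seq 31 deny host 0001.0001.0003 any mirror
"""

RULE = re.compile(r"^\s*seq\s+(\d+)\s+(permit|deny|hard-drop)\s+(.+?)\s*$")
ACL = re.compile(r"^\S.*access-list\s+(?:standard\s+|extended\s+)?(\S+)\s*$")

def audit(config_text):
    """Return (conflicts, duplicates) as lists of (acl, match, [seq, ...])."""
    rules = defaultdict(list)  # (acl, match text) -> [(seq, action), ...]
    acl = None
    for line in config_text.splitlines():
        if (m := ACL.match(line)):
            acl = m.group(1)
        elif acl and (m := RULE.match(line)):
            match = " ".join(m.group(3).split())  # normalise whitespace
            rules[(acl, match)].append((int(m.group(1)), m.group(2)))
    conflicts, duplicates = [], []
    for (name, match), entries in rules.items():
        if len(entries) < 2:
            continue
        actions = {action for _, action in entries}
        seqs = sorted(seq for seq, _ in entries)
        # permit vs deny/hard-drop on the same match is a conflict. deny vs
        # hard-drop is a duplicate, per the page; identical repeats are
        # grouped with the duplicates too (assumption).
        if "permit" in actions and actions - {"permit"}:
            conflicts.append((name, match, seqs))
        else:
            duplicates.append((name, match, seqs))
    return conflicts, duplicates

if __name__ == "__main__":
    found_conflicts, found_duplicates = audit(SAMPLE)
    for name, match, seqs in found_conflicts:
        print(f"CONFLICT  {name}: seq {seqs} -> {match}")
    for name, match, seqs in found_duplicates:
        print(f"DUPLICATE {name}: seq {seqs} -> {match}")
```

An empty conflicts list means the saved configuration has no permit-versus-deny pairs left to delete before the default setting is restored.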