ACL Sequence Number Help

Answered Question
Mar 16th, 2010

Hi,

We have an ISR 3825 with the latest 12.4T running as our perimeter router.  We use sequence numbers to organize the ingress ACL.  For example, 200 to 2000 sequence numbers are to block prefixes from xxx country, 2100 to 4000 sequence numbers are for yyy country, etc.  Configuration is saved.

After I rebooted the router, I noticed that all my sequence numbers were reset to default!  I found this documentation in CCO:

"Sequence numbers are not nvgened. That is, the sequence numbers themselves are not saved. In the event that the system is reloaded, the configured sequence numbers revert to the default sequence starting number and increment. The function is provided for backward compatibility with software releases that do not support sequence numbering."

It is hard for me to accept this answer.  Do you guys also see this issue?  Is there a way to retain your own sequence number organization after the reboot?

Thanks.

Correct Answer
Jon Marshall Tue, 03/16/2010 - 07:39

Sequence numbers are only used to allow you to insert additional lines without having to redo the whole access-list. If you want to organize your ACL, you should look at object-groups, which your version of IOS should support. Object-groups would allow you to have groups of IPs per country and then use them in your ACL -

12.4T IOS object-groups

Jon
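As an added example (not part of the original thread), the script below generates the object-group layout suggested above from per-country CIDR lists, so the organization lives in group names that are saved with the configuration rather than in sequence numbers. The group names, the ACL name, the sample prefixes (RFC 5737 documentation ranges) and the closing `permit ip any any` are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data: documentation prefixes standing in for the
# per-country block lists. Group names are hypothetical.
COUNTRY_PREFIXES = {
    "BLOCK-XXX": ["192.0.2.0/25", "192.0.2.128/25", "198.51.100.7/32"],
    "BLOCK-YYY": ["203.0.113.0/24"],
}

def object_group(name, cidrs):
    """Render one IOS 'object-group network' block from CIDR strings."""
    # strict=True rejects entries with host bits set (e.g. 192.0.2.1/24)
    # instead of silently widening them; adjacent prefixes are merged.
    nets = ipaddress.collapse_addresses(
        ipaddress.ip_network(c, strict=True) for c in cidrs)
    lines = [f"object-group network {name}"]
    for net in nets:
        if net.prefixlen == 32:
            lines.append(f" host {net.network_address}")
        else:
            # Object-group entries take a subnet mask, not a wildcard mask.
            lines.append(f" {net.network_address} {net.netmask}")
    return lines

def ingress_acl(acl_name, groups):
    """One deny line per country group; no sequence numbers are relied on."""
    lines = [f"ip access-list extended {acl_name}"]
    lines += [f" deny ip object-group {g} any" for g in groups]
    # Assumption: everything not explicitly blocked is permitted.
    lines.append(" permit ip any any")
    return lines

def render(acl_name, country_prefixes):
    """Full config fragment: all groups, then the ACL that references them."""
    out = []
    for name in sorted(country_prefixes):
        out += object_group(name, country_prefixes[name]) + ["!"]
    out += ingress_acl(acl_name, sorted(country_prefixes))
    return "\n".join(out)

if __name__ == "__main__":
    print(render("INGRESS-FILTER", COUNTRY_PREFIXES))
```

Adding or removing a prefix for a country then means editing that country's object-group only; the ACL line that references the group does not change.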

kevin.hu Tue, 03/16/2010 - 07:44

Thanks Jon.  It is exactly what I am looking for.

Kevin
