ACL Sequence Number Help

Answered Question
Mar 16th, 2010

Hi,


We have an ISR 3825 with the latest 12.4T running as our perimeter router.  We use sequence numbers to organize the ingress ACL.  For example, 200 to 2000 sequence numbers are to block prefixes from xxx country, 2100 to 4000 sequence numbers are for yyy country, etc.  Configuration is saved.


After I rebooted the router, I noticed that all my sequence numbers were reset to default!  I found this documentation in CCO:


"Sequence numbers are not nvgened. That is, the sequence numbers themselves are not saved. In the event that the system is reloaded, the configured sequence numbers revert to the default sequence starting number and increment. The function is provided for backward compatibility with software releases that do not support sequence numbering."


It is hard for me to accept this answer.  Do you guys also see this issue?  Is there a way to retain your own sequence number organization after the reboot?


Thanks.

Correct Answer
Jon Marshall Tue, 03/16/2010 - 07:39

Sequence numbers are only used to allow you to insert additional lines without having to redo the whole access-list. If you want to organize your ACL, you should look at object-groups, which your version of IOS should support. Object-groups would allow you to have groups of IPs per country and then use them in your ACL -


12.4T IOS object-groups


Jon
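The object-group layout suggested in the answer above, as an added example that is not part of the original thread. The group names, the ACL name, the interface and the prefixes (RFC 5737 documentation ranges) are constructed placeholders.

```cisco
! Constructed example: one network object-group per country replaces
! one range of sequence numbers per country.
object-group network BLOCK-XXX
 description Prefixes to block from country xxx
 192.0.2.0 255.255.255.0
 198.51.100.0 255.255.255.128
!
object-group network BLOCK-YYY
 description Prefixes to block from country yyy
 203.0.113.0 255.255.255.0
 host 198.51.100.200
!
ip access-list extended PERIMETER-IN
 remark Drop traffic sourced from the per-country groups
 deny ip object-group BLOCK-XXX any
 deny ip object-group BLOCK-YYY any
 remark Placeholder for the rest of the ingress policy
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group PERIMETER-IN in
!
! Adding a prefix later touches only the group, not the ACL entries:
object-group network BLOCK-XXX
 198.51.100.128 255.255.255.192
```

Group names and descriptions are stored in the configuration, so the per-country organization survives a reload even though ACL sequence numbers revert to the default numbering.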

kevin.hu Tue, 03/16/2010 - 07:44

Thanks Jon.  It is exactly what I am looking for.


Kevin
