This is in the config of the switch:

access-list 10 permit 1.1.1.1 0.0.0.0
access-list 10 deny any log

And this is what I want:

access-list 10 permit 1.1.1.1 0.0.0.0

access-list 10 permit 2.2.2.2 0.0.0.0

access-list 10 deny any log

The basic template looks like this with ordered set selected in global config mode:

+ access-list 10 permit 1.1.1.1 0.0.0.0

+ access-list 10 permit 2.2.2.2 0.0.0.0

+ access-list 10 deny any log

And this is what happends:

access-list 10 permit 1.1.1.1 0.0.0.0
access-list 10 deny any log

access-list 10 permit 1.1.1.1 0.0.0.0

access-list 10 permit 2.2.2.2 0.0.0.0

access-list 10 deny any log

I was able to get this template to work.  I created it for the Switches & Hubs group, and tested a 3560 with your config.  This is how I expect things to work.

Hello Joe,

Thanks for the effort.

I tested this also on a 3560 switch, in this way:

I imported your template, modified the ACL in the template to the real deal, selected one 3560 switch and ran a compliance job with the deploy option selected.

What happend next was unreal, it almost took out the complete switch config (see below)..

I deleted the sensitive stuff from the report, but you should get the picture.

What could have caused this, your template was very simple?

Page 1

Baseline Compliance Report

Generated on Aug 30 2010 14:09:02

Summary

Template Name ACLOrderTest1

Number of Compliant device(s) 0

Number of Non-Compliant device(s) 1

Number of Excluded device(s) 1

Compliance Details

Compliant Devices

Device Name Latest Version Created On

No records.

Non-Compliant Devices

Device Name Latest Version Created On Command(s) to Deploy

switch3560 41 Aug 24 2010 15:03:24

-ip sla enable reaction-alert

-logging trap notifications

-logging **********************************************

-logging **********************************************

-logging **********************************************

-logging **********************************************

-access-list 1 remark **********************************************

-access-list 1 permit **********************************************

-access-list 9 permit **********************************************

-access-list 9 permit **********************************************

-access-list 9 permit **********************************************

-access-list 9 permit **********************************************

-access-list 9 permit **********************************************

-access-list 9 permit **********************************************

-access-list 9 deny any log

-access-list 19 permit **********************************************

-access-list 19 permit **********************************************

-access-list 19 permit **********************************************

-access-list 19 permit **********************************************

-access-list 19 permit **********************************************

-access-list 19 permit **********************************************

-access-list 19 deny ip any any log

-snmp-server community ******** **********************************************

-snmp-server community ******** **********************************************

-snmp-server location **********************************************

-snmp-server system-shutdown

-snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart

-snmp-server enable traps tty

-snmp-server enable traps cluster

-snmp-server enable traps entity

-snmp-server enable traps cpu threshold

-snmp-server enable traps vtp

-snmp-server enable traps vlancreate

-snmp-server enable traps vlandelete

-snmp-server enable traps flash insertion removal

-snmp-server enable traps port-security

-snmp-server enable traps envmon fan shutdown supply temperature status

-snmp-server enable traps config-copy

-snmp-server enable traps config

-snmp-server enable traps hsrp

-snmp-server enable traps bridge newroot topologychange

-snmp-server enable traps stpx inconsistency root-inconsistency loop-inconsistency

-snmp-server enable traps syslog

-snmp-server enable traps mac-notification change move threshold

-snmp-server enable traps vlan-membership

-snmp-server host **********************************************

-snmp-server host **********************************************

-tacacs-server host *********************************************

-tacacs-server timeout 3

-tacacs-server directed-request

-tacacs-server key ******** **********************************************

+access-list 19 permit **********************************************

+access-list 19 permit **********************************************

+access-list 19 permit **********************************************

+access-list 19 permit **********************************************

+access-list 19 permit **********************************************

+access-list 19 permit **********************************************

+access-list 19 deny ip any any log

Page 2

Excluded Devices

Device Name Reason for Exclusion

switch3560 Device config not compliantCM0108 Deploy Baseline comparison result to PRIMARY Running config on

device successful (Primary Login Succeeded

/ Primary Enable Succeeded

)

CM0056 Config fetch failed for switch3560 Cause: SSH: Failed to establish SSH connection to **********************************************

-

Cause: Authentication failed on device 3 times.

PRIMARY-RUNNING config Fetch Operation failed for TFTP.

TELNET: Failed to establish TELNET connection to **********************************************-

Cause: connect timed out.

Action: Check if protocol is supported by device and required device package is installed.

Why am I not surprised!

Thanks for the info Joe