pix(config)# sh access-list id_test

access-list id_test; 5 elements

access-list id_test line 1 permit gre any host 1.1.1.1 (hitcnt=0)

access-list id_test line 2 permit gre any host 2.2.2.2 (hitcnt=0)

access-list id_test line 3 permit gre any host 3.3.3.3 (hitcnt=0)

access-list id_test line 4 permit gre any host 4.4.4.4 (hitcnt=0)

access-list id_test line 5 permit gre any host 5.5.5.5 (hitcnt=0)

pix(config)# access-list id_test line 2 remark hello

pix(config)# sh access-list id_test

access-list id_test; 5 elements

access-list id_test line 1 permit gre any host 1.1.1.1 (hitcnt=0)

access-list id_test line 2 remark hello

access-list id_test line 3 permit gre any host 2.2.2.2 (hitcnt=0)

access-list id_test line 4 permit gre any host 3.3.3.3 (hitcnt=0)

access-list id_test line 5 permit gre any host 4.4.4.4 (hitcnt=0)

access-list id_test line 6 permit gre any host 5.5.5.5 (hitcnt=0)

pix(config)# access-list id_test line 1 permit icmp any host 1.1.1.1

pix(config)# sh access-list id_test

access-list id_test; 6 elements

access-list id_test line 1 permit icmp any host 1.1.1.1 (hitcnt=0)

access-list id_test line 2 permit gre any host 1.1.1.1 (hitcnt=0)

access-list id_test line 3 remark hello

access-list id_test line 4 permit gre any host 2.2.2.2 (hitcnt=0)

access-list id_test line 5 permit gre any host 3.3.3.3 (hitcnt=0)

access-list id_test line 6 permit gre any host 4.4.4.4 (hitcnt=0)

access-list id_test line 7 permit gre any host 5.5.5.5 (hitcnt=0)

TRIS-NOC-FW1(config)#

the golden rule of acl is that it works in order, from top to the bottom. with line number, you can specifically insert the new acl entry or remark wherever you prefer.

e.g. imagine you've got a 200-entry acl, and now you want to permit a host before other deny entries. of course you don't want to interupt the network by un-apply and re-apply the entire acl. in this case, line number saves the life.