Control your access control lists better with line numbers

Order is crucial in access control lists. An ACL is evaluated top to bottom, and the first access control entry (ACE) that matches a packet decides the outcome; later entries are only consulted for traffic that no earlier entry has already explicitly permitted or denied. This is efficient, because the whole list rarely has to be read, but it also means an ACE placed below a broader entry that already matches the same traffic never takes effect. That is what causes headaches when you need to revise the list: a deny appended to the end of the list does nothing if a permit higher up already covers the traffic.

Fortunately, there's a line number feature which allows you to insert a new ACE into the proper place without having to completely remove and reapply the access control list. When you specify a line number for a new ACE, the new ACE takes that number, and the existing ACE at that line and every ACE after it are renumbered upward by 1 (i.e., shifted one position further down the list).

To specify the line number, simply put "line" and the desired number after the ID for the access list, as in this example, which makes the new deny the first entry evaluated:
access-list access_in line 1 extended deny tcp any host 192.168.1.0 eq www

Note that the "host" keyword matches exactly one address (here 192.168.1.0, a /32). To deny the whole 192.168.1.0/24 network instead, give the network and its subnet mask, "192.168.1.0 255.255.255.0", in place of "host 192.168.1.0"; the ASA takes subnet masks in access lists, not wildcard masks.

Notice that the same syntax is displayed when you issue the "show access-list" command, which shows the actual line number of every ACE whether or not you specified line numbers originally. The numbers are derived from the current order of the list rather than stored in the configuration, so run "show access-list" immediately before inserting: any ACE added or removed in the meantime will have shifted the numbers, and "line 1" on a stale view may not land where you intended.
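The situation described above, as an added example that is not from the original post and is not Cisco code: a small Python model of first-match ACL evaluation, "line N" insertion with renumbering, and a check for shadowed entries. It parses only the subset of ASA syntax the post uses (extended ACEs with "any", "host" and net/mask addresses, an optional "eq" port, and the ip/tcp/udp keywords); object-groups, ICMP types and the implicit trailing deny are not parsed, and the implicit deny is applied by evaluate() when nothing matches. The ACL name access_in comes from the post; the addresses 203.0.113.7 and 192.168.1.10 and the short port-name table are constructed for the example.

```python
"""Model of ASA-style ACL ordering and "line N" insertion (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumption: a partial port-name table covering only what the example needs
_PORT_NAMES = {"www": 80, "https": 443, "ssh": 22, "smtp": 25, "domain": 53}
_PORT_NUMBERS = {v: k for k, v in _PORT_NAMES.items()}


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]             # None means any destination port


def _parse_addr(t, i):
    """Parse "any", "host A.B.C.D" or "A.B.C.D M.M.M.M" starting at t[i]."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    # ASA takes a subnet mask here, not a wildcard mask
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def _fmt_addr(net):
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


def parse_ace(command):
    """Parse "access-list NAME [line N] extended ACTION PROTO SRC DST [eq PORT]".
    Returns (acl name, line number or None, Ace)."""
    t = command.split()
    if t[0] != "access-list":
        raise ValueError("not an access-list command")
    name, i, line = t[1], 2, None
    if t[i] == "line":
        line, i = int(t[i + 1]), i + 2
    if t[i] != "extended":
        raise ValueError("only extended ACEs are modelled")
    action, proto, i = t[i + 1], t[i + 2], i + 3
    src, i = _parse_addr(t, i)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        dport = _PORT_NAMES[p] if p in _PORT_NAMES else int(p)
    return name, line, Ace(action, proto, src, dst, dport)


class Acl:
    def __init__(self, name):
        self.name = name
        self.entries = []            # entries[0] is line 1

    def add(self, command):
        """With "line N" the new ACE becomes line N and the old line N and all
        later lines shift down by one; without it the ACE is appended."""
        name, line, ace = parse_ace(command)
        if name != self.name:
            raise ValueError(f"command is for ACL {name}, not {self.name}")
        if line is None or line > len(self.entries):
            self.entries.append(ace)
        else:
            self.entries.insert(line - 1, ace)

    def show(self):
        """Like "show access-list": numbers come from the current order, so
        every line gets one whether or not it was given when added."""
        out = []
        for n, a in enumerate(self.entries, start=1):
            s = (f"access-list {self.name} line {n} extended {a.action} "
                 f"{a.proto} {_fmt_addr(a.src)} {_fmt_addr(a.dst)}")
            if a.dport is not None:
                s += f" eq {_PORT_NUMBERS.get(a.dport, a.dport)}"
            out.append(s)
        return out

    def evaluate(self, proto, src, dst, dport):
        """First match wins; the implicit deny applies when nothing matches.
        Returns (matching line number or None, action)."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for n, a in enumerate(self.entries, start=1):
            if a.proto not in ("ip", proto) or s not in a.src or d not in a.dst:
                continue
            if a.dport is not None and a.dport != dport:
                continue
            return n, a.action
        return None, "deny"

    def shadowed(self):
        """(line, earlier line) pairs where the earlier ACE fully covers the
        later one, so the later one can never match anything."""
        out = []
        for n, a in enumerate(self.entries, start=1):
            for m, b in enumerate(self.entries[:n - 1], start=1):
                if (b.proto in ("ip", a.proto) and a.src.subnet_of(b.src)
                        and a.dst.subnet_of(b.dst)
                        and (b.dport is None or b.dport == a.dport)):
                    out.append((n, m))
                    break
        return out


def demo():
    """A broad permit exists; a deny for one host is added by appending (dead
    entry) and then with "line 1" (takes effect)."""
    acl = Acl("access_in")
    acl.add("access-list access_in extended permit tcp any 192.168.1.0 255.255.255.0 eq www")
    acl.add("access-list access_in extended deny tcp any host 192.168.1.10 eq www")
    appended = acl.evaluate("tcp", "203.0.113.7", "192.168.1.10", 80)   # still permitted
    shadow = acl.shadowed()                                               # line 2 is dead
    acl.add("access-list access_in line 1 extended deny tcp any host 192.168.1.10 eq www")
    inserted = acl.evaluate("tcp", "203.0.113.7", "192.168.1.10", 80)   # now denied
    return appended, shadow, inserted, acl.show()


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The shadowed() check is the part worth keeping around: run it over a list before and after an insert and it tells you which ACEs are unreachable, which is exactly the failure mode that makes appending a deny feel like it "did nothing". The real "show access-list" output also carries hit counts and expands object-groups into multiple lines; neither is modelled here.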
