ACL ordering issue.

Unanswered Question
Aug 21st, 2007

Has anybody seen an issue such as below with ACL ordering?

I had the following ACL configured:

ip access-list extended QPM_WindowsSMB
 permit tcp any eq 445 any
 permit tcp any any eq 445

I noticed I wasn't getting any hits on the second line.

I changed the order of the first 2 elements and I started to get hits on both.

BTW, I upgraded the router IOS to 12.4(15)T1 on the weekend. Could this be a bug with this new software?

Cheers, SteveK.

royalblues Tue, 08/21/2007 - 13:49

None that I know of

It basically depends upon the traffic flow

As per the posted list, the first statement is trying to match the traffic that has a source port of 445 and destination any

The second entry is doing the reverse.

Narayan

jwdoherty Tue, 08/21/2007 - 16:16

Another possibility is that any TCP traffic with a destination of port 445 always has a source port of 445. Assuming you didn't see this on your prior IOS, one would tend to suspect the new code.

You could turn on/off flow cache, and/or on/off compiled ACLs (if supported on your platform), and/or try a number access list and see if there's a change in behavior.
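The two replies above come down to how an IOS extended ACL is evaluated: top-down, first matching entry wins and takes the hit, and evaluation stops there. The simulator below is an added example (not part of this thread and not Cisco code) that models exactly that for the two lines in the posted ACL. It parses only the `permit tcp any [eq N] any [eq N]` syntax used here, the `Acl` and `AclEntry` names are my own, and the three sample packets (an SMB client request, the server's reply, and a packet with 445 on both ends) are constructed for illustration.

```python
"""First-match ACL simulator (added example, hypothetical, not Cisco code).

Models how an IOS extended ACL evaluates a packet: entries are tested
in order, the first entry that matches increments its hit counter and
decides the verdict, and no later entry is consulted. Only the subset
of syntax used in the thread ('permit tcp any [eq N] any [eq N]') is
parsed; addresses other than 'any' are deliberately not modelled.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class AclEntry:
    action: str                 # "permit" or "deny"
    proto: str                  # only "tcp" appears in the thread
    src_port: Optional[int]     # None means any source port
    dst_port: Optional[int]     # None means any destination port
    text: str = ""
    hits: int = 0

    def matches(self, proto: str, sport: int, dport: int) -> bool:
        if proto != self.proto:
            return False
        if self.src_port is not None and sport != self.src_port:
            return False
        if self.dst_port is not None and dport != self.dst_port:
            return False
        return True


def parse_entry(line: str) -> AclEntry:
    """Parse 'permit tcp any [eq P] any [eq P]' into an AclEntry."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]

    def take_addr_port(toks):
        # address keyword followed by an optional 'eq <port>' qualifier
        if toks[0] != "any":
            raise ValueError("only 'any' addresses are modelled here")
        toks = toks[1:]
        port = None
        if toks and toks[0] == "eq":
            port, toks = int(toks[1]), toks[2:]
        return port, toks

    src_port, rest = take_addr_port(rest)
    dst_port, rest = take_addr_port(rest)
    return AclEntry(action, proto, src_port, dst_port, text=line)


class Acl:
    def __init__(self, name: str, lines: List[str]):
        self.name = name
        self.entries = [parse_entry(l) for l in lines]

    def evaluate(self, proto: str, sport: int, dport: int) -> Tuple[str, Optional[int]]:
        """Return (verdict, index of the entry that matched, or None)."""
        for i, entry in enumerate(self.entries):
            if entry.matches(proto, sport, dport):
                entry.hits += 1        # only the first match is counted
                return entry.action, i
        return "deny", None            # implicit deny at the end of every ACL

    def hit_counts(self) -> List[int]:
        return [e.hits for e in self.entries]


# The two orderings discussed in the thread.
ORIGINAL_ORDER = ["permit tcp any eq 445 any", "permit tcp any any eq 445"]
SWAPPED_ORDER = ["permit tcp any any eq 445", "permit tcp any eq 445 any"]

# Constructed sample traffic (proto, source port, destination port):
#   client -> server SMB request, server -> client reply, and a packet
#   carrying 445 on both ends (the case jwdoherty raises).
SAMPLE_PACKETS = [("tcp", 49152, 445), ("tcp", 445, 1025), ("tcp", 445, 445)]


def run_scenario(acl_lines: List[str], packets) -> List[int]:
    """Feed packets through a fresh ACL and return per-line hit counts."""
    acl = Acl("QPM_WindowsSMB", acl_lines)
    for proto, sport, dport in packets:
        acl.evaluate(proto, sport, dport)
    return acl.hit_counts()


if __name__ == "__main__":
    for label, order in (("original", ORIGINAL_ORDER), ("swapped", SWAPPED_ORDER)):
        print(label, order, "->", run_scenario(order, SAMPLE_PACKETS))
    # A flow with 445 on both ends only ever hits whichever line is first.
    print("445<->445 only, original:", run_scenario(ORIGINAL_ORDER, [("tcp", 445, 445)]))
```

Run as-is, the ordinary client request (ephemeral source port, destination 445) hits `permit tcp any any eq 445` in either ordering, so under plain first-match semantics a second line that reads `any any eq 445` should still get hits from normal SMB clients. The one traffic shape that never reaches the second line, regardless of order, is a packet with port 445 on both ends, which is the case raised in the second reply; comparing the counters before and after the swap against what the simulator predicts is a quick way to tell "expected first-match behaviour" from "something the new code is doing".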
