Quick ACL Question

Aug 27th, 2007

This may seem like a really simple question, but I couldn't find an answer for it.


When you add an entry to an ACL, it goes to the bottom of the list, simple enough.


However, when you put a permit ip any any in case of the extended list and add a line, I take it that line would go below the permit ip any any?


Is this why it is recommended to copy the list to a text editor, redo it there and then re-integrate it back into the router?


If anyone replies, thanks for the answer, it has been bugging the heck out of me.

mheusing (Cisco Employee) Tue, 08/28/2007 - 04:47

Hi,


Basically your understanding is right. Unless you have sequence-numbered ACLs, lines will go to the bottom. If this means below a "permit ip any any", then those statements would never be matched. Thus it was recommended to edit an ACL external to the router, remove all references to the ACL, remove the ACL, apply the edited ACL and add all references to the ACL again.

It should be noted however that today we have sequence numbering for ACL entries, which greatly removes all earlier restrictions. So today you can delete single lines or insert lines into an existing ACL. For technical details, please have a look, e.g., at "IP Access List Entry Sequence Numbering":

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a008043105e.html


So in brief: Unless you have a sequenced ACL your understanding is right. With sequenced ACLs you get more flexibility because of the enhanced editability.


Hope this helps! Please rate all posts.


Regards, Martin
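The two editing models Martin describes, side by side, as an added IOS configuration example (not from the original thread or from the linked Cisco document). The ACL names, numbers and addresses are constructed for illustration; the commands are standard IOS syntax for classic numbered ACLs and for the sequence-numbered named ACLs the linked feature guide covers.

```text
! --- Classic numbered ACL: no sequence control, every new line appends ---
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
! Entered later, this lands BELOW "permit ip any any" and is never matched
! (first-match evaluation stops at line 2):
access-list 101 deny   tcp any any eq 23
! Caveat: on classic IOS, "no access-list 101 ..." removes the whole list,
! not one line, which is why the copy-to-editor/re-apply workflow existed.

! --- Named extended ACL with sequence numbers (constructed name EDGE-IN) ---
ip access-list extended EDGE-IN
 10 deny   ip 10.0.0.0 0.255.255.255 any
 20 permit ip any any

! Insert a line ABOVE the catch-all by choosing a number in the gap:
ip access-list extended EDGE-IN
 15 deny tcp any any eq 23

! Remove a single entry by its sequence number (only that line goes away):
ip access-list extended EDGE-IN
 no 15

! Re-open gaps after many edits: renumber starting at 10, step 10
ip access-list resequence EDGE-IN 10 10

! Verify order and per-line match counters before and after editing:
show access-lists EDGE-IN
```

A line typed without a sequence number into a named ACL still appends to the end, so the shadowing problem from the question only disappears when the editor deliberately picks a number that sorts above the "permit ip any any" entry; checking `show access-lists` for an entry with a zero match count sitting below a catch-all is a quick way to spot a rule that will never fire.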


xzoren9999 Tue, 08/28/2007 - 08:15

Thanks for the clarification. I think I was just confused a little since the permit ip any any countermands the explicit deny, and I couldn't find anywhere that strictly states that the permit ip any any is still a line entry and therefore any additions to that ACL will definitely go below the permit ip any any.


