02-17-2008 05:54 AM - edited 03-11-2019 05:03 AM
Anyone know why? When I perform "show access-list 12", line 30 appears before line 10, see below:
VPN_1(config)#line vty 0 4
VPN_1(config-line)#no access-class 12 in
VPN_1(config-line)#exit
VPN_1(config)#no access-list 12
VPN_1(config)#access-list 12 permit host 172.25.2.254
VPN_1(config)#access-list 12 permit host 192.168.155.205
VPN_1(config)#access-list 12 permit host 192.168.250.26
VPN_1(config)#access-list 12 permit 192.168.148.128 0.0.0.127
VPN_1(config)#access-list 12 permit 172.25.6.0 0.0.0.15
VPN_1(config)#access-list 12 permit 10.3.4.16 0.0.0.15
VPN_1(config)#access-list 12 permit 192.168.141.0 0.0.0.255
VPN_1(config)#access-list 12 deny any log
VPN_1(config)#line vty 0 4
VPN_1(config-line)#access-class 12 in
VPN_1(config-line)#
VPN_1(config-line)#
VPN_1(config-line)#
VPN_1(config-line)#^Z
VPN_1#sh access-list 12
Standard IP access list 12
30 permit 192.168.250.26
10 permit 172.25.2.254
20 permit 192.168.155.205
40 permit 192.168.148.128, wildcard bits 0.0.0.127
50 permit 172.25.6.0, wildcard bits 0.0.0.15
60 permit 10.3.4.16, wildcard bits 0.0.0.15
70 permit 192.168.141.0, wildcard bits 0.0.0.255
80 deny any log
VPN_1#sh ver
Cisco IOS Software, 7200 Software (C7200-JK9O3S-M), Version 12.4(16), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 20-Jun-07 18:15 by prod_rel_team
ROM: System Bootstrap, Version 12.0(19991120:010612) [nlaw-conn_4xe_ECC 112], DEVELOPMENT SOFTWARE
BOOTLDR: 7200 Software (C7200-BOOT-M), Version 12.0(9)S, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
VPN_1 uptime is 1 day, 13 hours, 39 minutes
System returned to ROM by reload at 22:57:17 UTC Fri Feb 15 2008
System restarted at 23:01:07 UTC Fri Feb 15 2008
System image file is "tftp://192.168.114.101/c7200-jk9o3s-mz.124-16.bin"
Last reload reason: Reload Command
02-17-2008 09:50 AM
David
The standard IP access list has for a very long time been the exception to the rule that entries in an access list appear in the order in which they were entered. The standard IP access list will reorder entries so that any host specific entry appears before any subnet or network entry.
I have not seen it reorder host specific entries. But I guess that it is a possible effect of the reorder mechanism.
Or I wonder if there is some other possible explanation. Is it possible that in the version of access list 12 that you deleted, 192.168.250.26 was perhaps the first entry in the list? I have seen a few instances where there appears to be some persisting memory of things that were configured and then removed (the most obvious example is Frame Relay subinterfaces, which still show up in show ip interface brief even after they are deleted from the config). If you remove the access list, reboot the router and then recreate the list, does it still change the order? Or if you remove access list 12 and then create access list 13 (where no 13 had previously existed), does it still change the order?
HTH
Rick
02-17-2008 11:43 AM
Rick,
"If you remove the access list, reboot the router and then recreate the list does it still change the order? Or if you remove access list 12 and then create access list 13 (where no 13 had previously existed) does it still change the order?"
I already tried what you've suggested with the same result, even with several reboots. I get the same result with IOS version 12.3 as well.
David
02-17-2008 12:12 PM
Interesting! I played a bit with David's ACL on a 3640 router running code 12.3 for the sake of seeing how IOS compiles ACLs in this particular example, and it turns out that if 172.25.2.254 is placed between 192.168.155.205 and 26 the order is seen proper. I still could not decipher why the ACL would need to be in this order to get the proper ACL order output; if I enter the ACL in the order originally implemented I get a different output in the ACL order.
e.g.
rtr-3640(config)#access-list 12 permit host 192.168.155.205
rtr-3640(config)#access-list 12 permit host 172.25.2.254
rtr-3640(config)#access-list 12 permit host 192.168.250.26
rtr-3640(config)#access-list 12 permit 192.168.148.128 0.0.0.127
rtr-3640(config)#access-list 12 permit 172.25.6.0 0.0.0.15
rtr-3640(config)#access-list 12 permit 10.3.4.16 0.0.0.15
rtr-3640(config)#access-list 12 permit 192.168.141.0 0.0.0.255
rtr-3640(config)#access-list 12 deny any log
rtr-3640(config)#exit
rtr-3640#show access-lists 12
Standard IP access list 12
10 permit 192.168.155.205
20 permit 172.25.2.254
30 permit 192.168.250.26
40 permit 192.168.148.128, wildcard bits 0.0.0.127
50 permit 172.25.6.0, wildcard bits 0.0.0.15
60 permit 10.3.4.16, wildcard bits 0.0.0.15
70 permit 192.168.141.0, wildcard bits 0.0.0.255
80 deny any log
Another example
rtr-3640(config)#no access-list 12
rtr-3640(config)#access-list 12 permit host 172.25.2.254
rtr-3640(config)#access-list 12 permit host 192.168.155.205
rtr-3640(config)#access-list 12 permit host 192.168.250.26
rtr-3640(config)#access-list 12 permit 192.168.148.128 0.0.0.127
rtr-3640(config)#access-list 12 permit 172.25.6.0 0.0.0.15
rtr-3640(config)#access-list 12 permit 10.3.4.16 0.0.0.15
rtr-3640(config)#access-list 12 permit 192.168.141.0 0.0.0.255
rtr-3640(config)#access-list 12 deny any log
rtr-3640(config)#
rtr-3640(config)#exit
rtr-3640#show access-lists 12
Standard IP access list 12
20 permit 192.168.155.205
10 permit 172.25.2.254
30 permit 192.168.250.26
40 permit 192.168.148.128, wildcard bits 0.0.0.127
50 permit 172.25.6.0, wildcard bits 0.0.0.15
60 permit 10.3.4.16, wildcard bits 0.0.0.15
70 permit 192.168.141.0, wildcard bits 0.0.0.255
80 deny any log
Cisco Internetwork Operating System Software
IOS (tm) 3600 Software (C3640-JK9O3S-M), Version 12.3(25), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2008 by cisco Systems, Inc.
Compiled Mon 28-Jan-08 20:44 by alnguyen
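What matters from a policy point of view is not the sequence numbers but whether the reordering changes what the ACL permits. The following is an added example, not code from the thread or from Cisco: a small Python model of standard-ACL matching (first match wins, implicit deny) that replays the list typed on VPN_1, the order the 7200 displayed it in, and the order the 3640 displayed it in, and checks that all three decide identically for every sampled source address (they must, since the only entries that moved are disjoint host permits). It also encodes the rule Rick states, host entries before network entries, as a reordering function and shows the one case where that rule would matter: a deny for a single host typed after a permit for its subnet. The list names, the sample addresses and the assumption that the box evaluates in the order it displays are all constructed for this example; the log keyword is dropped because it does not affect matching.

```python
"""Model of Cisco IOS standard-ACL matching: first match wins, implicit deny at the end.
Added example; the entry lists are transcribed from the thread, everything else is assumed."""
from ipaddress import IPv4Address
import random

MASK32 = 0xFFFFFFFF

# Entries as typed on VPN_1 (the 'log' keyword is omitted; it does not change matching).
ENTERED_12 = [
    "permit host 172.25.2.254",
    "permit host 192.168.155.205",
    "permit host 192.168.250.26",
    "permit 192.168.148.128 0.0.0.127",
    "permit 172.25.6.0 0.0.0.15",
    "permit 10.3.4.16 0.0.0.15",
    "permit 192.168.141.0 0.0.0.255",
    "deny any",
]
# Order 'sh access-list 12' printed on the 7200 (sequence 30, 10, 20, 40, ...).
SHOWN_7200 = [ENTERED_12[2], ENTERED_12[0], ENTERED_12[1]] + ENTERED_12[3:]
# Order the 3640 printed in the second experiment (20, 10, 30, 40, ...).
SHOWN_3640 = [ENTERED_12[1], ENTERED_12[0], ENTERED_12[2]] + ENTERED_12[3:]

# Constructed case where hoisting host entries changes the decision for one address.
TYPED_WITH_EXCEPTION = [
    "permit 192.168.141.0 0.0.0.255",
    "deny host 192.168.141.7",
    "permit any",
]


def parse_entry(text):
    """'permit host A', 'permit A WILDCARD' or 'deny any' -> (action, addr, wildcard) as ints."""
    parts = text.split()
    action = parts[0]
    if parts[1] == "any":
        return action, 0, MASK32
    if parts[1] == "host":
        return action, int(IPv4Address(parts[2])), 0
    return action, int(IPv4Address(parts[1])), int(IPv4Address(parts[2]))


def evaluate(entries, src):
    """Return 'permit' or 'deny' for a source address; no match is the implicit deny."""
    s = int(IPv4Address(src))
    for action, addr, wildcard in map(parse_entry, entries):
        care = ~wildcard & MASK32          # a set wildcard bit means "don't care"
        if s & care == addr & care:
            return action
    return "deny"


def is_host(entry):
    return entry.split()[1] == "host"


def hosts_first(entries):
    """True if every host entry is listed before every non-host entry (Rick's stated rule)."""
    flags = [is_host(e) for e in entries]
    return flags == sorted(flags, reverse=True)


def reorder_hosts_first(entries):
    """Apply that rule to a typed list: host entries (typed order kept), then the rest."""
    return [e for e in entries if is_host(e)] + [e for e in entries if not is_host(e)]


def disagreements(acl_a, acl_b, sources):
    """Source addresses for which the two orderings decide differently."""
    return [src for src in sources if evaluate(acl_a, src) != evaluate(acl_b, src)]


def sample_sources(seed=7, n=2000):
    """Constructed sample: one address hitting each entry, a few near misses, plus random ones."""
    rng = random.Random(seed)
    fixed = ["172.25.2.254", "192.168.155.205", "192.168.250.26", "192.168.148.200",
             "192.168.148.1", "172.25.6.9", "172.25.6.16", "10.3.4.20", "192.168.141.77",
             "8.8.8.8"]
    return fixed + [str(IPv4Address(rng.getrandbits(32))) for _ in range(n)]


if __name__ == "__main__":
    src = sample_sources()
    print("displayed orders follow hosts-first:", hosts_first(SHOWN_7200), hosts_first(SHOWN_3640))
    print("7200 order vs typed, disagreements:", disagreements(ENTERED_12, SHOWN_7200, src))
    print("3640 order vs typed, disagreements:", disagreements(ENTERED_12, SHOWN_3640, src))
    print("typed order:", evaluate(TYPED_WITH_EXCEPTION, "192.168.141.7"),
          "| hosts first:", evaluate(reorder_hosts_first(TYPED_WITH_EXCEPTION), "192.168.141.7"))
```

The practical reading: for access-list 12 the shuffled sequence numbers are cosmetic, because three non-overlapping host permits match the same addresses whatever their relative order. The last line of output is the case to watch for in a vty access-class: if a host-specific deny is typed after a broader permit, the typed order and the hosts-first order give opposite answers for that host, so the displayed order, not the order in your change ticket, is the one to verify.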