Statement order in a standard ACL

Jun 9th, 2009

I am attempting to determine how entries in a standard ACL are actually added to a router's config.


I have read that the ACL statements are entered into the config in the order that they were typed, or that they are in a descending IP order, but I have tested this and see that it is not the case.


For example, if I create the following new ACL:


SPARE6509(config)#access-list 50 permit 170.50.11.3

SPARE6509(config)#access-list 50 permit 170.50.10.7

SPARE6509(config)#access-list 50 permit 184.5.1.149

SPARE6509(config)#access-list 50 permit 184.7.17.223

SPARE6509(config)#access-list 50 permit 170.50.26.83

SPARE6509(config)#access-list 50 deny any log

SPARE6509(config)#access-list 50 permit 170.50.68.0 0.0.0.255

SPARE6509(config)#exit


the order of the statements in the config is as follows, as per the show commands (they are in a different order than how they were entered - I cannot see any reason why they were added in this order):


SPARE6509#sho access-list 50

Standard IP access list 50

30 permit 184.5.1.149

40 permit 184.7.17.223

10 permit 170.50.11.3

20 permit 170.50.10.7

50 permit 170.50.26.83

60 deny any log

70 permit 170.50.68.0, wildcard bits 0.0.0.255


SPARE6509#show run (excerpt)

access-list 50 permit 184.5.1.149

access-list 50 permit 184.7.17.223

access-list 50 permit 170.50.11.3

access-list 50 permit 170.50.10.7

access-list 50 permit 170.50.26.83

access-list 50 deny any log

access-list 50 permit 170.50.68.0 0.0.0.255


This is a Catalyst 6509 w/Sup32, with IOS 12.2(18)SXF6.


Can anyone confirm how the lines of a standard ACL are added to the config?


Thanks.


cisco_lad2004 Tue, 06/09/2009 - 11:09

Michael,


Actually, they are in the order you entered them. The ACL will be processed according to the seq number.


try show ip access-list 50 ?


HTH


Sam

michael.martens... Tue, 06/09/2009 - 11:49

Sam,


I agree that the sequence numbers match the order of how the commands were entered.


However, is there any logic as to how the ACL is actually constructed?


As you can see from my original output, the sequence numbers do not follow what is displayed with "show run" or "show access-list 50" (which is the order in which the ACL statements are actually matched).


My issue is that it is difficult to determine the actual running order of ACL statements, as it appears to differ from how they were entered.


If I add new statements, how do I know where they will actually be placed in the ACL?


Regards,

Mike


cisco_lad2004 Tue, 06/09/2009 - 12:21

Agreed!


This will happen on any platform as far as I can see, not just the 6500.


The rule you stated is true for extended ACLs but does not apply to standard ones. For the latter, descending order of IPs is used.


http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml


HTH


Sam


PS: Well spotted, I never paid attention to this important point.
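The practical question in this thread is not where a new statement lands by sequence number, but where it lands in the displayed list, because that is the order the router walks when it matches a packet. The following Python script is an added example, not code from the thread or from Cisco: it parses the `show access-list 50` output quoted above (embedded here as a constructed sample), evaluates a few source addresses against the list in display order with first-match semantics and the implicit deny, and flags entries that can never match because an earlier entry already covers their whole range. On this particular list the shuffled host entries are harmless (they are mutually exclusive), but `60 deny any log` precedes `70 permit 170.50.68.0 0.0.0.255`, so the /24 is never permitted, which is exactly the kind of thing a sequence-number view hides. The parser only understands the standard-ACL line shapes that appear in the thread (host, `any`, and `wildcard bits`); that is an assumption of the example.

```python
import ipaddress
import re

# Constructed sample: the 'show access-list 50' output quoted earlier in the thread.
SHOW_ACL_50 = """\
Standard IP access list 50
30 permit 184.5.1.149
40 permit 184.7.17.223
10 permit 170.50.11.3
20 permit 170.50.10.7
50 permit 170.50.26.83
60 deny any log
70 permit 170.50.68.0, wildcard bits 0.0.0.255
"""

# Matches only the standard-ACL line shapes seen in the thread (assumption of this example).
ENTRY_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+"
    r"(?:(?P<any>any)|(?P<addr>\d+\.\d+\.\d+\.\d+)"
    r"(?:,\s*wildcard bits\s+(?P<wild>\d+\.\d+\.\d+\.\d+))?)"
    r"(?P<log>\s+log)?\s*$"
)


def parse_show_acl(text):
    """Return entries in display order (the order the router matches), as dicts."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header line such as 'Standard IP access list 50'
        if m.group("any"):
            addr, wild = 0, 0xFFFFFFFF  # 'any' == 0.0.0.0 with all wildcard bits set
        else:
            addr = int(ipaddress.IPv4Address(m.group("addr")))
            wild = int(ipaddress.IPv4Address(m.group("wild") or "0.0.0.0"))  # host == no wildcard
        entries.append({"seq": int(m.group("seq")), "action": m.group("action"),
                        "addr": addr, "wild": wild, "log": bool(m.group("log"))})
    return entries


def matches(entry, ip):
    """IOS wildcard semantics: a 1 bit in the wildcard mask means 'don't care'."""
    ip_int = int(ipaddress.IPv4Address(ip))
    care = ~entry["wild"] & 0xFFFFFFFF
    return (ip_int & care) == (entry["addr"] & care)


def evaluate(entries, ip):
    """Walk the list in display order; first match wins; implicit deny at the end."""
    for e in entries:
        if matches(e, ip):
            return e["action"], e["seq"]
    return "deny", None  # implicit deny, no sequence number


def shadowed_entries(entries):
    """Return (shadowed_seq, covering_seq) for entries that can never be reached."""
    result = []
    for i, later in enumerate(entries):
        for earlier in entries[:i]:
            care = ~earlier["wild"] & 0xFFFFFFFF
            # 'later' is fully covered if it only ignores bits 'earlier' also ignores ...
            covers_range = (later["wild"] & care) == 0
            # ... and agrees with 'earlier' on every bit 'earlier' cares about.
            same_prefix = (later["addr"] & care) == (earlier["addr"] & care)
            if covers_range and same_prefix:
                result.append((later["seq"], earlier["seq"]))
                break
    return result


if __name__ == "__main__":
    acl = parse_show_acl(SHOW_ACL_50)
    for src in ("184.5.1.149", "170.50.68.10", "10.0.0.1"):
        print(src, "->", evaluate(acl, src))
    print("shadowed:", shadowed_entries(acl))
```

Run it after pasting real `show access-list` output into `SHOW_ACL_50`; any pair reported by `shadowed_entries` is a statement whose position in the displayed list, not its sequence number, makes it dead, and that is the view to audit whenever the platform reorders standard ACL entries.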
