06-09-2009 10:35 AM - edited 03-04-2019 05:03 AM
I am attempting to determine how entries in a standard ACL are actually added to a router's config.
I have read that the ACL statements are entered into the config in the order that they were typed, or that they are in a descending IP order, but I have tested this and see that it is not the case.
For example, if I create the following new ACL:
SPARE6509(config)#access-list 50 permit 170.50.11.3
SPARE6509(config)#access-list 50 permit 170.50.10.7
SPARE6509(config)#access-list 50 permit 184.5.1.149
SPARE6509(config)#access-list 50 permit 184.7.17.223
SPARE6509(config)#access-list 50 permit 170.50.26.83
SPARE6509(config)#access-list 50 deny any log
SPARE6509(config)#access-list 50 permit 170.50.68.0 0.0.0.255
SPARE6509(config)#exit
the order of the statements in the config is as follows, as per the show commands (they are in a different order than how they were entered; I cannot see any reason why they were added in this order):
SPARE6509#sho access-list 50
Standard IP access list 50
30 permit 184.5.1.149
40 permit 184.7.17.223
10 permit 170.50.11.3
20 permit 170.50.10.7
50 permit 170.50.26.83
60 deny any log
70 permit 170.50.68.0, wildcard bits 0.0.0.255
SPARE6509#show run (excerpt)
access-list 50 permit 184.5.1.149
access-list 50 permit 184.7.17.223
access-list 50 permit 170.50.11.3
access-list 50 permit 170.50.10.7
access-list 50 permit 170.50.26.83
access-list 50 deny any log
access-list 50 permit 170.50.68.0 0.0.0.255
This is a Catalyst 6509 w/Sup32, with IOS 12.2(18)SXF6.
Can anyone confirm how the lines of a standard ACL are added to the config?
Thanks.
06-09-2009 11:09 AM
Michael,
Actually, they are in the order you have entered them. The ACL will be processed according to the sequence number.
Try show ip access-list 50 ?
HTH
Sam
06-09-2009 11:49 AM
Sam,
I agree that the sequence numbers match the order of how the commands were entered.
However, is there any logic as to how the ACL is actually constructed?
As you can see from my original output, the sequence numbers do not follow what is displayed with "show run" or "show access-list 50" (which is the order in which the ACL statements are actually matched).
My issue is that it is difficult to determine the actual running order of ACL statements, as it appears to differ from how they were entered.
If I add new statements, how do I know where they will actually be placed in the ACL?
Regards,
Mike
06-09-2009 12:21 PM
Agreed!
This will happen on any platform as far as I can see, not just the 6500.
The rule you stated is true about extended ACLs but does not apply to standard ones. For the latter, a descending order of IPs is used.
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml
HTH
Sam
PS: Well spotted, I never paid attention to this important point.
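As an added example (not from this thread, and not Cisco's own matching code), the script below parses the "show access-list 50" output quoted above, evaluates it top to bottom with first match wins and an implicit deny at the end, and flags entries that the displayed order makes unreachable. The sample text is constructed from the thread's output; the entry 70 result follows from "deny any" being displayed ahead of the 170.50.68.0/24 permit.

```python
import ipaddress

# Constructed sample: the "show access-list 50" output quoted in the thread, in displayed order.
SHOW_ACCESS_LIST_50 = """\
Standard IP access list 50
30 permit 184.5.1.149
40 permit 184.7.17.223
10 permit 170.50.11.3
20 permit 170.50.10.7
50 permit 170.50.26.83
60 deny any log
70 permit 170.50.68.0, wildcard bits 0.0.0.255
"""

def ip(s):
    return int(ipaddress.IPv4Address(s))

def parse_show_access_list(text):
    """Return [(seq, action, addr, wildcard)] in the order IOS displays them."""
    aces = []
    for line in text.splitlines():
        parts = line.replace(",", "").split()
        if len(parts) < 3 or not parts[0].isdigit():
            continue  # skip the "Standard IP access list" header
        seq, action, target = int(parts[0]), parts[1], parts[2]
        if target == "any":
            addr, wild = 0, 0xFFFFFFFF
        elif "wildcard" in parts:            # network entry: address plus wildcard mask
            addr, wild = ip(target), ip(parts[parts.index("bits") + 1])
        else:                                # bare address = host entry (wildcard 0.0.0.0)
            addr, wild = ip(target), 0
        aces.append((seq, action, addr, wild))
    return aces

def matches(addr, wild, src):
    # Wildcard bits set to 1 are "don't care"; only the remaining bits must agree.
    return (src & ~wild) == (addr & ~wild)

def evaluate(aces, src):
    """First-match evaluation, top to bottom; implicit deny if nothing matches."""
    s = ip(src)
    for seq, action, addr, wild in aces:
        if matches(addr, wild, s):
            return action, seq
    return "deny", None

def shadowed(aces):
    """Seq numbers of entries that no packet can reach in the displayed order."""
    dead = []
    for i, (seq, _, addr, wild) in enumerate(aces):
        for _, _, e_addr, e_wild in aces[:i]:
            # Earlier entry covers this one if it fixes a subset of these bits and agrees on them.
            if (e_wild | wild) == e_wild and matches(e_addr, e_wild, addr):
                dead.append(seq)
                break
    return dead
```

The host entries (10 to 50) never overlap each other, so their relative order does not change any match result; the only order-sensitive pair is 60 and 70, and shadowed() reports that entry 70 is unreachable.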