I am attempting to determine how entries in a standard ACL are actually added to a router's config.
I have read that the ACL statements are entered into the config in the order that they were typed, or that they are in a descending IP order, but I have tested this and see that it is not the case.
For example, if I create the following new ACL:
SPARE6509(config)#access-list 50 permit 188.8.131.52
SPARE6509(config)#access-list 50 permit 184.108.40.206
SPARE6509(config)#access-list 50 permit 220.127.116.11
SPARE6509(config)#access-list 50 permit 18.104.22.168
SPARE6509(config)#access-list 50 permit 22.214.171.124
SPARE6509(config)#access-list 50 deny any log
SPARE6509(config)#access-list 50 permit 126.96.36.199 0.0.0.255
The order of the statements in the config is as follows, as per the show commands (they are in a different order than how they were entered - I cannot see any reason why they were added in this order):
SPARE6509#sho access-list 50
Standard IP access list 50
30 permit 188.8.131.52
40 permit 184.108.40.206
10 permit 220.127.116.11
20 permit 18.104.22.168
50 permit 22.214.171.124
60 deny any log
70 permit 126.96.36.199, wildcard bits 0.0.0.255
SPARE6509#show run (excerpt)
access-list 50 permit 188.8.131.52
access-list 50 permit 184.108.40.206
access-list 50 permit 220.127.116.11
access-list 50 permit 18.104.22.168
access-list 50 permit 22.214.171.124
access-list 50 deny any log
access-list 50 permit 126.96.36.199 0.0.0.255
This is a Catalyst 6509 w/Sup32, with IOS 12.2(18)SXF6.
Can anyone confirm how the lines of a standard ACL are added to the config?
I am sorry, I did not notice that you were using standard ACLs for host entries.
Looking more closely I found the exact bug and issue. There's no fix for it because this is expected behaviour.
CSCdu55701 standard access-list is not in order in show run
The DDTS was junked due to the reason that it has been proved that it is a normal behavior. Host-specific ACLs are hashed for optimization, hence the show command display is in a different order than configured, as we experienced.
In your config most of the routes that you're adding are host statements. You may use extended ACLs.
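Added example, not part of the original thread and not Cisco code: a Python check that takes `show access-list` output in the format shown above and reports whether the displayed order could change any first-match result compared with sequence-number order, plus entries that can never match. It makes no claim about how IOS evaluates the list internally; the addresses are constructed documentation addresses and the function names are hypothetical.

```python
import re
from ipaddress import IPv4Address
from itertools import combinations

# Constructed sample in the same layout as the "sho access-list 50" output above.
SHOW_OUTPUT = """\
Standard IP access list 50
    30 permit 192.0.2.77
    40 permit 198.51.100.9
    10 permit 203.0.113.5
    20 permit 192.0.2.14
    50 permit 198.51.100.200
    60 deny   any log
    70 permit 203.0.113.0, wildcard bits 0.0.0.255
"""
LINE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(any|[\d.]+)(?:, wildcard bits ([\d.]+))?")

def parse(text):
    """Return [(seq, action, addr_int, wildcard_int)] in displayed order."""
    entries = []
    for m in filter(None, map(LINE.match, text.splitlines())):
        seq, action, addr, wild = m.groups()
        a = 0 if addr == "any" else int(IPv4Address(addr))
        w = 0xFFFFFFFF if addr == "any" else int(IPv4Address(wild or "0.0.0.0"))
        entries.append((int(seq), action, a, w))
    return entries

def overlaps(e1, e2):
    """Two entries share an address iff they agree on every bit both care about."""
    return ((e1[2] ^ e2[2]) & ~(e1[3] | e2[3]) & 0xFFFFFFFF) == 0

def order_sensitive_pairs(entries):
    """Pairs displayed in the opposite order to their sequence numbers that
    overlap with different actions; only such pairs can alter a first match."""
    return [(e1[0], e2[0]) for e1, e2 in combinations(entries, 2)
            if e1[0] > e2[0] and overlaps(e1, e2) and e1[1] != e2[1]]

def shadowed(entries):
    """Sequence numbers fully covered by an earlier (lower-numbered) entry."""
    ordered = sorted(entries)
    return [e[0] for k, e in enumerate(ordered)
            if any((p[3] | e[3]) == p[3] and overlaps(p, e) for p in ordered[:k])]

if __name__ == "__main__":
    acl = parse(SHOW_OUTPUT)
    print("order-sensitive pairs:", order_sensitive_pairs(acl))
    print("shadowed entries:", shadowed(acl))
```

Distinct host entries never overlap, so the sample reports no order-sensitive pairs; it does report entry 70 as shadowed, because a permit placed after `deny any` is never reached.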