Access-lists (Access Control List) ACL order of operation/priority?

Unanswered Question
Apr 1st, 2010

I suppose this question could've gone in just about any area since it's dealing with an object/entity that almost invariably exists in all IOS configurations, but I figured here is the most likely place.

1) What is the order of operation and priority used for the software's evaluation of an ACL?

a) Top down or best match? I believe that part is easy. b) However, what is a better match? An IP address or a port? Obviously a whole socket would be better than either. And I'd prefer to know the entire order of operation and precedence used for ACLs if possible.

There are more IPs than ports in the subsets, so I could infer that ports would be more specific, but I'm unsure, and since I've crossed a point where I've forgotten more than I know (presented with more than twice as much knowledge as I can retain), I don't remember way back to my first Cisco class in the 90's, which is where I was probably presented with the answer.

So my core question: what results in a hit given an ACL where both exist without additional factors; port or IP?  Does the order matter?

Thanks in advance,

->N

neharris Thu, 04/01/2010 - 09:47

http://www.cisco.com/en/US/partner/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#topic1

Process ACLs

Traffic that comes into the router is compared to ACL entries based on the order that the entries occur in the router. New statements are added to the end of the list. The router continues to look until it has a match. If no matches are found when the router reaches the end of the list, the traffic is denied. For this reason, you should have the frequently hit entries at the top of the list. There is an implied deny for traffic that is not permitted. A single-entry ACL with only one deny entry has the effect of denying all traffic. You must have at least one permit statement in an ACL or all traffic is blocked. These two ACLs (101 and 102) have the same effect.

Does this mean that it's whichever comes first?

neharris Thu, 04/01/2010 - 10:33

Let me further clarify:

If using a set of ACLs for class-map matching, in what order are they evaluated? This came about initially because the IOS appears to rearrange the named ACLs alphabetically, and I entered the named ACLs in the order I wanted the hits to happen top down.

So if the ACLs are included in class-maps, what is the order of operation/priority for them?

thank you

ganeshh.iyer Thu, 04/01/2010 - 11:30

Hi,

ACLs are processed in a TOP DOWN process in routers or switches. This means that when a condition in the ACL is met, all processing is stopped. Thus, if there is a permit for network 18.18.18.0 in the fifth line of the ACL but it is denied in the third line of the ACL, then that traffic is denied.

All of the complete statement needs to be matched in order to permit or deny an ACL, whether it is port or IP.

Hope to Help !!

Ganesh.H

Cisco are currently donating money to the Haiti earthquake appeal for every rating so please consider rating all helpful posts.

neharris Thu, 04/01/2010 - 11:46

Thank you

Yes I am using extended named access lists. 

But I suppose what you are inferring is that I must name them alphabetically in order to have them processed as I wish, since regardless of how they are entered into the CLI, it will rearrange them according to the pre-defined sort order for the character set. True?

Jennifer Halim Fri, 04/02/2010 - 01:03

Access-list order of operation is from TOP to BOTTOM, and your access-list needs to be applied somewhere. You can't just configure access-list without applying the access-list anywhere.

For example:

- If you would like to allow HTTP and SMTP traffic towards 200.1.1.1, and allow DNS towards 200.1.1.2, you will configure something like this:

access-list 101 permit tcp any host 200.1.1.1 eq 80
access-list 101 permit tcp any host 200.1.1.1 eq 25
access-list 101 permit udp any host 200.1.1.2 eq 53

Then apply access-list 101 on an interface. For example, your outside interface is Dialer0, you will need to apply it:

interface Dialer0
    ip access-group 101 in

So if there is inbound SMTP traffic towards 200.1.1.2, it will go through access-list 101 from TOP to BOTTOM:

- First it will check the first line --> access-list 101 permit tcp any host 200.1.1.1 eq 80 --> not matching, so it will go down the next line

- Next line is "access-list 101 permit tcp any host 200.1.1.1 eq 25" and the action is "permit" so it will allow the traffic through, and the access-list check stops there (as it matches).

For example, if there is inbound FTP (TCP/21) traffic, it will go through the same process:

- First it will check the first line --> not matching, so it will go down the next line.

- Second line is also not matching --> so it will go down the next line.

- Third line is also not matching --> packet will be denied, as there is an implicit deny at the very bottom of the access-list.

Hope that helps.
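As an added example (not from any post in this thread and not Cisco's code), a small Python evaluator that applies the top-down, first-match rule with the implicit deny to the access-list 101 above, to the "denied on line 3, permitted on line 5" case from the earlier reply, and to the original question of an IP-only line versus a port-specific line. It handles only the ACL syntax subset shown here (any/host/wildcard addresses, optional "eq <port>" on the destination); the 10.1.1.x hosts, the source addresses and the packets are constructed samples.

```python
import ipaddress

# Constructed samples. ACL_101 is the extended ACL from the reply above; ACL_SHADOW
# recreates "denied on line 3, permitted on line 5"; ACL_IP_VS_PORT puts a broad
# IP-only line above a narrower port-specific line (the original poster's question).
ACL_101 = ["access-list 101 permit tcp any host 200.1.1.1 eq 80",
           "access-list 101 permit tcp any host 200.1.1.1 eq 25",
           "access-list 101 permit udp any host 200.1.1.2 eq 53"]
ACL_SHADOW = ["permit ip any host 10.1.1.1", "permit ip any host 10.1.1.2",
              "deny ip 18.18.18.0 0.0.0.255 any", "permit ip any host 10.1.1.3",
              "permit ip 18.18.18.0 0.0.0.255 any"]
ACL_IP_VS_PORT = ["permit ip any host 200.1.1.1", "deny tcp any host 200.1.1.1 eq 80"]

def _parse_addr(t, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    if t[i + 1] == "0.0.0.0":                   # wildcard 0.0.0.0 means a single host
        return ipaddress.ip_network(t[i] + "/32"), i + 2
    # Cisco wildcard (inverted) mask, e.g. 0.0.0.255 -> /24; ipaddress accepts a host mask
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def parse_entry(line):
    t = line.split()
    if t[0] == "access-list":                   # numbered syntax: drop 'access-list <n>'
        t = t[2:]
    action, proto = t[0], t[1]
    src, i = _parse_addr(t, 2)
    dst, i = _parse_addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None  # only 'eq <port>' on dst
    return action, proto, src, dst, dport

def evaluate(acl_lines, proto, src, dst, dport=None):
    """Top-down, first-match evaluation. Returns (action, 1-based line number), or
    ('deny', None) when no line matches and the implicit deny at the bottom applies."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, (action, eproto, esrc, edst, edport) in enumerate(map(parse_entry, acl_lines), 1):
        if eproto not in ("ip", proto):         # the 'ip' keyword matches every IP protocol
            continue
        if src_ip not in esrc or dst_ip not in edst:
            continue
        if edport is not None and edport != dport:
            continue
        return action, n                        # first hit decides; lines below are never read
    return "deny", None
```

Swapping lines 3 and 5 of ACL_SHADOW, or the two lines of ACL_IP_VS_PORT, flips the verdict for the same packet: the position in the list, not how specific the line is, decides.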

Posted April 1, 2010 at 9:45 AM