Cisco Support Community
New Member

access list order of operation

Hello,

If I have the access list configuration mentioned below. As far as the order of operation, the router will start top to down until it finds a match. However, let's say it permits 10.87.21.155; will it stop there if it finds a match for that IP address, or will it apply the rest of the IP addresses and do the next access lists such as 10.87.6.0? What does it mean by match in regards to an access list? Also it says "permit any"; if that command is there, what is the point of having the commands before it, or is there a need for those access list entries before? Can anyone explain how an access list with the matching and permit any statements works?

access-list 10 permit 10.87.21.155
access-list 10 permit 10.87.6.0 0.0.0.255
access-list 10 permit 10.85.3.0 0.0.0.255
access-list 10 permit 10.85.134.0 0.0.0.255
access-list 10 permit any

access-list 10 permit 10.83.17.155
access-list 10 permit 10.83.6.0 0.0.0.255
access-list 10 permit 10.83.2.0 0.0.0.255
access-list 10 permit 10.83.134.0 0.0.0.255
access-list 10 permit any

4 REPLIES
Hall of Fame Super Blue

Re: access list order of operation

Horacio

An ACL is processed from top to bottom. As soon as a line is found that matches, ACL processing stops. It doesn't matter if there are entries further down that would also match, because it never gets to those entries.

In terms of the ACL above, anything after the 5th line, i.e. "permit any", will never be matched because that line matches everything.

Jon

Green

access list order of operation

Horacio,

In a "standard" access list like access-list 10, as soon as the source IP address is matched, the packet is either permitted and hence forwarded, or denied and dropped, depending on what the list says.

At the end of every access list there is a deny any.

If you do not want this then you can set permit any.

It is good practice to match traffic as near to the top of the list as possible, as you are wasting CPU time by searching through very long lists.

This link will help you:-

http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html

Regards,
Alex.
Please rate useful posts.
New Member

access list order of operation

Why would the fifth line "access-list 10 permit any" even be used in this configuration?

Green

access list order of operation

Horacio,

Look at what the list is saying.

permit a

permit b

permit c

permit d

permit any

So what is the point of the list at all?

permit any is going to pass all traffic, so in effect the list is pointless.

You would use something like this, but in reverse:

deny a

deny b

deny c

deny d

permit any

So a, b, c, d would be dropped, but everything else would be forwarded.

Regards,
Alex.
Please rate useful posts.
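Jon's and Alex's replies describe three things: first-match evaluation from the top, the implicit deny any at the end of every list, and the "deny a, b, c, d, then permit any" pattern. The following Python script is an added example, not part of the thread and not Cisco code: it simulates a standard IOS ACL by parsing access-list lines, evaluating a source address top to bottom, falling through to the implicit deny when nothing matches, and flagging lines that can never be reached because an earlier, broader line (such as permit any) already covers them. The two ACL texts are constructed from the addresses in the original post; only contiguous wildcard masks (0.0.0.255 and similar) are supported.

```python
import ipaddress

# Two constructed ACL texts (added example, not the thread's router config):
# POSTED_ACL has the shape of the original post, RECOMMENDED_ACL is Alex's
# "deny a..d, then permit any" pattern with the same addresses.
POSTED_ACL = """
access-list 10 permit 10.87.21.155
access-list 10 permit 10.87.6.0 0.0.0.255
access-list 10 permit 10.85.3.0 0.0.0.255
access-list 10 permit 10.85.134.0 0.0.0.255
access-list 10 permit any
access-list 10 permit 10.83.17.155
access-list 10 permit 10.83.6.0 0.0.0.255
"""

RECOMMENDED_ACL = """
access-list 10 deny 10.87.21.155
access-list 10 deny 10.87.6.0 0.0.0.255
access-list 10 deny 10.85.3.0 0.0.0.255
access-list 10 deny 10.85.134.0 0.0.0.255
access-list 10 permit any
"""


def wildcard_to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair into a CIDR network.

    A wildcard is an inverse mask: 0.0.0.255 covers a /24. Only contiguous
    wildcards are accepted; 0.0.255.0 style masks are rejected rather than
    being silently mis-evaluated.
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc != (1 << wc.bit_length()) - 1:
        raise ValueError(f"non-contiguous wildcard mask {wildcard} not supported")
    return ipaddress.ip_network(f"{addr}/{32 - wc.bit_length()}", strict=False)


def parse_standard_acl(text):
    """Parse 'access-list N permit|deny <source> [wildcard]' lines in order.

    Returns a list of (action, network, line). Standard ACLs match on source
    address only, so that is all we extract. 'any', 'host X', 'X wildcard'
    and a bare address (implicit host) are all handled; remarks are skipped.
    """
    entries = []
    for raw in text.strip().splitlines():
        parts = raw.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] == "remark":
            continue
        action, src = parts[2], parts[3:]
        if action not in ("permit", "deny"):
            raise ValueError(f"unrecognised action in line: {raw}")
        if src[0] == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif src[0] == "host":
            net = ipaddress.ip_network(f"{src[1]}/32")
        elif len(src) == 2:
            net = wildcard_to_network(src[0], src[1])
        else:
            net = ipaddress.ip_network(f"{src[0]}/32")
        entries.append((action, net, raw.strip()))
    return entries


def evaluate(entries, source_ip):
    """First-match, top-to-bottom evaluation of a source address.

    Returns (action, matching_line). Falling off the end means the implicit
    'deny any' that closes every IOS ACL applied, reported as ("deny", None).
    """
    ip = ipaddress.ip_address(source_ip)
    for action, net, line in entries:
        if ip in net:
            return action, line
    return "deny", None


def shadowed_entries(entries):
    """Lines that can never match because an earlier entry covers their whole
    source range (every line after 'permit any' is the obvious case)."""
    shadowed = []
    for i, (_, net, line) in enumerate(entries):
        if any(net.subnet_of(earlier) for _, earlier, _ in entries[:i]):
            shadowed.append(line)
    return shadowed


if __name__ == "__main__":
    for name, text in (("posted", POSTED_ACL), ("recommended", RECOMMENDED_ACL)):
        acl = parse_standard_acl(text)
        print(f"== {name} ACL ==")
        for ip in ("10.87.21.155", "10.87.6.44", "10.83.6.9", "192.0.2.1"):
            print(f"{ip:>14} -> {evaluate(acl, ip)}")
        print("unreachable lines:", shadowed_entries(acl))
    # Same deny list without the closing 'permit any': implicit deny catches the rest.
    print("no permit any:", evaluate(parse_standard_acl(RECOMMENDED_ACL)[:-1], "192.0.2.1"))
```

Run against the posted ACL, 10.83.6.9 is permitted by the fifth line, not the seventh, and both lines after permit any are reported as unreachable; on a real router the same fact shows up as hit counters that never increment for those lines in show access-lists. Note that the shadow check only looks at address coverage, so a deny line hidden behind an earlier permit is also reported, which is the case that actually matters for security.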