access list order of operation

Hello,

If I have the access list configuration mentioned below. As far as the order of operation goes, the router will start from the top down until it finds a match. However, let's say it permits 10.87.21.155: will it stop there if it finds a match for that IP address, or will it apply the rest of the IP addresses and go on to the next access list entries such as 10.87.6.0? What does it mean by "match" in regards to an access list? Also it says "permit any"; if that command is there, what is the point of having the commands before it, or is there a need for those access list entries before it? Can anyone explain how access lists with the matching and "permit any" statements work?

access-list 10 permit 10.87.21.155
access-list 10 permit 10.87.6.0 0.0.0.255
access-list 10 permit 10.85.3.0 0.0.0.255
access-list 10 permit 10.85.134.0 0.0.0.255
access-list 10 permit any

access-list 10 permit 10.83.17.155
access-list 10 permit 10.83.6.0 0.0.0.255
access-list 10 permit 10.83.2.0 0.0.0.255
access-list 10 permit 10.83.134.0 0.0.0.255
access-list 10 permit any

4 Replies

Jon Marshall
Hall of Fame

Horacio

An ACL is processed from top to bottom. As soon as a line is found that matches, ACL processing stops. It doesn't matter if there are entries further down that would also match, because it never gets to those entries.

In terms of the ACL above, anything after the 5th line, i.e. "permit any", will never be matched because that line matches everything.

Jon

acampbell
VIP Alumni

Horacio,

In a "standard" access list like access-list 10,

as soon as the source IP address is matched, the packet is either permitted and hence forwarded, or denied and dropped, depending on what the list says.

At the end of every access list there is a deny any.

If you do not want this then you can set permit any.

It is good practice to match traffic as near to the top of the list as possible, as you are wasting CPU time by searching through very long lists.

This link will help you:

http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html

Regards,
Alex.
Please rate useful posts.


Why would the fifth line "access-list 10 permit any" even be used in this configuration?

Horacio,

Look at what the list is saying.

permit a
permit b
permit c
permit d
permit any

So what is the point of the list at all?

"permit any" is going to pass all traffic, so in effect the list is pointless.

You would use something like this, but in reverse:

deny a
deny b
deny c
deny d
permit any

So a, b, c and d would be dropped, but everything else will be forwarded.

Regards,
Alex.
Please rate useful posts.

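
To make the top-down, first-match behaviour concrete, here is a small simulator added to this thread (not code from the original posts or from Cisco): it parses standard-ACL lines like the ones in the question, stops at the first matching line, applies the implicit "deny any" at the end, and reports which lines can never be reached. The ACL text is a constructed copy of the first group of lines from the question; the test addresses are made up.

```python
import ipaddress

# Constructed copy of the standard ACL 10 from the question (first group of lines).
ACL_10 = """
access-list 10 permit 10.87.21.155
access-list 10 permit 10.87.6.0 0.0.0.255
access-list 10 permit 10.85.3.0 0.0.0.255
access-list 10 permit 10.85.134.0 0.0.0.255
access-list 10 permit any
access-list 10 permit 10.83.17.155
access-list 10 permit 10.83.6.0 0.0.0.255
"""

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def parse_acl(text):
    """Parse standard ACL lines into ordered (action, base, wildcard) tuples."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
            raise ValueError(f"not a standard ACL line: {line!r}")
        if parts[3] == "any":                 # 'any' is 0.0.0.0 with wildcard 255.255.255.255
            base, wild = 0, 0xFFFFFFFF
        elif parts[3] == "host":              # 'host A.B.C.D' is A.B.C.D with wildcard 0.0.0.0
            base, wild = _ip(parts[4]), 0
        else:                                 # a bare address with no wildcard also means one host
            base, wild = _ip(parts[3]), (_ip(parts[4]) if len(parts) > 4 else 0)
        entries.append((parts[2], base, wild))
    return entries

def _matches(addr, base, wild):
    care = ~wild & 0xFFFFFFFF                 # wildcard 1-bits are "don't care"; compare the rest
    return (addr & care) == (base & care)

def evaluate(entries, src):
    """Top-down, first match wins. Returns (action, line number), or ('deny', None) for the implicit deny."""
    addr = _ip(src)
    for n, (action, base, wild) in enumerate(entries, start=1):
        if _matches(addr, base, wild):
            return action, n
    return "deny", None

def shadowed_lines(entries):
    """Line numbers that can never match: an earlier line already covers every address they cover."""
    return [j for j, (_, bj, wj) in enumerate(entries, start=1)
            if any((wj & ~wi) == 0 and _matches(bj, bi, wi) for _, bi, wi in entries[: j - 1])]
```

Running `shadowed_lines(parse_acl(ACL_10))` reports lines 6 and 7 as unreachable, and `evaluate(parse_acl(ACL_10), "10.83.17.155")` is permitted by line 5, never by line 6.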