Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
484
Views
0
Helpful
3
Replies

Access-list confusion!!

Ahmede
Level 1
Level 1

‎02-14-2007 10:43 AM - edited ‎02-20-2020 09:38 PM

I have an access list sorted in a specific order, whn I input this access list to the router, it moves the last line and put it as the first line

Here's what I input to the router

access-list 92 permit 17.129.136.57

access-list 92 permit 10.23.2.35

access-list 92 permit 17.164.136.162

access-list 92 permit 17.131.203.131

access-list 92 permit 179.40.99.0 0.0.0.255

access-list 92 permit 10.24.13.25

and here's how the router sort it..

Standard IP access list 92

60 permit 10.24.13.25

10 permit 17.129.136.57

20 permit 10.23.2.35

30 permit 17.164.136.162

40 permit 17.131.203.131

50 permit 179.40.99.0, wildcard bits 0.0.0.255

That is not causing any problems to us, but I just need to understand why is that?

Thanks for your help..

Labels:
0 Helpful
3 Replies 3

_TDHster_
Level 1
Level 1

‎02-15-2007 12:30 AM

are you enter "no access-list 92" before all?

0 Helpful

vsurillo
Level 1
Level 1

‎02-15-2007 02:23 AM

That's really interesting!!

I'm running IOS 12.3(7)T7 and I get the exact same result when I type in the identical list...

I experimented with some additional hosts and subnets and discovered that the router seems to want to keep the hosts listed above any networks / subnets.

Here's a quick snapshot:

70 permit 2.2.2.2

60 permit 10.24.13.25

10 permit 17.129.136.57

90 permit 17.129.135.57

110 permit 10.23.2.38

20 permit 10.23.2.35

30 permit 17.164.136.162

40 permit 17.131.203.131

50 permit 179.40.99.0, wildcard bits 0.0.0.255

80 permit 2.2.1.0, wildcard bits 0.0.0.255

100 permit 10.22.8.0, wildcard bits 0.0.7.255

I'm not sure if there is a technical explanation for this, but I don't believe it is "harming" anything. As long as you pay attention to the line numbers, you'll be okay.

vrs

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to vsurillo

‎02-15-2007 07:12 AM

This has been the behavior of IOS for a very long time (I think I saw it in 10.0) and is an exception to the rule that when you add a line in an access list that the new line goes to the bottom of the list. This exception is on standard access lists and not extended access lists and it will take any new line that specifies a host (/32) match and moves it above any subnet/network match.

As far as I know it does not harm anything. But it is a bit surprising to see the different behavior.

HTH

Rick

HTH

Rick
0 Helpful
Customers Also Viewed These Support Documents