Cisco Support Community
Community Member

ACL ordering issue.

Has anybody seen an issue such as below with ACL ordering?

I had the following ACL configured:

ip access-list extended QPM_WindowsSMB
 permit tcp any eq 445 any
 permit tcp any any eq 445

I noticed I wasn't getting any hits on the second line.

I changed the order of the first 2 elements and I started to get hits on both.

BTW, I upgraded the router IOS to 12.4(15)T1 on the weekend. Could this be a bug with this new software?

Cheers, SteveK.


Re: ACL ordering issue.

None that I know of.

It basically depends upon the traffic flow

As per the posted list, the first statement is trying to match the traffic that has a source port of 445 and destination any.

The second entry is doing the reverse.


Community Member

Re: ACL ordering issue.

Another possibility is that any TCP traffic with a destination of port 445 always has a source port of 445. Assuming you didn't see this on your prior IOS, one would tend to suspect the new code.

You could turn on/off flow cache, and/or on/off compiled ACLs (if supported on your platform), and/or try a numbered access list and see if there's a change in behavior.
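The following is an added example, not code from the thread or from Cisco: a small first-match evaluator for the two ACEs in the original post. It illustrates both replies above, that the two lines match different directions of an SMB flow (a client-to-server packet only matches the "any any eq 445" line, the server's reply only matches the "any eq 445 any" line), and that a packet with 445 as both source and destination port matches both lines, so only the first one listed ever counts it. The Packet/Ace/AccessList classes, the sample traffic and the overlap case are all constructed for the example and are not something the thread describes.

```python
"""Added example: first-match evaluation of the IOS-style ACL from the post.

The ACE grammar is a deliberately small subset of IOS syntax:
'<permit|deny> <tcp|udp> any [eq N] any [eq N]'. Everything here is a
constructed model, not a Cisco implementation.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src_port: int
    dst_port: int


class Ace:
    """One access control entry; counts how often it was the first match."""
    _PATTERN = re.compile(
        r"^(permit|deny)\s+(tcp|udp)\s+any(?:\s+eq\s+(\d+))?\s+any(?:\s+eq\s+(\d+))?$"
    )

    def __init__(self, line):
        m = self._PATTERN.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE: {line!r}")
        self.action, self.proto, src, dst = m.groups()
        self.src_port = int(src) if src else None   # None == 'any' port
        self.dst_port = int(dst) if dst else None
        self.text = line.strip()
        self.hits = 0

    def matches(self, pkt):
        return (pkt.proto == self.proto
                and (self.src_port is None or pkt.src_port == self.src_port)
                and (self.dst_port is None or pkt.dst_port == self.dst_port))


class AccessList:
    """Ordered list of ACEs evaluated top-down, first match wins."""

    def __init__(self, config):
        self.entries = [Ace(l) for l in config.strip().splitlines()
                        if l.strip() and not l.strip().startswith("ip access-list")]

    def evaluate(self, pkt):
        for ace in self.entries:
            if ace.matches(pkt):
                ace.hits += 1
                return ace.action
        return "deny"  # implicit deny at the end of every IOS ACL

    def hit_counts(self):
        return [(a.text, a.hits) for a in self.entries]


# The ACL exactly as posted in the thread.
POSTED_ACL = """
ip access-list extended QPM_WindowsSMB
 permit tcp any eq 445 any
 permit tcp any any eq 445
"""

# Constructed traffic for the example (not captures from the poster's router).
SAMPLE_TRAFFIC = [
    Packet("tcp", 50000, 445),  # client -> SMB server: matches only line 2
    Packet("tcp", 445, 50000),  # server -> client:     matches only line 1
    Packet("tcp", 445, 445),    # 445 on both ends:     matches both, first wins
    Packet("udp", 445, 445),    # not tcp:              falls to implicit deny
]


def hit_counts_for(config, traffic):
    """Run traffic through the ACL; return per-ACE hit counts and the actions."""
    acl = AccessList(config)
    actions = [acl.evaluate(p) for p in traffic]
    return acl.hit_counts(), actions


def reversed_acl(config):
    """Same ACL with the ACE order swapped, as the poster did."""
    lines = config.strip().splitlines()
    header, aces = lines[0], lines[1:]
    return "\n".join([header] + aces[::-1])


if __name__ == "__main__":
    for label, cfg in (("as posted", POSTED_ACL), ("reordered", reversed_acl(POSTED_ACL))):
        counts, actions = hit_counts_for(cfg, SAMPLE_TRAFFIC)
        print(label, counts, actions)
```

With the posted order, the overlap packet is counted on the first line; after reordering it moves to the other line. Each direction of a normal client-to-server SMB flow is still counted by exactly one line in either order, which is why a real flow should produce hits on both lines regardless of ordering; if only the overlap case were present (every packet with source port 445), the second line would never be hit, which is the situation the second reply describes.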
