standard ip ACL

I tried to use the commands below to check a standard IP ACL:

R3(config)#ip access-list standard cisco123

R3(config-std-nacl)#1 permit 1.1.1.0 0.0.0.255

R3(config-std-nacl)#2 deny 2.2.2.0 0.0.0.255

R3(config-std-nacl)#3 permit any

R3(config-std-nacl)#4 deny any

R3(config-std-nacl)#5 permit host 1.1.1.1

R3(config-std-nacl)#6 deny host 2.2.2.2

R3(config-std-nacl)#7 permit 1.1.1.2

R3(config-std-nacl)#8 deny host 2.2.2.3

R3(config-std-nacl)#9 permit host 2.2.3.5

R3(config-std-nacl)#10 deny host 2.2.3.6

R3(config-std-nacl)#11 permit 3.3.3.0 0.0.0.255

But I find the order of the rules is abnormal.

R3(config-std-nacl)#do sh access-list cisco123

Standard IP access list cisco123

    5 permit 1.1.1.1

    6 deny   2.2.2.2

    8 deny   2.2.2.3

    7 permit 1.1.1.2

    10 deny   2.2.3.6

    9 permit 2.2.3.5

    1 permit 1.1.1.0, wildcard bits 0.0.0.255

    2 deny   2.2.2.0, wildcard bits 0.0.0.255

    3 permit any

    4 deny   any

    11 permit 3.3.3.0, wildcard bits 0.0.0.255

According to the output, entries defined by host have higher priority than those defined by prefix/mask and any. The entries defined by host are also disordered (5, 6, 8, 7, 10). How do ACL entries order the entries?

BTW, if no entries are defined by host, the order is normal in a standard IP ACL.

Thanks a lot

Martin


Re: standard ip ACL

You must order the entries yourself according to the logic, and that is key for the ACL to work as intended.

I don't know why the output is re-ordered, and I would not care about it, although it's a valid question.
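
Added example, not part of either post and not Cisco code: a small Python audit of the ACL from the question under first-match semantics with an implicit deny. It lists entries that can never match because an earlier entry covers them, and lets you compare verdicts for the typed sequence order and the displayed order; it does not assert which order the router evaluates. The function names are hypothetical.

```python
import ipaddress

# Entries as typed in the question: (sequence, action, address, wildcard).
# "host X" or a bare address is wildcard 0.0.0.0; "any" is 0.0.0.0 255.255.255.255.
ACL = [
    (1, "permit", "1.1.1.0", "0.0.0.255"),
    (2, "deny", "2.2.2.0", "0.0.0.255"),
    (3, "permit", "0.0.0.0", "255.255.255.255"),
    (4, "deny", "0.0.0.0", "255.255.255.255"),
    (5, "permit", "1.1.1.1", "0.0.0.0"),
    (6, "deny", "2.2.2.2", "0.0.0.0"),
    (7, "permit", "1.1.1.2", "0.0.0.0"),
    (8, "deny", "2.2.2.3", "0.0.0.0"),
    (9, "permit", "2.2.3.5", "0.0.0.0"),
    (10, "deny", "2.2.3.6", "0.0.0.0"),
    (11, "permit", "3.3.3.0", "0.0.0.255"),
]
DISPLAYED = [5, 6, 8, 7, 10, 9, 1, 2, 3, 4, 11]  # order printed by "sh access-list"

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def matches(entry, src):
    """Wildcard match: bits set in the wildcard are ignored."""
    care = ~to_int(entry[3]) & 0xFFFFFFFF
    return (to_int(src) & care) == (to_int(entry[2]) & care)

def covers(a, b):
    """True if every source address matched by entry b is also matched by a."""
    care = ~to_int(a[3]) & 0xFFFFFFFF
    return (to_int(b[3]) & care) == 0 and (to_int(a[2]) & care) == (to_int(b[2]) & care)

def verdict(entries, src):
    """First matching entry wins; no match falls through to the implicit deny."""
    for e in entries:
        if matches(e, src):
            return e[0], e[1]
    return None, "deny"

def shadowed(entries):
    """Sequence numbers fully covered by a single earlier entry (never reached)."""
    return [b[0] for i, b in enumerate(entries) if any(covers(a, b) for a in entries[:i])]

def in_order(seqs):
    by_seq = {e[0]: e for e in ACL}
    return [by_seq[s] for s in seqs]

if __name__ == "__main__":
    print(shadowed(in_order(range(1, 12))), shadowed(in_order(DISPLAYED)))
```

For this list the two orders disagree only on source 2.2.3.6: `permit any` (3) wins in sequence order, the host deny (10) wins in displayed order.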
