Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
973
Views
0
Helpful
3
Replies

Statement order in a standard ACL

michael.martens
Level 1
Level 1

‎06-09-2009 10:35 AM - edited ‎03-04-2019 05:03 AM

I am attempting to determine how entries in a standard ACL are actually added to a router's config.

I have read that the ACL statements are entered into the config in the order that they were typed, or that they are in a descending IP order, but I have tested this and see that it is not the case.

For example, if I create the following new ACL:

SPARE6509(config)#access-list 50 permit 170.50.11.3

SPARE6509(config)#access-list 50 permit 170.50.10.7

SPARE6509(config)#access-list 50 permit 184.5.1.149

SPARE6509(config)#access-list 50 permit 184.7.17.223

SPARE6509(config)#access-list 50 permit 170.50.26.83

SPARE6509(config)#access-list 50 deny any log

SPARE6509(config)#access-list 50 permit 170.50.68.0 0.0.0.255

SPARE6509(config)#exit

the order of the statements in the config are as follows, as per the show commands (they are in a different order than how they were entered - I cannot see any reason why they were added in this order):

SPARE6509#sho access-list 50

Standard IP access list 50

30 permit 184.5.1.149

40 permit 184.7.17.223

10 permit 170.50.11.3

20 permit 170.50.10.7

50 permit 170.50.26.83

60 deny any log

70 permit 170.50.68.0, wildcard bits 0.0.0.255

SPARE6509#show run (excerpt)

access-list 50 permit 184.5.1.149

access-list 50 permit 184.7.17.223

access-list 50 permit 170.50.11.3

access-list 50 permit 170.50.10.7

access-list 50 permit 170.50.26.83

access-list 50 deny any log

access-list 50 permit 170.50.68.0 0.0.0.255

This is a Catalyst 6509 w/Sup32, with IOS 12.2(18)SXF6.

Can anyone confirm how the lines of a standard ACL are added to the config?

Thanks.

Labels:
0 Helpful
3 Replies 3

cisco_lad2004
Level 5
Level 5

‎06-09-2009 11:09 AM

Michael,

Actually there are in the order you have entered them. ACL will be processed according the seq number.

try show ip access-list 50 ?

HTH

Sam

0 Helpful

michael.martens
Level 1
Level 1
In response to cisco_lad2004

‎06-09-2009 11:49 AM

Sam,

I agree that the sequence numbers match the order of how the commands were entered.

However, is there any logic as to how the ACL is actually constructed?

As you can see from my original output, the sequence numbers do not follow what is displayed with "show run" or "show access-list 50" (which is the order in which the ACL statemnts are actually matched).

My issue is that it is difficult to determine the actual running order of ACL statements, as it appears to differ from how they were entered.

If I add new statements, how do I know where they will actually be placed in the ACL?

Regards,

Mike

0 Helpful

cisco_lad2004
Level 5
Level 5
In response to michael.martens

‎06-09-2009 12:21 PM

Agreed !

This will happen in any platform as far as I can see not just 6500.

The rule you stated is true about extended ACLs but does not apply to standard ones. for the latter descending order of IPs is used.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml

HTH

Sam

PS: Well spotted, I never paid attention to this important point.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card