topic ACL not appearing in order in Network Security

ACL not appearing in order

cisco24x7 — Mon, 11 Mar 2019 12:03:46 GMT

Anyone know why? When I perform "show access-list 12", line 30 appears before line 10, see below:

VPN_1(config)#line vty 0 4

VPN_1(config-line)#no access-class 12 in

VPN_1(config-line)#exit

VPN_1(config)#no access-list 12

VPN_1(config)#access-list 12 permit host 172.25.2.254

VPN_1(config)#access-list 12 permit host 192.168.155.205

VPN_1(config)#access-list 12 permit host 192.168.250.26

VPN_1(config)#access-list 12 permit 192.168.148.128 0.0.0.127

VPN_1(config)#access-list 12 permit 172.25.6.0 0.0.0.15

VPN_1(config)#access-list 12 permit 10.3.4.16 0.0.0.15

VPN_1(config)#access-list 12 permit 192.168.141.0 0.0.0.255

VPN_1(config)#access-list 12 deny any log

VPN_1(config)#line vty 0 4

VPN_1(config-line)#access-class 12 in

VPN_1(config-line)#

VPN_1(config-line)#^Z

VPN_1#sh access-list 12

Standard IP access list 12

30 permit 192.168.250.26

10 permit 172.25.2.254

20 permit 192.168.155.205

40 permit 192.168.148.128, wildcard bits 0.0.0.127

50 permit 172.25.6.0, wildcard bits 0.0.0.15

60 permit 10.3.4.16, wildcard bits 0.0.0.15

70 permit 192.168.141.0, wildcard bits 0.0.0.255

80 deny any log

VPN_1#sh ver

Cisco IOS Software, 7200 Software (C7200-JK9O3S-M), Version 12.4(16), RELEASE SOFTWARE (fc1)

Technical Support: http://www.cisco.com/techsupport

Compiled Wed 20-Jun-07 18:15 by prod_rel_team

ROM: System Bootstrap, Version 12.0(19991120:010612) [nlaw-conn_4xe_ECC 112], DEVELOPMENT SOFTWARE

BOOTLDR: 7200 Software (C7200-BOOT-M), Version 12.0(9)S, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

VPN_1 uptime is 1 day, 13 hours, 39 minutes

System returned to ROM by reload at 22:57:17 UTC Fri Feb 15 2008

System restarted at 23:01:07 UTC Fri Feb 15 2008

System image file is "tftp://192.168.114.101/c7200-jk9o3s-mz.124-16.bin"

Last reload reason: Reload Command

Re: ACL not appearing in order

Richard Burts — Sun, 17 Feb 2008 17:50:46 GMT

David

The standard IP access list has for a very long time been the exception to the rule that entries in an access list appear in the order in which they were entered. The standard IP access list will reorder entries so that any host specific entry appears before any subnet or network entry.

I have not seen it reorder host specific entries. But I guess that it is a possible effect of the reorder mechanism.

Or I wonder if there is some other possible explanation. Is it possible that in the version of access list 12 that you deleted was the 192.168.250.26 perhaps the first entry in the list? I have seen a few instances where there appears to be some persisting memory of things that were configured and then removed (the most obvious example are Frame Relay subinterfaces which still show up in show ip interface brief even after they are deleted from the config). If you remove the access list, reboot the router and then recreate the list does it still change the order? Or if you remove access list 12 and then create access list 13 (where no 13 had previously existed) does it still change the order?

HTH

Rick

Re: ACL not appearing in order

cisco24x7 — Sun, 17 Feb 2008 19:43:34 GMT

Rick,

"If you remove the access list, reboot the router and then

recreate the list does it still change the order? Or if you

remove access list 12 and then create access list 13

(where no 13 had previously existed) does it still change the order?"

I already tried what you've suggested with the same result

even with several reboots. I get the same result with IOS version

12.3 as well.

David

Re: ACL not appearing in order

JORGE RODRIGUEZ — Sun, 17 Feb 2008 20:12:20 GMT

interesting! I played a bit whith Davi's acl on a 3640 router running code 12.3 for sake of seeing how ios compliles acl in this particular example and it turns out if 172.25.2.254 is placed between 192.168.155.205 and 26 the order is seen proper..I could not still decipher why would the acl needed to be in this order to get proper acl order output, if I enter the acl in the order original implemented I would get a different output in the acl order.

e.g

rtr-3640(config)#access-list 12 permit host 192.168.155.205

rtr-3640(config)#access-list 12 permit host 172.25.2.254

rtr-3640(config)#access-list 12 permit host 192.168.250.26

rtr-3640(config)#access-list 12 permit 192.168.148.128 0.0.0.127

rtr-3640(config)#access-list 12 permit 172.25.6.0 0.0.0.15

rtr-3640(config)#access-list 12 permit 10.3.4.16 0.0.0.15

rtr-3640(config)#access-list 12 permit 192.168.141.0 0.0.0.255

rtr-3640(config)#access-list 12 deny any log

rtr-3640(config)#exit

rtr-3640#show access-lists 12

Standard IP access list 12

10 permit 192.168.155.205

20 permit 172.25.2.254

30 permit 192.168.250.26

40 permit 192.168.148.128, wildcard bits 0.0.0.127

50 permit 172.25.6.0, wildcard bits 0.0.0.15

60 permit 10.3.4.16, wildcard bits 0.0.0.15

70 permit 192.168.141.0, wildcard bits 0.0.0.255

80 deny any log

Other example

rtr-3640(config)#no access-list 12

rtr-3640(config)#access-list 12 permit host 172.25.2.254

rtr-3640(config)#access-list 12 permit host 192.168.155.205

rtr-3640(config)#access-list 12 permit host 192.168.250.26

rtr-3640(config)#access-list 12 permit 192.168.148.128 0.0.0.127

rtr-3640(config)#access-list 12 permit 172.25.6.0 0.0.0.15

rtr-3640(config)#access-list 12 permit 10.3.4.16 0.0.0.15

rtr-3640(config)#access-list 12 permit 192.168.141.0 0.0.0.255

rtr-3640(config)#access-list 12 deny any log

rtr-3640(config)#

rtr-3640(config)#exit

rtr-3640#show access-lists 12

Standard IP access list 12

20 permit 192.168.155.205

10 permit 172.25.2.254

30 permit 192.168.250.26

40 permit 192.168.148.128, wildcard bits 0.0.0.127

50 permit 172.25.6.0, wildcard bits 0.0.0.15

60 permit 10.3.4.16, wildcard bits 0.0.0.15

70 permit 192.168.141.0, wildcard bits 0.0.0.255

80 deny any log

Cisco Internetwork Operating System Software

IOS (tm) 3600 Software (C3640-JK9O3S-M), Version 12.3(25), RELEASE SOFTWARE (fc1)

Compiled Mon 28-Jan-08 20:44 by alnguyen