Hi Rick,

Yes they are standard ACLs (for VTY access), I've built them with host specific at the top, with a remark above each one to identify which team member the ip belongs to. At the bottom I've put the network or more general entries. It does keep them seperated (hosts at top, networks at the bottom), but it does reorder the hosts.

Thanks,

Steve

The following shows what I put in and what I get back with show run or show access-lists 5

What I put in:

ip access-list standard 5

remark ACL for VTY access

remark Network Engineers

permit a.b.c.81

permit a.b.c.130

permit a.b.c.173

permit a.b.c.183

permit a.b.c.201

permit a.b.c.202

permit a.b.c.205

permit a.b.c.206

permit a.b.c.207

permit a.b.c.208

permit a.b.c.209

remark VPN Connection

permit 10.8.11.2

permit 10.8.11.3

permit 10.8.11.4

permit 10.8.11.5

permit 10.8.11.6

remark Network Management Systems

permit 10.8.100.0 0.0.0.255

access-list 5 remark Allow all net devices to connect to all net devices

permit 0.0.0.252 255.255.255.0

permit 0.0.0.253 255.255.255.0

permit 0.0.0.254 255.255.255.0

permit 192.168.51.0 0.0.0.255

permit 192.168.52.0 0.0.0.255

permit 10.8.1.0 0.0.0.255

permit 10.16.1.0 0.0.0.255

permit 10.24.1.0 0.0.0.255

permit 10.32.1.0 0.0.0.255

permit 10.40.1.0 0.0.0.255

permit 10.48.1.0 0.0.0.255

permit 10.56.1.0 0.0.0.255

permit 10.72.1.0 0.0.0.255

permit 10.80.1.0 0.0.0.255

deny any log

What I get with show run or show ip access-list 5

access-list 5 permit a.b.c.208

access-list 5 permit a.b.c.209

access-list 5 permit 10.8.11.3

access-list 5 remark VPN Connection

access-list 5 permit 10.8.11.2

access-list 5 permit 10.8.11.5

access-list 5 permit 10.8.11.4

access-list 5 permit 10.8.11.6

access-list 5 permit a.b.c.201

access-list 5 permit a.b.c.202

access-list 5 permit a.b.c.205

access-list 5 permit a.b.c.206

access-list 5 permit a.b.c.207

access-list 5 permit a.b.c.130

access-list 5 permit a.b.c.183

access-list 5 permit a.b.c.173

access-list 5 remark ACL for VTY access

access-list 5 remark Network Engineers

access-list 5 permit a.b.c.81

access-list 5 remark Network Management Systems

access-list 5 permit 10.8.100.0 0.0.0.255

access-list 5 remark Allow all net devices to connect to all net devices

access-list 5 permit 0.0.0.252 255.255.255.0

access-list 5 permit 0.0.0.253 255.255.255.0

access-list 5 permit 0.0.0.254 255.255.255.0

access-list 5 permit 192.168.51.0 0.0.0.255

access-list 5 permit 192.168.52.0 0.0.0.255

access-list 5 permit 10.8.1.0 0.0.0.255

access-list 5 permit 10.16.1.0 0.0.0.255

access-list 5 permit 10.24.1.0 0.0.0.255

access-list 5 permit 10.32.1.0 0.0.0.255

access-list 5 permit 10.40.1.0 0.0.0.255

access-list 5 permit 10.48.1.0 0.0.0.255

access-list 5 permit 10.56.1.0 0.0.0.255

access-list 5 permit 10.72.1.0 0.0.0.255

access-list 5 permit 10.80.1.0 0.0.0.255

access-list 5 deny any log

Steve

Other than the reordering to put host entries before more general entries I have not been aware that Cisco did other reordering (and believe that in most of my experience standard lists generally follow the rule of listing in the order entered). Clearly that is not happening with your list. And I have no explanation for it. Perhaps some of the Cisco folk can help us understand what is happening.

HTH

Rick

why?

I am getting the same behavior on a 2611 router with 12.1(27). Remark statements are getting moved around which makes them useless. Also, I have noticed that IOS seems to want similarly numbered host addresses listed with in descending order.