ACL line order issues

JGwade31701
Level 1

I am experiencing issues when modifying ACLs. Example below:

router#conf t
router(config)#ip access-list standard 75
router(config-std-nacl)#permit 10.31.40.54
router(config-std-nacl)#permit 10.31.181.138
router(config-std-nacl)#end

When these commands are issued, this is what is displayed when I run router#sh access-lists 75:

Standard IP access list 75
    10 permit 10.31.40.54
    20 permit 10.31.181.138

And when I run router#sh run | in access-list 75, this is what's displayed:

access-list 75 permit 10.31.40.54
access-list 75 permit 10.31.181.138

All of which are correct.

However, when I remove the two permit statements and change the second octet of each statement to 32 or anything greater than that, the larger IP address always switches itself to the top and I can't make it revert back to the bottom. Example as follows:

router#conf t
router(config)#ip access-list standard 75
router(config-std-nacl)#permit 10.32.40.54
router(config-std-nacl)#permit 10.32.181.138
router(config-std-nacl)#end

When these commands are issued, this is what is displayed when I run router#sh access-lists 75:

Standard IP access list 75
    20 permit 10.32.181.138
    10 permit 10.32.40.54

And when I run router#sh run | in access-list 75, this is what's displayed:

access-list 75 permit 10.31.181.138
access-list 75 permit 10.31.40.54

This is not the order I want it to be displayed in.

Can anyone explain why this is happening, and how do I correct it?

V/r

Greg Wade

1 Reply

Mark Malone
VIP Alumni

I can't exactly explain why Cisco have it set like that; the higher IP gets chosen in a lot of automatic features in rules, but you could try using ACL resequencing to try and avoid the automatic placement when using the ip access-list syntax.

http://www.cisco.com/c/en/us/td/docs/ios/12_2s/feature/guide/fsaclseq.html#wp1042954

IP Access List Entry Sequence Numbering

Benefits

The ability to apply sequence numbers to IP access list entries simplifies access list changes. Prior to the IP Access List Entry Sequence Numbering feature, there was no way to specify the position of an entry within an access list. If a user wanted to insert an entry (statement) in the middle of an existing list, all of the entries after the desired position had to be removed, then the new entry was added, and then all the removed entries had to be reentered. This method was cumbersome and error prone.

This feature allows users to add sequence numbers to access list entries and resequence them. When a user adds a new entry, the user chooses the sequence number so that it is in a desired position in the access list. If necessary, entries currently in the access list can be resequenced to create room to insert the new entry.

Sequence Numbering Behavior

For backward compatibility with previous releases, if entries with no sequence numbers are applied, the first entry is assigned a sequence number of 10, and successive entries are incremented by 10. The maximum sequence number is 2147483647. If the generated sequence number exceeds this maximum number, the following message is displayed:

	Exceeded maximum sequence number.

If the user enters an entry without a sequence number, it is assigned a sequence number that is 10 greater than the last sequence number in that access list and is placed at the end of the list.

If the user enters an entry that matches an already existing entry (except for the sequence number), then no changes are made.

If the user enters a sequence number that is already present, the following error message is generated:

	Duplicate sequence number.

If a new access list is entered from global configuration mode, then sequence numbers for that access list are generated automatically.

Distributed support is provided so that the sequence numbers of entries in the Route Processor (RP) and line card (LC) are in synchronization at all times.

Sequence numbers are not nvgened. That is, the sequence numbers themselves are not saved. In the event that the system is reloaded, the configured sequence numbers revert to the default sequence starting number and increment. The function is provided for backward compatibility with software releases that do not support sequence numbering.

This feature works with named standard and extended IP access lists. Because the name of an access list can be designated as a number, numbers are acceptable.
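As an added example that is not part of the post or of Cisco's documentation, the Python model below implements the sequence-numbering rules quoted in the reply (entries without a number start at 10 and step by 10, the 2147483647 maximum, "Duplicate sequence number.", no change for an entry identical except for its number, and resequencing) and parses `show access-lists` output in the format shown in the question. It also adds the check a practitioner wants before worrying about display order: whether any two entries overlap while carrying different actions, because only then does order change which sources are permitted under first-match evaluation. The two host entries in the question do not overlap, so either display order gives the same permit/deny result for every source address. The class and method names are assumptions; wildcard matching follows Cisco semantics (a set wildcard bit means "don't care").

```python
import ipaddress
import re

# Cisco IOS sequence-number limit quoted in the documentation above.
MAX_SEQ = 2147483647

# One line of 'show access-lists' output for a standard ACL, e.g.
#   '    20 permit 10.32.181.138'
#   '    30 deny 10.0.0.0, wildcard bits 0.255.255.255'
ENTRY_RE = re.compile(
    r'^\s*(?:(\d+)\s+)?(permit|deny)\s+(\S+?)(?:,\s+wildcard bits\s+(\S+))?\s*$')


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _target(addr, wildcard):
    """'any' or (address, wildcard) -> (int address, int wildcard)."""
    return (0, 0xFFFFFFFF) if addr == 'any' else (_ip(addr), _ip(wildcard or '0.0.0.0'))


class StandardAcl:
    """Standard IP ACL (assumed model, not IOS code). Entries are
    (seq, action, addr, wildcard) kept in evaluation order; first match wins,
    with the implicit deny at the end."""

    def __init__(self, name):
        self.name = name
        self.entries = []

    def add(self, action, addr, wildcard='0.0.0.0', seq=None):
        """Add an entry under the quoted sequencing rules. Returns the sequence
        number used, or None when an identical entry already exists."""
        a, w = _target(addr, wildcard)
        if any(e[1:] == (action, a, w) for e in self.entries):
            return None                       # same entry, only seq differs: no change
        if seq is None:
            seq = max(e[0] for e in self.entries) + 10 if self.entries else 10
            if seq > MAX_SEQ:
                raise ValueError('Exceeded maximum sequence number.')
        elif any(e[0] == seq for e in self.entries):
            raise ValueError('Duplicate sequence number.')
        self.entries.append((seq, action, a, w))
        self.entries.sort(key=lambda e: e[0])   # an explicit seq places the entry
        return seq

    def resequence(self, start=10, step=10):
        """Model of 'ip access-list resequence <name> <start> <step>'."""
        if self.entries and start + step * (len(self.entries) - 1) > MAX_SEQ:
            raise ValueError('Exceeded maximum sequence number.')
        self.entries = [(start + i * step, act, a, w)
                        for i, (_, act, a, w) in enumerate(self.entries)]

    def evaluate(self, src):
        """First-match lookup for a source address -> (action, seq); implicit deny."""
        ip = _ip(src)
        for seq, action, a, w in self.entries:
            if (ip | w) == (a | w):           # wildcard bits are 'don't care'
                return action, seq
        return 'deny', None

    def order_conflicts(self):
        """Pairs of entries whose relative order changes the permit/deny result:
        overlapping targets with different actions. Empty => order is irrelevant."""
        out = []
        for i, (s1, act1, a1, w1) in enumerate(self.entries):
            for s2, act2, a2, w2 in self.entries[i + 1:]:
                overlap = ((a1 ^ a2) & ~(w1 | w2) & 0xFFFFFFFF) == 0
                if overlap and act1 != act2:
                    out.append((s1, s2))
        return out

    @classmethod
    def from_show(cls, text):
        """Parse 'show access-lists' output, preserving the order IOS displays."""
        acl = None
        for line in text.splitlines():
            m = re.match(r'^\s*Standard IP access list (\S+)', line)
            if m:
                acl = cls(m.group(1))
                continue
            m = ENTRY_RE.match(line)
            if m and acl is not None:
                seq, action, addr, wild = m.groups()
                acl.entries.append((int(seq) if seq else 0, action, *_target(addr, wild)))
        return acl


if __name__ == '__main__':
    # Constructed from the two 'show access-lists 75' outputs in the question.
    before = "Standard IP access list 75\n    10 permit 10.32.40.54\n    20 permit 10.32.181.138\n"
    after = "Standard IP access list 75\n    20 permit 10.32.181.138\n    10 permit 10.32.40.54\n"
    for src in ('10.32.40.54', '10.32.181.138', '10.32.40.55'):
        print(src, StandardAcl.from_show(before).evaluate(src)[0],
              StandardAcl.from_show(after).evaluate(src)[0])
    print('order-sensitive pairs:', StandardAcl.from_show(after).order_conflicts())
```

Feeding the two outputs from the question through `order_conflicts()` returns an empty list, which is the quick way to confirm that IOS moving the higher address to the top changed only the display, not the policy. The check matters when a later `deny` with a wildcard is added above or below a host `permit`: that pair is reported, and its relative sequence numbers then have to be set deliberately (or resequenced) rather than left to the default placement.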
