
Incorrect order of acl entries

Hi,

On some routers we use ACLs.

For example:

access-list 1 permit 1.1.1.1
access-list 1 permit 2.2.2.2
access-list 1 permit 3.3.3.3

But after typing the lines, the order in the configuration (sh run / sh access-list) is not the same as the order in which I typed them.

For example:

access-list 1 permit 2.2.2.2
access-list 1 permit 1.1.1.1
access-list 1 permit 3.3.3.3

Does anybody know if this is a known bug or something like that?

I tested several platforms and several current IOS versions, but every time I noticed this behaviour.

Many thanks

Thorsten Steffen


royalblues
Level 10

very strange.

I have never run into such problems.

What is the platform and which IOS version are you experiencing this on?

Narayan

Pavel Bykov
Level 5

Have you tried entering the lines one by one? I'm just trying to make sure it's not a copy-paste problem with the clipboard.

Does your IOS support sequence numbers?

Try this:

"
ip access-list standard 1
10 permit 1.1.1.1
20 permit 2.2.2.2
30 permit 3.3.3.3
"

Thorsten

I am not clear whether the situation that you are running into is really 3 host specific references in the access list or whether this is just a general reference. Perhaps you can clarify this.

I have run into 1 situation where the IOS will change the order of access list statements, and it has had this behavior for a very long time. If you are entering a standard access list (but not an extended access list) and if you enter some subnet or network statements and some host specific statements the IOS will put the host specific statements before the subnet and network statements.

If this is not the situation that you are running into then I suggest that you capture a session which shows you configuring an access list in one order and then do show access-list where we see it in a different order. This might help us to understand what is going on.

HTH

Rick

Hi Rick,

Meanwhile I did some more tests to answer your questions.

The problem is not specific to 3 hosts but general.

And the problem occurs on many platforms (perhaps on all the ones we use).

I tested it on two platforms; you can see the results below.

The acl I used:

access-list 10 remark >>> Test-ACL <<<
access-list 10 remark > Network2 <
access-list 10 permit 3.3.0.0 0.0.255.255
access-list 10 remark > Server1 <
access-list 10 permit 1.1.1.1
access-list 10 remark > Network1 <
access-list 10 permit 2.2.2.0 0.0.0.255
access-list 10 remark > Server2 <
access-list 10 permit 5.5.5.5

--------------

Platform:
cisco WS-C6509-E (R7000) processor
IOS (tm) s72033_rp Software (s72033_rp-ENTSERVICESK9_WAN-M), Version 12.2(18)SXF4

router1(config)#access-list 10 remark >>> Test-ACL <<<
router1(config)#access-list 10 remark > Network2 <
router1(config)#access-list 10 permit 3.3.0.0 0.0.255.255
router1(config)#access-list 10 remark > Server1 <
router1(config)#access-list 10 permit 1.1.1.1
router1(config)#access-list 10 remark > Network1 <
router1(config)#access-list 10 permit 2.2.2.0 0.0.0.255
router1(config)#access-list 10 remark > Server2 <
router1(config)#access-list 10 permit 5.5.5.5
router1(config)#do show access-l 10
Standard IP access list 10
20 permit 1.1.1.1
40 permit 5.5.5.5
10 permit 3.3.0.0, wildcard bits 0.0.255.255
30 permit 2.2.2.0, wildcard bits 0.0.0.255
router1(config)#do sh run | begin access-li
access-list 10 remark > Server1 <
access-list 10 permit 1.1.1.1
access-list 10 remark > Server2 <
access-list 10 permit 5.5.5.5
access-list 10 remark >>> Test-ACL <<<
access-list 10 remark > Network2 <
access-list 10 permit 3.3.0.0 0.0.255.255
access-list 10 remark > Network1 <
access-list 10 permit 2.2.2.0 0.0.0.255

---------------

Platform:
cisco 7206VXR (NPE400) processor
IOS (tm) 7200 Software (C7200-JK8S-M), Version 12.2(40)

router2(config)#access-list 10 remark >>> Test-ACL <<<
router2(config)#access-list 10 remark > Network2 <
router2(config)#access-list 10 permit 3.3.0.0 0.0.255.255
router2(config)#access-list 10 remark > Server1 <
router2(config)#access-list 10 permit 1.1.1.1
router2(config)#access-list 10 remark > Network1 <
router2(config)#access-list 10 permit 2.2.2.0 0.0.0.255
router2(config)#access-list 10 remark > Server2 <
router2(config)#access-list 10 permit 5.5.5.5
router2(config)#^Z
router2#show access-lists 10
Standard IP access list 10
permit 1.1.1.1
permit 5.5.5.5
permit 3.3.0.0, wildcard bits 0.0.255.255
permit 2.2.2.0, wildcard bits 0.0.0.255
router2#sh run | begin access-li
access-list 10 remark > Server1 <
access-list 10 permit 1.1.1.1
access-list 10 remark > Server2 <
access-list 10 permit 5.5.5.5
access-list 10 remark >>> Test-ACL <<<
access-list 10 remark > Network2 <
access-list 10 permit 3.3.0.0 0.0.255.255
access-list 10 remark > Network1 <
access-list 10 permit 2.2.2.0 0.0.0.255

------------------

The hint to use "ip access-list standard 10" and to order the lines by numbering them didn't help either:

router1(config)#ip access-list standard 10
router1(config-std-nacl)# remark >>> Test-ACL <<<
router1(config-std-nacl)# remark > Network2 <
router1(config-std-nacl)#10 permit 3.3.0.0 0.0.255.255
router1(config-std-nacl)# remark > Server1 <
router1(config-std-nacl)#20 permit 1.1.1.1
router1(config-std-nacl)# remark > Network1 <
router1(config-std-nacl)#30 permit 2.2.2.0 0.0.0.255
router1(config-std-nacl)# remark > Server2 <
router1(config-std-nacl)#40 permit 5.5.5.5
router1(config-std-nacl)#do show access-l
router1(config-std-nacl)#do show access-li
router1(config-std-nacl)#do show access-li 10
Standard IP access list 10
20 permit 1.1.1.1
40 permit 5.5.5.5
10 permit 3.3.0.0, wildcard bits 0.0.255.255
30 permit 2.2.2.0, wildcard bits 0.0.0.255

-----

Is there any possibility/command to determine the ACL order (e.g. configuration order or longest match)?

Regards,

Thorsten

Thorsten

Thanks for supplying additional details. This shows that it is exactly what I described in my previous post: you are configuring a standard access list and you have 2 network/subnet entries and 2 host specific (default mask 0.0.0.0) entries. The behavior of IOS is to put the host specific entries first. And this is exactly what is happening.

I do not know of any command or anything that you can do to change this behavior. Is it causing a problem? Or is it just that it is behaving in an unexpected way?

HTH

Rick
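
Rick's rule (host entries listed ahead of network entries, with sequence numbers still following the typing order) as a small Python model; this is an added example written for this thread, not Cisco code, and parse_standard_acl, display_order, evaluate and policy_differences are names chosen here. The mixed permit/deny list at the end is constructed to show which addresses would need checking on a real box if the same reordering applied there, something the thread's all-permit lists never exercise.

```python
import ipaddress

def parse_standard_acl(lines):
    """Parse 'access-list N permit|deny ADDR [WILDCARD]' lines; remark lines are skipped."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] == "remark":
            continue
        action = parts[2]
        addr = parts[4] if parts[3] == "host" else parts[3]              # 'permit host A.B.C.D' form
        wildcard = "0.0.0.0" if parts[3] == "host" or len(parts) < 5 else parts[4]
        entries.append((action, addr, wildcard))
    return entries

def display_order(entries):
    """(seq, action, addr, wildcard) in the order 'show access-lists' prints a standard ACL:
    sequence numbers follow typing order, host entries (wildcard 0.0.0.0) are listed first."""
    numbered = [(10 * (i + 1),) + e for i, e in enumerate(entries)]
    hosts = [e for e in numbered if e[3] == "0.0.0.0"]
    nets = [e for e in numbered if e[3] != "0.0.0.0"]
    return hosts + nets

def matches(probe, addr, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    p, a, w = (int(ipaddress.IPv4Address(x)) for x in (probe, addr, wildcard))
    return ((p ^ a) & ~w) == 0

def evaluate(entries, probe):
    """First-match evaluation; every IOS ACL ends with an implicit deny."""
    for action, addr, wildcard in entries:
        if matches(probe, addr, wildcard):
            return action
    return "deny"

def policy_differences(entries, probes):
    """Probe addresses whose result differs between typed order and displayed order."""
    shown = [e[1:] for e in display_order(entries)]
    return [p for p in probes if evaluate(entries, p) != evaluate(shown, p)]

# Thorsten's test ACL from this thread (remarks are ignored by the parser).
THREAD_ACL = parse_standard_acl(["access-list 10 remark >>> Test-ACL <<<",
    "access-list 10 permit 3.3.0.0 0.0.255.255", "access-list 10 permit 1.1.1.1",
    "access-list 10 permit 2.2.2.0 0.0.0.255", "access-list 10 permit 5.5.5.5"])

# Constructed contrast case (not from the thread): a host deny typed after a covering network permit.
MIXED_ACL = parse_standard_acl(["access-list 20 permit 2.2.2.0 0.0.0.255",
                                "access-list 20 deny 2.2.2.7"])

if __name__ == "__main__":
    for seq, action, addr, wc in display_order(THREAD_ACL):
        print(seq, action, addr, wc)          # 20, 40, 10, 30: the order router1 showed
```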

Hi Rick,

Thanks for your answer.

Just one more question about the following output:

----
router1(config)#do show access-l 10
Standard IP access list 10
20 permit 1.1.1.1
40 permit 5.5.5.5
10 permit 3.3.0.0, wildcard bits 0.0.255.255
30 permit 2.2.2.0, wildcard bits 0.0.0.255
-----

Am I right that the router will use the ACL in the order shown above? If yes, why does it number the lines 20/40/10/30? That is the order in which I entered the lines.

The behaviour does not cause an operational problem but a cosmetic one. I want to use remarks to describe every line, but the IOS changes the assignment of the remark lines.

In our operational environment I use an ACL only with hosts, which looks like this when I enter it:

access-list 1 remark > SNMP Server <
access-list 1 remark > Spectro-Main <
access-list 1 permit 149.219.3.59
access-list 1 remark > Spectro-Back <
access-list 1 permit 149.219.3.60
access-list 1 remark > MRTG <
access-list 1 permit 149.219.3.58
access-list 1 remark > Spectro-Test <
access-list 1 permit 10.10.100.159

In the configuration the order is changed:

sh run | include access-list
access-list 1 remark > Spectro-Back <
access-list 1 permit 149.219.3.60
access-list 1 remark > SNMP Server <
access-list 1 remark > Spectro-Main <
access-list 1 permit 149.219.3.59
access-list 1 remark > MRTG <
access-list 1 permit 149.219.3.58
access-list 1 remark > Spectro-Test <
access-list 1 permit 10.10.100.159

core1#show access-lists 1
Standard IP access list 1
20 permit 149.219.3.60 (12 matches)
10 permit 149.219.3.59 (20 matches)
30 permit 149.219.3.58
40 permit 10.10.100.159

So there is a change in order which I don't understand. Also the headline remark is now in the middle of the acl.

When I use a second test acl everything looks fine:

access-list 2 remark > headline <
access-list 2 remark > server1 <
access-list 2 permit 1.1.1.1
access-list 2 remark > server2 <
access-list 2 permit 2.2.2.2
access-list 2 remark > server3 <
access-list 2 permit 3.3.3.3
access-list 2 remark > server4 <
access-list 2 permit 4.4.4.4

sh run | include access-l
access-list 2 remark > headline <
access-list 2 remark > server1 <
access-list 2 permit 1.1.1.1
access-list 2 remark > server2 <
access-list 2 permit 2.2.2.2
access-list 2 remark > server3 <
access-list 2 permit 3.3.3.3
access-list 2 remark > server4 <
access-list 2 permit 4.4.4.4

show access-lists 2
Standard IP access list 2
10 permit 1.1.1.1
20 permit 2.2.2.2
30 permit 3.3.3.3
40 permit 4.4.4.4

Do you have an idea what the reason is?

Many thanks in advance,

Thorsten

Omer Ataoglu
Level 1

Hi,

I found that a named access-list suffers from the same issue, viewed with "sh run" as well as with "show ip access-list":

#sh ip access-list SNMP_Access
Standard IP access list SNMP_Access
    100 permit 10.172.32.159
    120 permit 10.1.10.73
    20 permit 10.172.32.223
    110 permit 10.172.32.246
    10 permit 10.172.32.3
    60 permit 10.172.122.4
    30 permit 10.172.122.1
    40 permit 10.172.122.2
    50 permit 10.172.122.3
    70 permit 10.174.48.114
    80 permit 10.172.32.118
    90 permit 10.172.32.119

WS-C2960S-48TD-L
System image file is "flash:/c2960s-universalk9-mz.122-55.SE5/c2960s-universalk9-mz.122-55.SE5.bin"

Till now I have found nothing about this in the release notes saying that this is a known bug or a fixed caveat.

A newer version of IOS still has the same issue:

Cisco IOS Software, C2960X Software (C2960X-UNIVERSALK9-M), Version 15.2(6)E1, RELEASE SOFTWARE (fc4)

A5ws01#show access-list SNMP_Access
Standard IP access list SNMP_Access
10 permit 10.174.48.140 (177698 matches)
70 permit 10.171.172.122 (26440 matches)
80 permit 10.171.172.119
20 permit 10.174.48.19 (282028 matches)
100 permit 172.23.1.8 (25560 matches)
90 permit 172.23.1.4 (25284 matches)
30 permit 10.172.122.5
40 permit 10.172.122.6
50 permit 10.172.32.118
60 permit 10.172.32.119
110 deny any log