07-02-2007 11:00 PM - edited 03-05-2019 05:05 PM
Hi,
on some routers we use acls.
For example:
access-list 1 permit 1.1.1.1
access-list 1 permit 2.2.2.2
access-list 1 permit 3.3.3.3
But after typing the lines the order in the configuration (sh run / sh access-list) is not the same as the one I typed the lines.
For example:
access-list 1 permit 2.2.2.2
access-list 1 permit 1.1.1.1
access-list 1 permit 3.3.3.3
Does anybody know if this is a known bug or something like that?
I tested several platforms and several current ios versions but every time I noticed this behaviour.
Many thanks
Thorsten Steffen
07-03-2007 02:28 AM
very strange.
I have never run into such problems.
What is the platform and in which IOS version are you experiencing this?
Narayan
07-03-2007 02:53 AM
Have you tried entering the lines one by one? I'm just trying to make sure it's not a copy-paste problem with the clipboard.
Does your IOS support sequence numbers?
Try this:
"
ip access-list standard 1
10 permit 1.1.1.1
20 permit 2.2.2.2
30 permit 3.3.3.3
"
07-03-2007 06:27 PM
Thorsten
I am not clear whether the situation that you are running into is really 3 host specific references in the access list or whether this is just a general reference. Perhaps you can clarify this.
I have run into 1 situation where the IOS will change the order of access list statements, and it has had this behavior for a very long time. If you are entering a standard access list (but not an extended access list) and if you enter some subnet or network statements and some host specific statements the IOS will put the host specific statements before the subnet and network statements.
If this is not the situation that you are running into then I suggest that you capture a session in which it shows your configuring an access list in one order and then do show access-list where we see it in a different order. This might help us to understand what is going on.
HTH
Rick
07-03-2007 10:36 PM
Hi Rick,
meanwhile I did some more tests to answer your questions.
The problem is not 3 host specific but general.
And the problem occurs on many platforms (perhaps on all ones we use).
I tested it on two platforms, the result you can see below.
The acl I used:
access-list 10 remark >>> Test-ACL <<<
access-list 10 remark > Network2 <
access-list 10 permit 3.3.0.0 0.0.255.255
access-list 10 remark > Server1 <
access-list 10 permit 1.1.1.1
access-list 10 remark > Network1 <
access-list 10 permit 2.2.2.0 0.0.0.255
access-list 10 remark > Server2 <
access-list 10 permit 5.5.5.5
--------------
Platform:
cisco WS-C6509-E (R7000) processor
IOS (tm) s72033_rp Software (s72033_rp-ENTSERVICESK9_WAN-M), Version 12.2(18)SXF4
router1(config)#access-list 10 remark >>> Test-ACL <<<
router1(config)#access-list 10 remark > Network2 <
router1(config)#access-list 10 permit 3.3.0.0 0.0.255.255
router1(config)#access-list 10 remark > Server1 <
router1(config)#access-list 10 permit 1.1.1.1
router1(config)#access-list 10 remark > Network1 <
router1(config)#access-list 10 permit 2.2.2.0 0.0.0.255
router1(config)#access-list 10 remark > Server2 <
router1(config)#access-list 10 permit 5.5.5.5
router1(config)#do show access-l 10
Standard IP access list 10
20 permit 1.1.1.1
40 permit 5.5.5.5
10 permit 3.3.0.0, wildcard bits 0.0.255.255
30 permit 2.2.2.0, wildcard bits 0.0.0.255
router1(config)#do sh run | begin access-li
access-list 10 remark > Server1 <
access-list 10 permit 1.1.1.1
access-list 10 remark > Server2 <
access-list 10 permit 5.5.5.5
access-list 10 remark >>> Test-ACL <<<
access-list 10 remark > Network2 <
access-list 10 permit 3.3.0.0 0.0.255.255
access-list 10 remark > Network1 <
access-list 10 permit 2.2.2.0 0.0.0.255
---------------
Platform:
cisco 7206VXR (NPE400) processor IOS (tm) 7200 Software (C7200-JK8S-M), Version 12.2(40)
router2(config)#access-list 10 remark >>> Test-ACL <<<
router2(config)#access-list 10 remark > Network2 <
router2(config)#access-list 10 permit 3.3.0.0 0.0.255.255
router2(config)#access-list 10 remark > Server1 <
router2(config)#access-list 10 permit 1.1.1.1
router2(config)#access-list 10 remark > Network1 <
router2(config)#access-list 10 permit 2.2.2.0 0.0.0.255
router2(config)#access-list 10 remark > Server2 <
router2(config)#access-list 10 permit 5.5.5.5
router2(config)#^Z
router2#show access-lists 10
Standard IP access list 10
permit 1.1.1.1
permit 5.5.5.5
permit 3.3.0.0, wildcard bits 0.0.255.255
permit 2.2.2.0, wildcard bits 0.0.0.255
router2#sh run | begin access-li
access-list 10 remark > Server1 <
access-list 10 permit 1.1.1.1
access-list 10 remark > Server2 <
access-list 10 permit 5.5.5.5
access-list 10 remark >>> Test-ACL <<<
access-list 10 remark > Network2 <
access-list 10 permit 3.3.0.0 0.0.255.255
access-list 10 remark > Network1 <
access-list 10 permit 2.2.2.0 0.0.0.255
------------------
The hint to use "ip access-list standard 10" and to order the lines by numbering them didn't help either:
router1(config)#ip access-list standard 10
router1(config-std-nacl)# remark >>> Test-ACL <<<
router1(config-std-nacl)# remark > Network2 <
router1(config-std-nacl)#10 permit 3.3.0.0 0.0.255.255
router1(config-std-nacl)# remark > Server1 <
router1(config-std-nacl)#20 permit 1.1.1.1
router1(config-std-nacl)# remark > Network1 <
router1(config-std-nacl)#30 permit 2.2.2.0 0.0.0.255
router1(config-std-nacl)# remark > Server2 <
router1(config-std-nacl)#40 permit 5.5.5.5
router1(config-std-nacl)#do show access-l
router1(config-std-nacl)#do show access-li
router1(config-std-nacl)#do show access-li 10
Standard IP access list 10
20 permit 1.1.1.1
40 permit 5.5.5.5
10 permit 3.3.0.0, wildcard bits 0.0.255.255
30 permit 2.2.2.0, wildcard bits 0.0.0.255
-----
Is there any possibility/command to determine the acl order (e.g. configuration or longest match)
Regards,
Thorsten
07-04-2007 08:00 AM
Thorsten
Thanks for supplying additional details. This shows that it is exactly what I described in my previous post: you are configuring a standard access list and you have 2 network/subnet entries and 2 host specific (default mask 0.0.0.0) entries. The behavior of IOS is to put the host specific entries first. And this is exactly what is happening.
I do not know of any command or anything that you can do to change this behavior. Is it causing a problem? Or is it just that it is behaving in an unexpected way?
HTH
Rick
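As an added illustration (not code from the thread), the following Python model reproduces the ordering Rick describes, host entries ahead of network entries with relative order otherwise kept, and checks whether that reordering can change the first-match verdict for a given address. ACL10 mirrors the permit-only list posted above; MIXED is a constructed list with a deny, where the reordering does change the result.

```python
# Added example, not from the thread: a small model of the standard-ACL
# reordering described above, used to check whether moving host entries
# ahead of network entries changes the first-match result for an address.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    action: str                # "permit" or "deny"
    address: str               # e.g. "3.3.0.0"
    wildcard: str = "0.0.0.0"  # IOS default for a host entry

    def is_host(self) -> bool:
        return self.wildcard == "0.0.0.0"

    def matches(self, ip: str) -> bool:
        # Wildcard semantics: a 1 bit in the wildcard means "don't care".
        a = int(ipaddress.IPv4Address(self.address))
        w = int(ipaddress.IPv4Address(self.wildcard))
        return (int(ipaddress.IPv4Address(ip)) | w) == (a | w)

def ios_order(entries):
    """Model of the behaviour described in the thread: host entries first,
    then network entries; relative order within each group is kept."""
    hosts = [e for e in entries if e.is_host()]
    nets = [e for e in entries if not e.is_host()]
    return hosts + nets

def evaluate(entries, ip):
    """First-match evaluation; a standard ACL ends with an implicit deny."""
    for e in entries:
        if e.matches(ip):
            return e.action
    return "deny"

def reorder_changes_result(entries, ips):
    """Addresses whose verdict differs between entered order and IOS order."""
    reordered = ios_order(entries)
    return [ip for ip in ips if evaluate(entries, ip) != evaluate(reordered, ip)]

# Constructed sample mirroring the thread's ACL 10 (permit-only, no overlap).
ACL10 = [Entry("permit", "3.3.0.0", "0.0.255.255"), Entry("permit", "1.1.1.1"),
         Entry("permit", "2.2.2.0", "0.0.0.255"), Entry("permit", "5.5.5.5")]
# Constructed mixed-action list: a host deny inside a permitted network.
MIXED = [Entry("permit", "2.2.2.0", "0.0.0.255"), Entry("deny", "2.2.2.7")]
```

With permit-only, non-overlapping entries the reordering is cosmetic; with a host deny inside a permitted network it is not, so the effective policy should be read from the reordered output rather than from the order typed.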
07-05-2007 02:00 AM
Hi Rick,
thanks for your answer.
Just one more question to the following output:
----
router1(config)#do show access-l 10
Standard IP access list 10
20 permit 1.1.1.1
40 permit 5.5.5.5
10 permit 3.3.0.0, wildcard bits 0.0.255.255
30 permit 2.2.2.0, wildcard bits 0.0.0.255
-----
Am I right that the router will use the acl in the order shown above? If yes, why does it number the lines 20/40/10/30? This is the order I entered the lines.
The behaviour does not cause an operational problem but a cosmetic problem. I want to use remarks to describe every line, but the ios changes the assignment of the remark lines.
In our operational environment I use an acl only with hosts which looks like that when I enter it:
access-list 1 remark > SNMP Server <
access-list 1 remark > Spectro-Main <
access-list 1 permit 149.219.3.59
access-list 1 remark > Spectro-Back <
access-list 1 permit 149.219.3.60
access-list 1 remark > MRTG <
access-list 1 permit 149.219.3.58
access-list 1 remark > Spectro-Test <
access-list 1 permit 10.10.100.159
In the configuration the order is changed:
sh run | include access-list
access-list 1 remark > Spectro-Back <
access-list 1 permit 149.219.3.60
access-list 1 remark > SNMP Server <
access-list 1 remark > Spectro-Main <
access-list 1 permit 149.219.3.59
access-list 1 remark > MRTG <
access-list 1 permit 149.219.3.58
access-list 1 remark > Spectro-Test <
access-list 1 permit 10.10.100.159
core1#show access-lists 1
Standard IP access list 1
20 permit 149.219.3.60 (12 matches)
10 permit 149.219.3.59 (20 matches)
30 permit 149.219.3.58
40 permit 10.10.100.159
So there is a change in order which I don't understand. Also the headline remark is now in the middle of the acl.
When I use a second test acl everything looks fine:
access-list 2 remark > headline <
access-list 2 remark > server1 <
access-list 2 permit 1.1.1.1
access-list 2 remark > server2 <
access-list 2 permit 2.2.2.2
access-list 2 remark > server3 <
access-list 2 permit 3.3.3.3
access-list 2 remark > server4 <
access-list 2 permit 4.4.4.4
sh run | include access-l
access-list 2 remark > headline <
access-list 2 remark > server1 <
access-list 2 permit 1.1.1.1
access-list 2 remark > server2 <
access-list 2 permit 2.2.2.2
access-list 2 remark > server3 <
access-list 2 permit 3.3.3.3
access-list 2 remark > server4 <
access-list 2 permit 4.4.4.4
show access-lists 2
Standard IP access list 2
10 permit 1.1.1.1
20 permit 2.2.2.2
30 permit 3.3.3.3
40 permit 4.4.4.4
Do you have an idea what is the reason?
Many thanks in advance,
Thorsten
11-08-2013 07:07 AM
Hi,
I found that named access-lists suffer from the same, as viewed with "sh run" as well as with "show ip access-list":
#sh ip access-list SNMP_Access
Standard IP access list SNMP_Access
100 permit 10.172.32.159
120 permit 10.1.10.73
20 permit 10.172.32.223
110 permit 10.172.32.246
10 permit 10.172.32.3
60 permit 10.172.122.4
30 permit 10.172.122.1
40 permit 10.172.122.2
50 permit 10.172.122.3
70 permit 10.174.48.114
80 permit 10.172.32.118
90 permit 10.172.32.119
WS-C2960S-48TD-L
System image file is "flash:/c2960s-universalk9-mz.122-55.SE5/c2960s-universalk9-mz.122-55.SE5.bin"
Till now I have found nothing about this in release notes, that this is a known bug or a fixed caveat.
01-11-2019 05:08 AM
A newer version of IOS still has the same issue:
Cisco IOS Software, C2960X Software (C2960X-UNIVERSALK9-M), Version 15.2(6)E1, RELEASE SOFTWARE (fc4)
A5ws01#show access-list SNMP_Access
Standard IP access list SNMP_Access
10 permit 10.174.48.140 (177698 matches)
70 permit 10.171.172.122 (26440 matches)
80 permit 10.171.172.119
20 permit 10.174.48.19 (282028 matches)
100 permit 172.23.1.8 (25560 matches)
90 permit 172.23.1.4 (25284 matches)
30 permit 10.172.122.5
40 permit 10.172.122.6
50 permit 10.172.32.118
60 permit 10.172.32.119
110 deny any log
01-11-2019 05:40 AM