Beginner

Odd ACL behavior

Hello,

Could anyone please shed some light on this?

Router(config)#ip access-list s 22
Router(config-std-nacl)#permit host 10.0.0.1
Router(config-std-nacl)#deny host 11.0.0.1
Router(config-std-nacl)#permit host 12.0.0.1
Router(config-std-nacl)#deny host 13.0.0.1
Router(config-std-nacl)#permit any
Router(config-std-nacl)#exit

Router(config)#do sho ip access-l
Standard IP access list 22
    20 deny   11.0.0.1
    10 permit 10.0.0.1
    40 deny   13.0.0.1
    30 permit 12.0.0.1
    50 permit any
Router(config)#

I'm not sure I understand why the router re-ordered the access list statements. This is on IOS 15.2, but 12.4 does the same thing. It gets really weird when I want to manage the ACL by sequence numbers.

Router(config)#
Router(config)#ip access-l s 22
Router(config-std-nacl)#5 deny host 10.0.0.2
Router(config-std-nacl)#7 permit 10.0.0.128 0.0.0.127
Router(config-std-nacl)#exit
Router(config)#do sho access-l
Standard IP access list 22
    5 deny   10.0.0.2
    20 deny   11.0.0.1
    10 permit 10.0.0.1
    40 deny   13.0.0.1
    30 permit 12.0.0.1
    7 permit 10.0.0.128, wildcard bits 0.0.0.127
    50 permit any
Router(config)#

Line 7 ends up under line 30... is there an automatic more-to-less specific thing going on here?

Thanks

Hall of Fame Master

Odd ACL behavior

Yes. It has been a consistent behavior of IOS (though not so well documented) that for standard access lists it will place the more specific host entries ahead of less specific subnet and network entries.

HTH

Rick
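An added example (not from this thread or from Cisco) that models the behaviour Rick describes: a first-match evaluator is run over a constructed standard ACL in the order it was typed, and again with host entries moved ahead of subnet entries, to report addresses whose permit/deny verdict changes. It assumes the displayed order is the order the router evaluates, and that the shuffling among the host entries seen above is harmless because distinct host entries never match the same address; the ACL and addresses are constructed, not the poster's.

```python
import ipaddress

# Constructed standard ACL in the order an operator typed it (hypothetical,
# not the router output from the thread): a subnet permit followed by a
# host deny that overlaps it. Entries are (action, address, wildcard mask).
CONFIGURED = [
    ("permit", "10.0.0.0",  "0.0.0.255"),
    ("deny",   "10.0.0.5",  "0.0.0.0"),
    ("permit", "192.0.2.7", "0.0.0.0"),
    ("deny",   "0.0.0.0",   "255.255.255.255"),   # explicit "deny any"
]

def matches(entry, addr):
    """Standard ACL match: bits where the wildcard is 0 must equal the entry."""
    _, net, wild = entry
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wild))
    return (a & ~w) == (n & ~w)

def first_match(acl, addr):
    """First-match evaluation with the implicit deny at the end of the list."""
    for entry in acl:
        if matches(entry, addr):
            return entry[0]
    return "deny"

def ios_order(acl):
    """Model of the reordering described in the thread (assumption): host
    entries (wildcard 0.0.0.0) are placed ahead of subnet/network entries.
    Relative order inside each group is kept; any shuffling among host
    entries does not change results because distinct hosts never overlap."""
    hosts = [e for e in acl if e[2] == "0.0.0.0"]
    nets = [e for e in acl if e[2] != "0.0.0.0"]
    return hosts + nets

def verdict_changes(acl, addrs):
    """Addresses whose verdict differs between typed order and IOS order,
    mapped to (verdict as typed, verdict after reordering)."""
    reordered = ios_order(acl)
    changes = {}
    for a in addrs:
        typed, actual = first_match(acl, a), first_match(reordered, a)
        if typed != actual:
            changes[a] = (typed, actual)
    return changes

if __name__ == "__main__":
    # Constructed sample of source addresses to audit.
    print(verdict_changes(CONFIGURED, ["10.0.0.5", "10.0.0.9", "192.0.2.7", "203.0.113.1"]))
```

Only 10.0.0.5 changes verdict: the operator typed a list that permits it, but with the host entry hoisted ahead of the subnet entry the router denies it, so overlapping host and subnet entries with opposite actions are the ones worth checking in a standard ACL.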

Beginner

Odd ACL behavior

Richard,

Thank you. Any inkling as to why it re-orders the host statements? When I did the input, the order was 10, 11, 12, 13. The show has it in 11, 10, 13, 12 order. None of those addresses are more specific, bit-wise at least....

Thanks

Hall of Fame Master

Odd ACL behavior

I do not have an explanation of why the host entries in your first series of entries were changed. I can only explain (sort of) why line 7 moved to almost the bottom of the access list.

Perhaps someone else in the forum has an explanation of why the initial host entries changed from the original order of entry.

HTH

Rick
