Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
465
Views
0
Helpful
3
Replies

Odd ACL behavior

riedmueller
Level 1
Level 1

‎06-11-2013 11:32 AM - edited ‎03-07-2019 01:50 PM

Hello,

Could anyone please shed some light on this?

Router(config)#ip access-list s 22
Router(config-std-nacl)#permit host 10.0.0.1
Router(config-std-nacl)#deny host 11.0.0.1
Router(config-std-nacl)#permit host 12.0.0.1
Router(config-std-nacl)#deny host 13.0.0.1
Router(config-std-nacl)#permit any
Router(config-std-nacl)#exit
Router(config)#do sho ip access-l
Standard IP access list 22
    20 deny   11.0.0.1
    10 permit 10.0.0.1
    40 deny   13.0.0.1
    30 permit 12.0.0.1
    50 permit any
Router(config)#

I'm not sure I understand why the router re-ordered the access list statements. This is on IOS 15.2, but 12.4 does the same thing. It gets really weird when I want to manage the ACL by sequence numbers

Router(config)#
Router(config)#ip access-l s 22
Router(config-std-nacl)#5 deny host 10.0.0.2
Router(config-std-nacl)#7 permit 10.0.0.128 0.0.0.127
Router(config-std-nacl)#exit
Router(config)#do sho access-l
Standard IP access list 22
    5 deny   10.0.0.2
    20 deny   11.0.0.1
    10 permit 10.0.0.1
    40 deny   13.0.0.1
    30 permit 12.0.0.1
    7 permit 10.0.0.128, wildcard bits 0.0.0.127
    50 permit any
Router(config)#

Line 7 ends up under line 30... is there an automatic more-to-less specific thing going on here?

Thanks

Labels:
0 Helpful
3 Replies 3

Richard Burts
Hall of Fame
Hall of Fame

‎06-11-2013 12:41 PM

Yes. It has been a consistent behavior of IOS (though not so well documented) that for standard access lists it will place the more specific host entries ahead of less specific subnet and network entries.

HTH

Rick

HTH

Rick
0 Helpful

riedmueller
Level 1
Level 1
In response to Richard Burts

‎06-11-2013 01:18 PM

Richard,

Thank You. Any inkling as to why it re-orders the host statements? When I did the input, the order was 10,11,12,13. The show has it in 11,10,13,12 order. None of those addresses are more-specific, bit wise at least....

Thanks

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to riedmueller

‎06-11-2013 01:40 PM

I do not have an explanation of why the host entries in your first series of entries were changed. I can only explain (sort of) why line 7 moved to almost the bottom of the access list.

Perhaps someone else in the forum has an explanation of why the initial host entries changed from the original order of entry.

HTH

Rick

HTH

Rick
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card