From: kristof@uk-systems.com
Date: Tue Nov 25 2003 - 09:02:15 GMT-3
Group,
on CCO I read:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfacls.htm#1001122
The order of access list statements is important! When
the router is deciding whether to forward or block a
packet, the Cisco IOS software tests the packet against
each criteria statement in the order in which the
statements were created. After a match is found, no
more criteria statements are checked.
But on a router I see:
Router#conf t
access-list 14 permit host 1.2.3.4
access-list 14 permit host 1.2.3.5
access-list 14 permit host 1.2.3.6
access-list 14 permit 20.0.0.0 0.0.255.255
access-list 14 permit host 1.2.3.7
access-list 14 permit host 1.2.3.8
<ctrl-Z>
Router#sh access-lists 14
Standard IP access list 14
permit 1.2.3.4
permit 1.2.3.5
permit 1.2.3.6
permit 1.2.3.7
permit 1.2.3.8
permit 20.0.0.0, wildcard bits 0.0.255.255
Router#
I know the result will be the same, but if the 1.2.3.7
and 1.2.3.8 matches only happen once a year, and the
20.0.0.0/16 match 1000 times a day, the router will do 2000
checks a day too many.
Can somebody explain??
Kristof.
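Added example (not part of Kristof's post or Cisco's documentation): a small first-match evaluator for standard ACL entries with wildcard masks, run over the list in the order it was typed and in the order `show access-lists` displayed it. It assumes IOS's implicit deny at the end of the list and a constructed daily traffic profile; it shows that both orderings give the same permit/deny verdict for this permit-only list while the number of entries tested per packet differs, which is the 2000 extra comparisons the post counts.

```python
import ipaddress

def ip2int(dotted):
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def parse_ace(text):
    """Parse 'permit host A.B.C.D' or 'permit A.B.C.D W.X.Y.Z' into
    (action, address, wildcard). 'host' is shorthand for wildcard 0.0.0.0."""
    parts = text.split()
    if parts[1] == "host":
        addr, wild = parts[2], "0.0.0.0"
    else:
        addr, wild = parts[1], parts[2]
    return parts[0], ip2int(addr), ip2int(wild)

def ace_matches(ace, ip):
    """Wildcard-mask match: bits set in the wildcard are 'don't care' bits."""
    _, addr, wild = ace
    care = ~wild & 0xFFFFFFFF
    return (ip2int(ip) ^ addr) & care == 0

def evaluate(acl, ip):
    """First-match evaluation. Returns (action, number of entries tested).
    An unmatched packet falls through to the implicit deny after the last entry."""
    for tested, ace in enumerate(acl, 1):
        if ace_matches(ace, ip):
            return ace[0], tested
    return "deny", len(acl)

# The list in the order it was typed at the CLI ...
AS_TYPED = [parse_ace(t) for t in (
    "permit host 1.2.3.4", "permit host 1.2.3.5", "permit host 1.2.3.6",
    "permit 20.0.0.0 0.0.255.255", "permit host 1.2.3.7", "permit host 1.2.3.8")]
# ... and in the order 'show access-lists 14' displayed it (host entries first).
AS_SHOWN = [parse_ace(t) for t in (
    "permit host 1.2.3.4", "permit host 1.2.3.5", "permit host 1.2.3.6",
    "permit host 1.2.3.7", "permit host 1.2.3.8", "permit 20.0.0.0 0.0.255.255")]
# Constructed daily traffic profile: 1000 packets from the /16, one from a host entry.
TRAFFIC = {"20.0.5.5": 1000, "1.2.3.7": 1}

def total_tests(acl, traffic):
    """Total entry comparisons the router performs for the traffic profile."""
    return sum(evaluate(acl, ip)[1] * count for ip, count in traffic.items())

if __name__ == "__main__":
    for ip in ("20.0.5.5", "1.2.3.7", "9.9.9.9"):
        print(ip, "typed:", evaluate(AS_TYPED, ip), "shown:", evaluate(AS_SHOWN, ip))
    print("comparisons/day:", total_tests(AS_TYPED, TRAFFIC), total_tests(AS_SHOWN, TRAFFIC))
```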
This archive was generated by hypermail 2.1.4 : Fri Dec 12 2003 - 12:29:17 GMT-3