RE: Order of ACL statements

From: Kenneth Wygand (KWygand@customonline.com)
Date: Tue Nov 25 2003 - 11:19:06 GMT-3


Kristof,

That is very interesting. Even more interesting is if you paste the
following access list commands:

access-list 14 permit host 1.2.3.4
access-list 14 permit host 1.2.3.5
access-list 14 permit host 1.2.3.6
access-list 14 deny 1.2.0.0 0.0.255.255
access-list 14 permit host 1.2.3.7
access-list 14 permit host 1.2.3.8

The IOS rearranges them in the following manner:

access-list 14 permit host 1.2.3.4
access-list 14 permit host 1.2.3.5
access-list 14 permit host 1.2.3.6
access-list 14 permit host 1.2.3.7
access-list 14 permit host 1.2.3.8
access-list 14 deny 1.2.0.0 0.0.255.255

My only thought is that the commands are sorted by the length of
increasing "wildcard mask bits". I've never seen this stated anywhere
though, so can anyone confirm?

Thanks,

Kenneth E. Wygand
Systems Engineer, Project Services
CISSP #37102, CCNP, CCDP, Cisco IPT Design Specialist, MCP, CNA,
Network+, A+
Custom Computer Specialists, Inc.
"Real Engineers Debug in Binary."
-kw

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
kristof@uk-systems.com
Sent: Tuesday, November 25, 2003 7:02 AM
To: ccielab@groupstudy.com
Subject: Order of ACL statements

Group,

on CCO I read:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfacls.htm#1001122

The order of access list statements is important! When
the router is deciding whether to forward or block a
packet, the Cisco IOS software tests the packet against
each criteria statement in the order in which the
statements were created. After a match is found, no
more criteria statements are checked.

But on a router I see:
Router#conf t
access-list 14 permit host 1.2.3.4
access-list 14 permit host 1.2.3.5
access-list 14 permit host 1.2.3.6
access-list 14 permit 20.0.0.0 0.0.255.255
access-list 14 permit host 1.2.3.7
access-list 14 permit host 1.2.3.8
<ctrl-Z>
Router#sh access-lists 14
Standard IP access list 14
    permit 1.2.3.4
    permit 1.2.3.5
    permit 1.2.3.6
    permit 1.2.3.7
    permit 1.2.3.8
    permit 20.0.0.0, wildcard bits 0.0.255.255
Router#

I know the result will be the same, but if the 1.2.3.7
and 1.2.3.8 matches only happen once a year, and the
20.0.0.0/16 1000 times a day, the router will do 2000
checks a day too much.

Can somebody explain??

Kristof.



This archive was generated by hypermail 2.1.4 : Fri Dec 12 2003 - 12:29:17 GMT-3