[c-nsp] issue with basic access-list reordering
John Kougoulos
koug at intracom.gr
Thu Jul 8 04:25:55 EDT 2010
On Wed, 7 Jul 2010, Pete Lumbis wrote:
> This is part of standard ACL optimization. This optimization completely
> disregards comments. It's annoying and a bug was filed eons ago about this
> and it was junked as part of expected behavior. See CSCdu55701.
>
> -Pete
>
> On Wed, Jul 7, 2010 at 2:58 PM, Ruben Alvarez <Ruben.Alvarez at nwea.org> wrote:
>
>> Thanks. That sort of worked. I was doing a 'no access-list 10' before I
>> added the new list. But this time I reordered them and it worked. So I
>> added the remark, added .154, then added .151. Weird.
>>

Have a look at this... it optimizes your wrong line numbering too:

switch#show ver | in IOS
Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500-IPBASEK9-M),
Version 12.2(50)SG, RELEASE SOFTWARE (fc4)
switch#show access-list 40
switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)#access-list 40 permit 192.168.2.10
switch(config)#access-list 40 deny 192.168.2.0 0.0.0.255
switch(config)#^Z
switch#show access-list 40
Standard IP access list 40
10 permit 192.168.2.10
20 deny 192.168.2.0, wildcard bits 0.0.0.255
switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)#ip access
switch(config)#ip access-list st
switch(config)#ip access-list standard 40
switch(config-std-nacl)#15 permit 192.168.2.9
switch(config-std-nacl)#^Z
switch#show access-list 40
Standard IP access list 40
10 permit 192.168.2.10
15 permit 192.168.2.9
20 deny 192.168.2.0, wildcard bits 0.0.0.255
switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)#ip access
switch(config)#ip access-list st
switch(config)#ip access-list standard 40
switch(config-std-nacl)#25 permit 192.168.2.99
switch(config-std-nacl)#^Z
switch#show access-list 40
Standard IP access list 40
25 permit 192.168.2.99
10 permit 192.168.2.10
15 permit 192.168.2.9
20 deny 192.168.2.0, wildcard bits 0.0.0.255
switch#show run | in list 40
access-list 40 permit 192.168.2.99
access-list 40 permit 192.168.2.10
access-list 40 permit 192.168.2.9
access-list 40 deny 192.168.2.0 0.0.0.255

Regards,
John
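
An audit check for the reordering shown in the session above, as an added example that is not part of the original post: it parses `show access-list` output for a standard ACL and reports every entry address whose first-match verdict in the displayed order differs from the verdict the sequence numbers imply. The function names are hypothetical, and only each entry's own address is tested.

```python
import ipaddress
import re

# Copied from the session above: ACL 40 after entry 25 was added.
SHOW_ACL = """\
Standard IP access list 40
25 permit 192.168.2.99
10 permit 192.168.2.10
15 permit 192.168.2.9
20 deny 192.168.2.0, wildcard bits 0.0.0.255
"""

ENTRY = re.compile(
    r"^\s*(\d+)\s+(permit|deny)\s+(any|[\d.]+)(?:,\s*wildcard bits\s+([\d.]+))?")

def parse(text):
    """Return (seq, action, address, wildcard) tuples in displayed order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            seq, action, addr, wild = m.groups()
            if addr == "any":
                addr, wild = "0.0.0.0", "255.255.255.255"
            entries.append((int(seq), action, int(ipaddress.IPv4Address(addr)),
                            int(ipaddress.IPv4Address(wild or "0.0.0.0"))))
    return entries

def first_match(entries, ip):
    """Action of the first entry covering ip; implicit deny if none does."""
    for _, action, addr, wild in entries:
        if (ip | wild) == (addr | wild):
            return action
    return "deny"

def order_conflicts(text):
    """Addresses whose verdict differs between displayed and sequence order."""
    shown = parse(text)
    by_seq = sorted(shown)  # the order the sequence numbers suggest
    conflicts = []
    for _, _, addr, _ in shown:
        a, b = first_match(shown, addr), first_match(by_seq, addr)
        if a != b:
            conflicts.append((str(ipaddress.IPv4Address(addr)), a, b))
    return conflicts

if __name__ == "__main__":
    for ip, shown, numbered in order_conflicts(SHOW_ACL):
        print(f"{ip}: {shown} in displayed order, {numbered} by sequence number")
```
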