[c-nsp] issue with basic access-list reordering
Saku Ytti
saku at ytti.fi
Sat Jul 10 05:42:49 EDT 2010
On (2010-07-08 11:25 +0300), John Kougoulos wrote:
> switch#show access-list 40
> Standard IP access list 40
> 10 permit 192.168.2.10
> 15 permit 192.168.2.9
> 20 deny 192.168.2.0, wildcard bits 0.0.0.255
> switch(config-std-nacl)#25 permit 192.168.2.99
> Standard IP access list 40
> 25 permit 192.168.2.99
> 10 permit 192.168.2.10
> 15 permit 192.168.2.9
> 20 deny 192.168.2.0, wildcard bits 0.0.0.255
This is documented[0], quite surprising though.
Consider even this:
xyzzy(config)#ip access-list standard CATURDAY
xyzzy(config-std-nacl)#permit host 1.2.3.4
xyzzy(config-std-nacl)#deny any
xyzzy(config-std-nacl)#permit host 42.42.42.42
Will '42.42.42.42' be allowed by this ACL? Yes, because standard ACLs are
ordered by descending order of IP addresses, not by SEQ numbers.
Luckily new IOS like 12.2SRD and 12.4(24)T will complain about the above scenario and
won't allow you to add 42.42.42.42. I would still recommend using solely
extended ACLs if at all possible.
[0] http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#ts
(few lines above the anchor)
--
++ytti
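Added example (not part of the thread, not Cisco code): a small Python model of the reordering described above. It assumes the rule the post states, that host entries are placed first in descending address order and the wildcard/"any" entries follow in sequence order; real IOS behaviour may differ in detail. It evaluates a standard ACL both in configured sequence order and in that reordered form, and flags host entries that end up above an earlier, broader entry of the opposite action, which is the check the newer IOS releases mentioned above perform at configuration time. The ACL lines are taken from the two examples in the thread.

```python
"""Model of standard-ACL reordering as described in the cisco-nsp post.

Added example, not Cisco code. Assumes: host entries are ordered first by
descending address, non-host entries follow in sequence order (the rule the
post describes); the real IOS implementation may differ.
"""
import ipaddress

# Constructed from the post's 'show access-list 40' output plus the line added afterwards.
ACL_40 = [
    "10 permit 192.168.2.10",
    "15 permit 192.168.2.9",
    "20 deny 192.168.2.0, wildcard bits 0.0.0.255",
    "25 permit 192.168.2.99",
]

# Constructed from the CATURDAY example; sequence numbers 10/20/30 are assigned by order.
CATURDAY = [
    "permit host 1.2.3.4",
    "deny any",
    "permit host 42.42.42.42",
]


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def parse_standard_acl(lines):
    """Parse 'seq action src [wildcard]' lines in config or 'show access-list' form."""
    entries = []
    for n, line in enumerate(lines, start=1):
        tok = [t for t in line.replace(",", " ").split() if t not in ("wildcard", "bits")]
        seq = int(tok.pop(0)) if tok and tok[0].isdigit() else n * 10
        action, src = tok[0], tok[1]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in {line!r}")
        if src == "any":
            addr, wild = 0, 0xFFFFFFFF
        elif src == "host":
            addr, wild = _ip(tok[2]), 0
        else:
            addr = _ip(src)
            wild = _ip(tok[2]) if len(tok) > 2 else 0
        entries.append({"seq": seq, "action": action, "addr": addr, "wild": wild})
    return entries


def _matches(entry, ip):
    care = ~entry["wild"] & 0xFFFFFFFF  # bits the entry actually compares
    return (ip & care) == (entry["addr"] & care)


def seq_order(entries):
    """Order the operator expects: by sequence number."""
    return sorted(entries, key=lambda e: e["seq"])


def ios_order(entries):
    """Order the post describes: host entries by descending address, then the rest."""
    hosts = sorted((e for e in entries if e["wild"] == 0), key=lambda e: -e["addr"])
    others = sorted((e for e in entries if e["wild"] != 0), key=lambda e: e["seq"])
    return hosts + others


def evaluate(ordered, ip_text):
    """First-match evaluation with the implicit deny at the end of every ACL."""
    ip = _ip(ip_text)
    for e in ordered:
        if _matches(e, ip):
            return e["action"]
    return "deny"


def reordering_hazards(entries):
    """(host_seq, earlier_seq) pairs where a host entry gets lifted above an
    earlier, broader entry of the opposite action, changing the verdict."""
    hazards = []
    for h in (e for e in entries if e["wild"] == 0):
        for e in entries:
            if (e["wild"] != 0 and e["seq"] < h["seq"]
                    and e["action"] != h["action"] and _matches(e, h["addr"])):
                hazards.append((h["seq"], e["seq"]))
    return hazards


if __name__ == "__main__":
    for name, lines in (("40", ACL_40), ("CATURDAY", CATURDAY)):
        acl = parse_standard_acl(lines)
        print(name, "effective order:", [e["seq"] for e in ios_order(acl)],
              "hazards:", reordering_hazards(acl))
```

Running it reproduces the thread: ACL 40 comes out as 25, 10, 15, 20, and in CATURDAY 42.42.42.42 is permitted under the reordered list but denied under sequence order, which is exactly the pair the hazard check reports.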