
Yet another Access List question I'm afraid


techkiwi (Technical User, NZ), Jun 19, 2002
I'm playing about with standard access lists at the moment and would like to clarify something.

I was always taught that when you enter a new permit or deny statement it was added to the end of the access list. Yet if I enter the following lines in this order

config t
access-list 5 permit 192.168.20.32 0.0.0.3
access-list 5 deny host 192.168.20.33
exit

config t
int fastEthernet 0
ip access-group 5 in
exit


then do a show run, they are listed the other way around:


access-list 5 deny 192.168.20.33
access-list 5 permit 192.168.20.32 0.0.0.3


I then add another statement:

access-list 5 deny host 192.168.20.34

and the show run output now is:


access-list 5 deny 192.168.20.33
access-list 5 deny 192.168.20.34
access-list 5 permit 192.168.20.32 0.0.0.3


So it seems that the deny statements are getting grouped together, then the permit statements.

Does this sound normal?

And yes I realise that the way I added them is incorrect, and the way the show run lists the commands is actually correct. Is the router being smart and correcting my input?!
 
It is unclear from your information if this is a new ACL or an existing one. Whenever you modify an ACL, you will have to replace the complete list. Just copy to a notepad, add new permit/deny statements and paste back into the router.
Connie
 
Techkiwi -

I verified your results on my lab router and you are correct. The access list you created is a "standard" access list. I created an "extended" access list and it kept the statements in the order I entered them. It appears that standard and extended access lists do not behave the same. I'll have to do some research on this and find out why, unless someone else knows the answer.
 
luvcisco, it's a new access list. Yes I realise that when you make any changes to an access list you're meant to erase it and start over. In this case I just used a simple example (with one permit and one deny) to make it easy.

bell1996, thanks for confirming that - wanted to make sure I wasn't going crazy! It just seems different from what I've been taught - it's always been hammered into me that each statement in an access list gets added onto the bottom.
 
Not with standard access lists.

I believe they always handle the deny statements first.

I will check.
 
Ok here's what I found out:

1. The DENY statement is added to the end of the access-list if you're denying a SUBNET.
2. The DENY statement is added to the beginning of the access list if you're denying a HOST.

Which makes sense. If you're going to deny a host you'd want that to be ahead of any deny/permit subnet statements.

Let's say that your PERMIT statement of 192.168.20.0 0.0.0.255 (permit this subnet) is put before the DENY statement of 192.168.20.33 0.0.0.0 (deny this host). Well, the DENY would never be executed, due to the fact that the PERMIT statement includes the host 192.168.20.33.

I hope this clears things.

I put this in the lab to verify and it works as explained above.
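The shadowing described in the post above is the security-relevant point: a standard ACL is evaluated top-down, the first matching entry wins, and an implicit deny sits at the end, so a host deny placed after a permit that already covers that host is dead code. The following is an added example, not code from the thread or from Cisco: a small Python model of that first-match evaluation (using wildcard masks, where a 1 bit means "don't care") run over the exact entries techkiwi typed, in both the order they were entered and the order show run displayed them. The shadow check only flags an entry that is fully covered by a single earlier entry; that is an assumed simplification sufficient for this thread, not how IOS itself validates an ACL.

```python
import ipaddress

# Constructed input: the two entries from the thread, in the order they were typed
# and in the order "show run" displayed them.
ENTERED_ORDER = [
    "access-list 5 permit 192.168.20.32 0.0.0.3",
    "access-list 5 deny host 192.168.20.33",
]
DISPLAYED_ORDER = [
    "access-list 5 deny 192.168.20.33",
    "access-list 5 permit 192.168.20.32 0.0.0.3",
]


def parse_entry(line):
    """Return (action, address_int, wildcard_int) for a standard ACL line.

    Accepts "permit|deny host A", "permit|deny any", "permit|deny A W" and the
    bare "permit|deny A" form that show run prints for a host (wildcard 0.0.0.0).
    """
    tokens = line.split()
    idx = next(i for i, t in enumerate(tokens) if t in ("permit", "deny"))
    action, rest = tokens[idx], tokens[idx + 1:]
    if rest[0] == "host":
        addr, wildcard = rest[1], "0.0.0.0"
    elif rest[0] == "any":
        addr, wildcard = "0.0.0.0", "255.255.255.255"
    else:
        addr = rest[0]
        wildcard = rest[1] if len(rest) > 1 else "0.0.0.0"
    return action, int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wildcard))


def matches(src, addr, wildcard):
    """Cisco wildcard match: compare only the bits the wildcard does NOT ignore."""
    care = ~wildcard & 0xFFFFFFFF
    return (src & care) == (addr & care)


def evaluate(acl_lines, src_ip):
    """First-match evaluation with the implicit deny at the end of every IOS ACL."""
    src = int(ipaddress.IPv4Address(src_ip))
    for line in acl_lines:
        action, addr, wildcard = parse_entry(line)
        if matches(src, addr, wildcard):
            return action
    return "deny"


def shadowed_entries(acl_lines):
    """Indexes of entries that can never fire because one earlier entry covers them.

    Entry B is covered by earlier entry A when A ignores every bit B ignores
    and both agree on all the bits A cares about.
    """
    parsed = [parse_entry(line) for line in acl_lines]
    shadowed = []
    for b, (_, addr_b, wc_b) in enumerate(parsed):
        for _, addr_a, wc_a in parsed[:b]:
            care_a = ~wc_a & 0xFFFFFFFF
            if (wc_a | wc_b) == wc_a and (addr_a & care_a) == (addr_b & care_a):
                shadowed.append(b)
                break
    return shadowed


if __name__ == "__main__":
    for label, acl in (("entered", ENTERED_ORDER), ("displayed", DISPLAYED_ORDER)):
        print(label, "192.168.20.33 ->", evaluate(acl, "192.168.20.33"),
              "| shadowed entries:", shadowed_entries(acl))
```

In the entered order the host deny is index 1 and is reported as shadowed, and 192.168.20.33 is permitted; in the displayed order nothing is shadowed and the host is denied while 192.168.20.34 still passes. Whatever IOS is doing when it reorders the standard list, the lesson for anyone writing ACLs on platforms that do not reorder (extended lists, named lists, other vendors) is to run a check like this before applying the list to an interface.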
 
Yup, makes perfect sense. It just confused me a little because, as I said, I was always taught that whenever you enter any new statement it was added to the end of the access list. But as you say, you should deny hosts before permitting subnets.

So it seems that the IOS will in some ways protect you from making silly mistakes. Guess I just wanted someone to confirm that I wasn't going crazy!

Thanks everyone.
 