How access lists are processed

I would like to know how access lists are processed.
For instance if there is one access list (Access-List 150)
Access-list 10 permit  any host  192.168.1.3
Acces-List 10 permit any any
Access-list 150 deny any host 192.168.1.5

are they processed one after the other, or if there is a match on the first one then the 2 on the bottom will be ignored?

Thanks

Asked by: jskfan

raysonlee commented:
yes, one after another.
once it's matched, the others will be ignored.
 
jeff_01 commented:
Absolutely, ACLs are processed in order from top to bottom until a match is found. Once a match is found, that rule is used and all further processing stops.

 
Ernie Beek commented:
Access-lists are processed top-down until a match occurs, then they exit the list.
So in this case, in ACL 10 you can just as well have just 'Access-List 10 permit any any'.
Also remember that at the end of an ACL there is always an implicit 'deny any any', so in the case of ACL 150 nothing is going through.
 
raysonlee commented:
In your example, the first one allows 192.168.1.3 to access any destination.
The second one has a spelling error, but it's supposed to allow any host to access any destination.
The third one denies any incoming traffic to 192.168.1.5.
That means the second one already allows all traffic and the third one won't be applied.
 
Don Johnston (Instructor) commented:
>Access-list 10 permit  any host  192.168.1.3
>Acces-List 10 permit any any
>Access-list 150 deny any host 192.168.1.5

>are they processed one after the other, or if there is a match on the first one then the >2 on the bottom will be ignored?

Neither. You have two separate access-lists. Since you can only have one access list per interface per direction, only one of these ACLs will be in force for a particular flow of traffic.

If you are using ACL 10 to test inbound traffic then the first statement is checked. If it matches, the packet is allowed and the second line is not checked.

If the first line doesn't match, then the second line is checked. That line WILL match (permit any).

If the second line didn't match (not that it could, but for the sake of clarity), then the packet would be denied by the implicit deny all. The third line would NOT be checked because it's a different ACL (150).

The other issue is that the syntax of your statements has errors.

They should be:

access-list 10 permit  host  192.168.1.3
access-list 10 permit any
access-list 150 deny ip any host 192.168.1.5
 
jskfan (Author) commented:

Are the following examples correct ?

Example 1
access-list 10 permit  any host  192.168.1.3
access-list 10 permit  any host  192.168.1.4
access-list 10 permit  any host  192.168.1.5
All 3 above will be checked and the implicit deny will be applied at the end.

Example2
access-list 10 permit  any any
access-list 10 permit  any host  192.168.1.5

The first ACL will be checked, the second will be ignored,
and the implicit deny will be applied at the end.

 
Ernie Beek commented:
Almost, with the second example the first line will always be a match so the rest will be ignored.

But you're getting good at it :)
 
Don Johnston (Instructor) commented:
The ACLs are inconsistent.

Standard ACLs can ONLY check the source address. When you enter this list, everything after the first "any" will be ignored.

So you will end up with a single statement of:

access-list 10 permit any

Your examples should read:

Example 1
access-list 10 permit  host  192.168.1.3
access-list 10 permit  host  192.168.1.4
access-list 10 permit  host  192.168.1.5

Example2
access-list 10 permit  any
access-list 10 permit  host  192.168.1.5
 
Ernie Beek commented:
And I am starting to forget the difference between standard and extended :-~
Thx donjohnston :)
 
jskfan (Author) commented:
Actually what I wanted to know is when you have one access-list but more than one statement, more than one line.
Is there any rule of thumb that says when you find the first match ignore the rest and when you should proceed to the next line??
 
Ernie Beek commented:
Well, that is the rule: an access list is processed top-down until there is a match, then that rule will be applied and the rest will be skipped.
 
jskfan (Author) commented:
But
for instance with the ACL below, even if there is a match on the first line, it will still proceed with the 2nd and 3rd lines
access-list 10 permit  any host  192.168.1.3
access-list 10 permit  any host  192.168.1.4
access-list 10 permit  any host  192.168.1.5
 
Ernie Beek commented:
No, it won't. After a match it's exit.

Or did you experience otherwise?
 
Don Johnston (Instructor) commented:
>But for instance with the ACL below, even if there is a match on the first line, it will still proceed with the 2nd and 3rd lines

No. Once a match occurs, there is no further processing of the ACL.

 
jskfan (Author) commented:
**So if you have hosts from different subnets that you want to permit, you will have to create separate access lists. In the example above the hosts are in the same subnet.

**Just for assurance, even when there is a match the implicit deny will still not be ignored. Correct?
 
Ernie Beek commented:
1: Not necessarily, you put an access list on an interface. If all those subnets are routed through that interface you can suffice with one ACL.
2: Yes it will, because there was already a match (so exit ACL). Only when there is no match in the list you created will the deny all kick in as a last resort: if nothing matches, deny/drop the packet.
 
jskfan (Author) commented:
I meant if I have this:
access-list 10 permit  any host  192.168.1.3
access-list 10 permit  any host  192.168.4.4
access-list 10 permit  any host  192.168.20.5

then if there is a match with the first line: access-list 10 permit  any host  192.168.1.3

should it ignore the other 2 beneath it?

 
Ernie Beek commented:
Yes, that is also a reason why you always have to think carefully when setting up an access list.
A rule of thumb is to start with the most granular and work your way down to the most global.
So first: hosts then subnets then networks and then 'any'.
 
jskfan (Author) commented:
How would you configure the access list in this case?
access-list 10 permit  any host  192.168.1.3
access-list 10 permit  any host  192.168.4.4
access-list 10 permit  any host  192.168.20.5

I believe you can create separate access lists [10, 20, 30]; that would make it simple.

 
Ernie Beek commented:
Well no. You can only apply one access list on an interface.

In this case it doesn't matter in what order you put them (granularity is the same, all permits), so I normally order them by IP (low number to high number) to give it some sort of logic. And it looks neater ;)
 
jskfan (Author) commented:
So putting them this way is correct?
access-list 10 permit  any host  192.168.1.3
access-list 10 permit  any host  192.168.4.4
access-list 10 permit  any host  192.168.20.5

 
Ernie Beek commented:
Almost, I forgot the difference between standard and extended access list again :-~
So a standard access list would be:

access-list 10 permit host  192.168.1.3
access-list 10 permit host  192.168.4.4
access-list 10 permit host  192.168.20.5

And an extended access list would be:

access-list 10 permit ip any host 192.168.1.3
access-list 10 permit ip any host 192.168.4.4
access-list 10 permit ip any host 192.168.20.5
 
jskfan (Author) commented:
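Don Johnston's first-match walk-through and Ernie Beek's standard versus extended lists can be checked with this small Python evaluator, an added example that is not from the thread and not Cisco IOS code: it applies first-match with the implicit deny, matches on source only for a standard list, and flags entries that an earlier line shadows (the pitfall in the asker's "Example 2"). `Entry`, `evaluate` and `shadowed` are names I made up; the ACL contents are the ones posted in the thread.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Entry:
    action: str        # "permit" or "deny"
    src: str           # "any", a host address, or a network in CIDR form
    dst: str = "any"   # only consulted for extended lists


def _matches(spec: str, addr: str) -> bool:
    """Does one address field of an entry match the packet address?"""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def evaluate(acl, src, dst=None, extended=False):
    """First-match lookup: returns (action, index) of the matching entry.

    A standard list only ever looks at the source. If nothing matches,
    the implicit deny at the end of every ACL applies: ('deny', None).
    """
    for i, e in enumerate(acl):
        if _matches(e.src, src) and (not extended or _matches(e.dst, dst)):
            return e.action, i
    return "deny", None


def _covers(spec_a: str, spec_b: str) -> bool:
    """True if every address spec_b matches is also matched by spec_a."""
    if spec_a == "any":
        return True
    if spec_b == "any":
        return False
    net_a = ipaddress.ip_network(spec_a, strict=False)
    net_b = ipaddress.ip_network(spec_b, strict=False)
    return net_b.subnet_of(net_a)


def shadowed(acl, extended=False):
    """Indices of entries that can never match because an earlier entry covers them."""
    return [i for i, e in enumerate(acl)
            if any(_covers(p.src, e.src) and (not extended or _covers(p.dst, e.dst))
                   for p in acl[:i])]


# Constructed from the thread: standard ACL 10 (source-only) and extended ACL 150.
ACL_10 = [Entry("permit", "192.168.1.3"), Entry("permit", "192.168.4.4"),
          Entry("permit", "192.168.20.5")]
ACL_150 = [Entry("deny", "any", "192.168.1.5"), Entry("permit", "any", "any")]
# The asker's "Example 2": a leading permit any makes the second line unreachable.
EXAMPLE_2 = [Entry("permit", "any"), Entry("permit", "192.168.1.5")]
```

Running `shadowed(EXAMPLE_2)` returns `[1]`, which is the reason Ernie Beek recommends listing hosts before subnets before `any`.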
Thank you Guys!