ACL order...

Daniel333 Posts: 2,077 Member
Hey, why is it that we want to keep more specific entries at the top of an ACL? I can't figure out a reason. Seems to me we would want the more general at the top...
-Daniel

Comments

  • Bl8ckr0uter Posts: 5,031 Inactive Imported Users
    Daniel333 wrote: »
    Hey, why is it that we want to keep more specific entries at the top of an ACL? I can't figure out a reason. Seems to me we would want the more general at the top...

    Because the ACLs are read in order and compared in order. Plus, since it is very router intensive, you want to get the packet action that you want as quickly as possible.
  • dynamik Posts: 12,314 Banned
    Plus, doesn't the first match get applied? If you're matching on the more general ones, you'll never get to the more specific ones.
  • captobvious Posts: 648 Member
    dynamik wrote: »
    Plus, doesn't the first match get applied? If you're matching on the more general ones, you'll never get to the more specific ones.
    +1, takes me back to the old BASIC days. Heck, with number sequencing it almost looks like a BASIC program. You have to think top-down when applying ACLs.
  • phoeneous Go ping yourself... Posts: 2,333 Member
    Daniel333 wrote: »
    Hey, why is it that we want to keep more specific entries at the top of an ACL? I can't figure out a reason. Seems to me we would want the more general at the top...

    Think of it as a first match checklist. Are you this IP, using this protocol, on this port, going to this destination? Then deny everything else.
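The first-match behaviour dynamik and phoeneous describe, as an added example that is not code from the thread: a small evaluator walks an ACL top-down and stops at the first hit, and a shadowing check flags any rule that an earlier, broader rule makes unreachable. The permit/deny, protocol, source, destination, port layout loosely follows router ACL conventions, and the rules and packets are constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches any protocol, else e.g. "tcp"
    src: str                    # CIDR; "0.0.0.0/0" plays the role of "any"
    dst: str
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, proto, src, dst, dport):
        return ((self.proto == "ip" or self.proto == proto)
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport))

    def covers(self, other):
        """True if every packet matching `other` also matches this rule."""
        return ((self.proto == "ip" or self.proto == other.proto)
                and ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and (self.dport is None or self.dport == other.dport))

def evaluate(acl, proto, src, dst, dport=None):
    """First match wins; anything unmatched hits the implicit deny at the end."""
    for line, rule in enumerate(acl, start=1):
        if rule.matches(proto, src, dst, dport):
            return rule.action, line
    return "deny", None            # implicit deny has no line number

def shadowed(acl):
    """1-based line numbers of rules no packet can reach, because an
    earlier line already covers everything they would match."""
    return [j for j, later in enumerate(acl, start=1)
            if any(earlier.covers(later) for earlier in acl[:j - 1])]

# Constructed sample: a broad permit placed above a narrow deny.
GENERAL_FIRST = [
    Rule("permit", "ip", "10.1.0.0/16", "0.0.0.0/0"),
    Rule("deny", "tcp", "10.1.1.5/32", "0.0.0.0/0", 23),
]
SPECIFIC_FIRST = list(reversed(GENERAL_FIRST))   # the intended order

if __name__ == "__main__":
    print(evaluate(GENERAL_FIRST, "tcp", "10.1.1.5", "192.0.2.10", 23))   # ('permit', 1)
    print(evaluate(SPECIFIC_FIRST, "tcp", "10.1.1.5", "192.0.2.10", 23))  # ('deny', 1)
    print(shadowed(GENERAL_FIRST), shadowed(SPECIFIC_FIRST))              # [2] []
```

Running `shadowed()` over a real list before applying it is a cheap way to catch exactly the ordering mistake asked about in the thread: a line it reports can never take effect.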