ACL order...

Daniel333Daniel333 Member Posts: 2,077 ■■■■■■□□□□
in CCNA Security
Hey, why is it that we want to keep more specific entries at the top of an ACL? I can't figure out a reason. Seems to me we would want the more general at the top...
-Daniel
· Share on FacebookShare on Twitter

Comments

  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    Daniel333 wrote: »
    Hey, why is it that we want to keep more specific entries at the top of an ACL? I can't figure out a reason. Seems to me we would want the more general at the top...

    Because the acls are read in order and compared in order. Plus since it is very router intensive, you want to get the packet action that you want as quickly as possible.
    · Share on FacebookShare on Twitter
  • dynamikdynamik Banned Posts: 12,312 ■■■■■■■■■□
    Plus, doesn't the first match get applied? If you're matching on the more general ones, you'll never get to the more specific ones.
    · Share on FacebookShare on Twitter
  • captobviouscaptobvious Member Posts: 648
    dynamik wrote: »
    Plus, doesn't the first match get applied? If you're matching on the more general ones, you'll never get to the more specific ones.
    +1 takes me back to the old Basic days. Heck with number sequencing, it almost looks like a basic program. You have to think top-down when applying acl's.
    WIP
    CCNA:S

    Don't be a dumper!
    · Share on FacebookShare on Twitter
  • phoeneousphoeneous Go ping yourself... Member Posts: 2,333 ■■■■■■■□□□
    Daniel333 wrote: »
    Hey, why is it that we want to keep more specific entries at the top of an ACL? I can't figure out a reason. Seems to me we would want the more general at the top...

    Think of it as a first match checklist. Are you this IP, using this protocol, on this port, going to this destination? Then deny everything else.
    · Share on FacebookShare on Twitter
Sign In or Register to comment.