ACL order...

Hey, why is it that we want to keep more specific entries at the top of an ACL? I can't figure out a reason. Seems to me we would want the more general at the top...

Find more posts tagged with

SAVE $250 on Your CISCO Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View CISCO Boot Camps

Comments

Bl8ckr0uter

Daniel333 wrote: »

Hey, why is it that we want to keep more specific entries at the top of an ACL? I can't figure out a reason. Seems to me we would want the more general at the top...

Because the acls are read in order and compared in order. Plus since it is very router intensive, you want to get the packet action that you want as quickly as possible.

dynamik

Plus, doesn't the first match get applied? If you're matching on the more general ones, you'll never get to the more specific ones.

captobvious

dynamik wrote: »

Plus, doesn't the first match get applied? If you're matching on the more general ones, you'll never get to the more specific ones.

+1 takes me back to the old Basic days. Heck with number sequencing, it almost looks like a basic program. You have to think top-down when applying acl's.