Like everything else, it depends.
For short lists, it doesn't make all that much difference.
For complex lists, I agree that most specific first is far easier to
understand and troubleshoot.
Performance problems with access lists are more likely to be
associated with the fact that an access list is there (i.e., forcing
traffic into a slower switching path) than to be caused by the total
number of rules. The number of rules was more of a concern in early
IOS releases where almost everything was process switched.
The most complex access lists will usually be machine-generated, so
they can be tuned for performance. You'll see some extreme cases in
carriers; I know of a tier 1 ISP that has to restore its
configuration from TFTP, not NVRAM, because NVRAM doesn't hold the
8000-plus access list rules they use.
>the rule of the game for access-list is first specify
>the more specific then go on to the general
>--- Minh Vu <[EMAIL PROTECTED]> wrote:
>> I agreed with Chuck.
>>
>> If your first line in the ACL is "deny ip host 0.0.0.0
>> any", it seems to me it will
>> deny all IP regardless of whether you put a permit ip after it.
>> (Off the top of my head, the router
>> will go top down, i.e. check the 1st ACL line, and if no
>> match go to the 2nd
>> line, and if no match go to the 3rd line... and so
>> on.) In this case you
>> put the deny any host on your 1st ACL line, so it matches
>> and therefore drops
>> the packet without going to the next line.
>>
>>
>> > >ip access-list extended FrameInbound
>> > >deny ip host 0.0.0.0 any
>> > >permit ip 192.168.50.0 0.0.0.255 192.168.5.0
>> 0.0.0.255
>> > >
>>
>>
>>
>> ----- Original Message -----
>> From: "Chuck Larrieu" <[EMAIL PROTECTED]>
>> To: <[EMAIL PROTECTED]>
>> Sent: Friday, December 22, 2000 1:30 PM
>> Subject: RE: Access List/EIGRP Problem
>>
>>
>> > This topic brings up some of the subtleties with
>> regards to access lists.
>> > Now that I am looking into more complex
>> interactions among protocols and
>> > services, I am finding that just about any time I
>> have to engage
>> > access-lists I have to begin thinking in far
>> broader terms than I am used
>> > to. And certainly in far broader terms than
>> several of the well known
>> > introductory and CCNA level books suggest.
>> >
>> > There is nothing like applying a standard access
>> list to an interface,
>> then
>> > a few minutes later seeing your routes disappear!
>> >
>> > Some of the more advanced texts suggest
>> constructing access-lists such
>> that
>> > most specific items appear first, and then filter
>> down to least specific.
>> > Others may suggest that one put the most likely
>> to be used things at the
>> > top of the list and work down.
>> >
>> > I'm getting to the point where I have to remember
>> to put routing protocol
>> > items at the top of my lists.
>> >
>> > I guess what I'm getting to in my rambling way is
>> that access-list
>> > construction and placement is probably more of an
>> art than a science. One
>> > must always consider what one is doing, and why.
>> One must always consider
>> > the law of unintended consequences.
>> >
>> > Happy holidays!
>> >
>> > Chuck
_________________________________
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
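The following is an added illustration of the first-match behaviour the thread argues about, not code from any of the posts. It walks the FrameInbound list quoted above exactly the way IOS does (top down, first match wins, implicit "deny ip any any" at the end) and shows two things: "deny ip host 0.0.0.0 any" matches only packets whose source address is 0.0.0.0, so it does not swallow the permit below it, and an EIGRP hello (IP protocol 88 to 224.0.0.10) from the Frame Relay neighbour matches nothing and falls through to the implicit deny, which is how an inbound filter makes routes disappear. The second list adds the routing-protocol permit at the top, as Chuck suggests. The host addresses in SAMPLE_PACKETS and the function names are assumptions made for this example; the IOS syntax subset parsed is permit/deny, a protocol keyword, and host/any/wildcard address specs.

```python
"""
First-match walk through a Cisco IOS extended access list, added to
illustrate the ordering discussion in the thread; not code from any of
the posts. Parses a small subset of IOS syntax (permit/deny, protocol
keyword, 'host A.B.C.D' / 'any' / 'A.B.C.D WILDCARD' for source and
destination), evaluates entries top down and applies the implicit
'deny ip any any' when nothing matches. Host addresses in SAMPLE_PACKETS
are constructed; the FrameInbound list is the one quoted in the thread.
"""
import ipaddress

# Protocol keywords this simulator understands; 'ip' matches every protocol.
PROTO_NUMBERS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "eigrp": 88}

ALL_ONES = 0xFFFFFFFF

# The access list quoted in the thread.
FRAME_INBOUND = """
ip access-list extended FrameInbound
 deny ip host 0.0.0.0 any
 permit ip 192.168.50.0 0.0.0.255 192.168.5.0 0.0.0.255
"""

# Same list with the routing-protocol entry placed first, as Chuck suggests
# (EIGRP hellos are IP protocol 88 sent to 224.0.0.10).
FRAME_INBOUND_FIXED = """
ip access-list extended FrameInbound
 permit eigrp any host 224.0.0.10
 deny ip host 0.0.0.0 any
 permit ip 192.168.50.0 0.0.0.255 192.168.5.0 0.0.0.255
"""

# Constructed sample traffic: (ip protocol, source, destination).
SAMPLE_PACKETS = [
    (88, "192.168.50.1", "224.0.0.10"),    # EIGRP hello from the Frame Relay neighbour
    (6, "192.168.50.10", "192.168.5.20"),  # ordinary TCP traffic between the two LANs
    (1, "0.0.0.0", "192.168.5.1"),         # ICMP with an unspecified source address
]


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def _parse_addr(tokens, i):
    """Consume one address spec at tokens[i]; return ((address, wildcard), next index)."""
    tok = tokens[i]
    if tok == "any":
        return (0, ALL_ONES), i + 1
    if tok == "host":
        return (_to_int(tokens[i + 1]), 0), i + 2
    # 'A.B.C.D WILDCARD': a 1 bit in the wildcard means "don't care" for that bit.
    return (_to_int(tok), _to_int(tokens[i + 1])), i + 2


def parse_acl(text):
    """Turn the permit/deny lines of an extended ACL into a list of entries."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue  # the 'ip access-list extended NAME' header carries no entry
        src, i = _parse_addr(tokens, 2)
        dst, _ = _parse_addr(tokens, i)
        entries.append({"action": tokens[0], "proto": PROTO_NUMBERS[tokens[1]],
                        "src": src, "dst": dst, "line": " ".join(tokens)})
    return entries


def _addr_matches(spec, dotted):
    address, wildcard = spec
    care = ~wildcard & ALL_ONES          # bits the entry actually compares
    return (_to_int(dotted) & care) == (address & care)


def evaluate(entries, proto, src, dst):
    """Return (action, matching line). First match wins; no match hits the implicit deny."""
    for entry in entries:
        if entry["proto"] is not None and entry["proto"] != proto:
            continue
        if _addr_matches(entry["src"], src) and _addr_matches(entry["dst"], dst):
            return entry["action"], entry["line"]
    return "deny", "<implicit deny ip any any>"


def decisions(acl_text, packets):
    """Evaluate each (proto, src, dst) against the ACL text; return the list of actions."""
    entries = parse_acl(acl_text)
    return [evaluate(entries, *packet)[0] for packet in packets]


if __name__ == "__main__":
    for name, acl in (("as posted", FRAME_INBOUND), ("eigrp first", FRAME_INBOUND_FIXED)):
        entries = parse_acl(acl)
        print(f"FrameInbound ({name}):")
        for packet in SAMPLE_PACKETS:
            action, line = evaluate(entries, *packet)
            print(f"  proto {packet[0]:>2} {packet[1]:>13} -> {packet[2]:<13} {action:<6} via {line}")
```

Run stand-alone, the first list permits the LAN-to-LAN TCP packet (the deny on line 1 never matched it) but drops the EIGRP hello on the implicit deny; the second list permits the hello. In this particular list the EIGRP permit would match in any position, because the deny line only hits a source of 0.0.0.0, but putting routing-protocol entries first keeps them from being shadowed later by a broader deny someone adds above them, which is the "most specific first" habit the thread recommends.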