Cisco IOS applies internal logic to standard ACLs. As discussed previously, part of this logic prevents a host statement from being configured after a range statement if the host is a member of that range, as shown in Figure 1.
Another part of the IOS internal logic involves the internal sequencing of standard ACEs. Figure 2 shows the configuration of a standard access list. Range statements that deny three networks are configured first followed by five host statements. The host statements are all valid statements because their host IP addresses are not part of the previously entered range statements.
The show running-config command is used to verify the ACL configuration. Notice that the statements are listed in a different order than they were entered. We will use the show access-lists command to understand the logic behind this.
As shown in Figure 3, the show access-lists command displays ACEs along with their sequence numbers. We might expect the order of the statements in the output to reflect the order in which they were entered. However, the show access-lists output shows that this is not the case.
The order in which the standard ACEs are listed is the sequence used by the IOS to process the list. Notice that the statements are grouped into two sections, host statements followed by range statements. The sequence number indicates the order that the statement was entered, not the order the statement will be processed.
The host statements are listed first, but not necessarily in the order in which they were entered. The IOS orders host statements using a special hashing function. The resulting order optimizes the search for a host ACL entry.
The range statements are displayed after the host statements. These statements are listed in the order in which they were entered.
Recall that standard and numbered ACLs can be edited using sequence numbers. The sequence number shown in the show access-lists command output is the number used when deleting an individual statement from the list. When inserting a new ACL statement, the sequence number only affects the location of a range statement in the list. Host statements will always be put in order using the hashing function.
Continuing with the example, after saving the running configuration the router is reloaded (rebooted). As shown in Figure 3, the show access-lists command displays the ACL in the same order; however, the statements have been renumbered. The sequence numbers are now in numerical order.
Note: The hashing function is only applied to host statements in an IPv4 standard access list. The algorithm is not used for IPv4 extended ACLs or IPv6 ACLs. This is because extended and IPv6 ACLs filter on more than just a single source address. The details of the hashing function are beyond the scope of this course.
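The ordering rules above can be modelled to predict which ACE a given source address will hit and to reproduce the host-before-range display and the post-reload renumbering. The following Python model is an added example and not Cisco code: because the IOS hashing function is not disclosed, it orders host statements by a plain numeric sort as an assumed stand-in, and it assumes a renumbering step of 10 after reload. Wildcard masks are written the Cisco way (address followed by wildcard), and only contiguous masks are handled.

```python
import ipaddress
from types import SimpleNamespace

def parse_source(source):
    """'host A' or 'A WILDCARD' (Cisco wildcard mask) -> IPv4Network; a host is a /32."""
    parts = source.split()
    if parts[0] == "host":
        return ipaddress.IPv4Network(parts[1])
    addr, wild = parts
    w = int(ipaddress.IPv4Address(wild))
    if w & (w + 1):  # e.g. 0.0.255.0 is not a contiguous mask; not modelled here
        raise ValueError("non-contiguous wildcard mask")
    return ipaddress.IPv4Network((addr, 32 - w.bit_length()), strict=False)

class StandardAcl:
    """Model of the IOS standard-ACL ordering rules described in the text."""
    def __init__(self):
        self.hosts, self.ranges, self._next_seq = [], [], 10

    def add(self, action, source):
        net = parse_source(source)
        # seq records the order of entry, as show access-lists displays it before a reload
        ace = SimpleNamespace(action=action, network=net, seq=self._next_seq)
        if net.prefixlen == 32:
            # IOS rejects a host statement that falls inside a range entered earlier
            for r in self.ranges:
                if net.network_address in r.network:
                    raise ValueError(f"{net.network_address} is covered by {r.network}")
            self.hosts.append(ace)
            # ASSUMPTION: IOS orders hosts with an undisclosed hash; a numeric sort stands in
            self.hosts.sort(key=lambda a: int(a.network.network_address))
        else:
            self.ranges.append(ace)  # range statements keep their entry order
        self._next_seq += 10
        return ace

    def processing_order(self):
        return self.hosts + self.ranges  # hosts are always evaluated before ranges

    def reload(self):
        # After a reload IOS renumbers ACEs in processing order (step of 10 is assumed)
        for n, ace in enumerate(self.processing_order(), start=1):
            ace.seq = n * 10

    def match(self, src):
        # Action applied to a packet from src, ending with the implicit deny
        addr = ipaddress.IPv4Address(src)
        for ace in self.processing_order():
            if addr in ace.network:
                return ace.action
        return "deny"
```

Building an ACL with two deny ranges followed by three permit hosts, `processing_order()` lists the hosts first with their original entry sequence numbers out of order, and `reload()` renumbers them 10, 20, 30 and so on.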