Re: ip access-list vs. access-list

From: Godswill Oletu (oletu@inbox.lv)
Date: Mon May 22 2006 - 15:33:43 ART


Yes, there are tons of differences between them. No, the difference is not
the editing/lack thereof of one. You can edit 'access-list statements' as
much as you can edit the 'ip access-list statements'.

The access-list statements are a subset of the ip access-list statements,
e.g.
!
access-list 10 permit 10.1.1.1
access-list 10 permit 20.1.1.1
access-list 10 permit 30.1.1.1
access-list 10 permit 40.1.1.1
!
R3640-R1#sh access-lists
Standard IP access list 10
    10 permit 10.1.1.1
    20 permit 20.1.1.1
    30 permit 30.1.1.1
    40 permit 40.1.1.1
R3640-R1#

You see that my access-list has been numbered for me; if I want to edit it
and remove line 20, all I need to do is:
!
ip access-list standard 10
no 20
!
R3640-R1#sh access-lists
Standard IP access list 10
    10 permit 10.1.1.1
    30 permit 30.1.1.1
    40 permit 40.1.1.1
R3640-R1#

Access list line 20 is gone! You can use the 'ip access-list resequence'
command to rearrange the numbering.

R3640-R1#show run | beg access-list
access-list 10 permit 10.1.1.1
access-list 10 permit 30.1.1.1
access-list 10 permit 40.1.1.1

I am still using the access-list statements and not the ip access-list
equivalent.

Now, what are the differences? There are tons of differences between both
when you come to the extended access list. The 'ip access-list extended
<name>' has more filtering features and abilities than its 'access-list
<100-199> or <2000-2699>' counterparts.

eg:

R3640-R1(config)#ip access-list extended so-kool
R3640-R1(config-ext-nacl)#permit tcp any any ?
  ack Match on the ACK bit
  dscp Match packets with given dscp value
  eq Match only packets on a given port number
  established Match established connections
  fin Match on the FIN bit
  fragments Check non-initial fragments
  gt Match only packets with a greater port number
  log Log matches against this entry
  log-input Log matches against this entry, including input interface
  lt Match only packets with a lower port number
  match-all Match if all specified flags are present
  match-any Match if any specified flag is present
  neq Match only packets not on a given port number
  option Match packets with given IP Options value
  precedence Match packets with given precedence value
  psh Match on the PSH bit
  range Match only packets in the range of port numbers
  reflect Create reflexive access list entry
  rst Match on the RST bit
  syn Match on the SYN bit
  time-range Specify a time-range
  tos Match packets with given TOS value
  urg Match on the URG bit
  <cr>

You notice all that kool stuff like 'match-all, match-any, option,
reflect'.

R3640-R1(config)#access-list 110 permit tcp any any ?
  ack Match on the ACK bit
  dscp Match packets with given dscp value
  eq Match only packets on a given port number
  established Match established connections
  fin Match on the FIN bit
  fragments Check non-initial fragments
  gt Match only packets with a greater port number
  log Log matches against this entry
  log-input Log matches against this entry, including input interface
  lt Match only packets with a lower port number
  neq Match only packets not on a given port number
  precedence Match packets with given precedence value
  psh Match on the PSH bit
  range Match only packets in the range of port numbers
  rst Match on the RST bit
  syn Match on the SYN bit
  time-range Specify a time-range
  tos Match packets with given TOS value
  urg Match on the URG bit
  <cr>

R3640-R1(config)#access-list 110 permit tcp any any

You see that those kool features are missing here...

HTH
Godswill Oletu
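An added example, not from Godswill's post or from Cisco's documentation, that puts the two points above (in-place editing by sequence number, and the extra extended-ACL keywords) together in one constructed IOS configuration; the ACL names, sequence numbers, addresses and interface are made up for illustration.

```cisco
! Constructed example: a named extended ACL using keywords that the
! numbered 'access-list 100-199' form does not offer.
ip access-list extended so-kool-v2
 ! entries get sequence numbers 10, 20, 30, 40 automatically
 permit tcp any any established
 deny   tcp any any match-all +syn +fin
 permit tcp any host 10.1.1.1 eq 22 log-input
 deny   ip any any log
!
! Edit in place: insert a new entry between 10 and 20 by giving it
! sequence 15, and remove the SSH entry by its sequence number (30).
ip access-list extended so-kool-v2
 15 permit udp any host 10.1.1.1 eq 53
 no 30
!
! Renumber the remaining entries back to 10, 20, 30 ... in steps of 10.
ip access-list resequence so-kool-v2 10 10
!
! 'reflect' and 'evaluate' build a reflexive ACL: outbound TCP sessions
! create temporary return entries that the inbound list evaluates, so
! only replies to sessions opened from inside are permitted back in.
ip access-list extended outbound-filter
 permit tcp any any reflect tcp-return timeout 300
ip access-list extended inbound-filter
 evaluate tcp-return
 deny   ip any any log
!
interface Serial0/0
 ip access-group outbound-filter out
 ip access-group inbound-filter in
```

The 'log' and 'log-input' keywords exist in both forms, so denied traffic can be accounted for either way; 'match-all', 'reflect' and 'evaluate' are only available through the named 'ip access-list extended' form.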

----- Original Message -----
From: "Jai Prakash" <jpjsr06@gmail.com>
To: "Tony Paterra" <apaterra@gmail.com>
Cc: "GroupStudy CCIE" <ccielab@groupstudy.com>
Sent: Monday, May 22, 2006 1:38 PM
Subject: Re: ip access-list vs. access-list

> Hi Tony,
>
> Yes you are right. Administrating the access-list with the "ip access-list"
> command is easier and friendlier compared to "access-list". If you want to
> remove any statement from an access-list, you can do it easily by removing
> the specific statement in the case of "ip access-list". But the same activity
> with "access-list" is a bit difficult, i.e. to remove any specific statement
> from the list, you have to remove all access-list statements and add all
> of them again except that specific statement. When applying this method,
> you have to take precautions.
>
> The "ip access-list" command in routers and switches works the same way as
> access-list works in a firewall environment.
>
> Best Regards,
> Jai
>
>
> On 5/22/06, Tony Paterra <apaterra@gmail.com> wrote:
> >
> > Is there any real difference between these two commands? All I'm
> > seeing is that "ip access-list" offers a friendlier interface when it
> > comes to editing/sequencing... I can't find any docs to say anything
> > much more than that.
> >
> > Thanks in advance,
> > Tony Paterra
> > apaterra@gmail.com
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>



This archive was generated by hypermail 2.1.4 : Thu Jun 01 2006 - 06:33:22 ART