From: Jai Prakash (jpjsr06@gmail.com)
Date: Mon May 22 2006 - 16:01:19 ART
Hi Godswill,
Thanks for letting us know about such a big difference between these two statements. I was
not aware of this feature. The way to administer the access-list is
also helpful to operate.
What does the keyword "option" mean and in which scenario can it be used?
In which scenario can "match-all" and "match-any" be used?
Best Regards,
Jai
On 5/22/06, Godswill Oletu <oletu@inbox.lv> wrote:
>
> Yes, there are tons of differences between them. No, the difference is not
> the editing/lack thereof of one. You can edit 'access-list statements' as
> much as you can edit 'ip access-list statements'.
>
> The access-list statements are subsets of the ip access-list statement,
> e.g.
> !
> access-list 10 permit 10.1.1.1
> access-list 10 permit 20.1.1.1
> access-list 10 permit 30.1.1.1
> access-list 10 permit 40.1.1.1
> !
> R3640-R1#sh access-lists
> Standard IP access list 10
> 10 permit 10.1.1.1
> 20 permit 20.1.1.1
> 30 permit 30.1.1.1
> 40 permit 40.1.1.1
> R3640-R1#
>
> You see that my access-list has been numbered for me. If I want to edit it
> and remove line 20, all I need do is:
> !
> ip access-list standard 10
> no 20
> !
> R3640-R1#sh access-lists
> Standard IP access list 10
> 10 permit 10.1.1.1
> 30 permit 30.1.1.1
> 40 permit 40.1.1.1
> R3640-R1#
>
> Access list line 20 is gone! You can use the 'ip access-list resequence'
> command to rearrange the numbering.
>
> R3640-R1#show run | beg access-list
> access-list 10 permit 10.1.1.1
> access-list 10 permit 30.1.1.1
> access-list 10 permit 40.1.1.1
>
> I am still using the access-list statements and not the ip access-list
> equivalent.
>
> Now, what are the differences? There are tons of differences between both
> when you come to the extended access list. The 'ip access-list extended
> <name>' has more filtering features and abilities than its 'access-list
> <100-199> or <2000-2699>' counterparts.
>
> eg:
>
> R3640-R1(config)#ip access-list extended so-kool
> R3640-R1(config-ext-nacl)#permit tcp any any ?
> ack Match on the ACK bit
> dscp Match packets with given dscp value
> eq Match only packets on a given port number
> established Match established connections
> fin Match on the FIN bit
> fragments Check non-initial fragments
> gt Match only packets with a greater port number
> log Log matches against this entry
> log-input Log matches against this entry, including input interface
> lt Match only packets with a lower port number
> match-all Match if all specified flags are present
> match-any Match if any specified flag is present
> neq Match only packets not on a given port number
> option Match packets with given IP Options value
> precedence Match packets with given precedence value
> psh Match on the PSH bit
> range Match only packets in the range of port numbers
> reflect Create reflexive access list entry
> rst Match on the RST bit
> syn Match on the SYN bit
> time-range Specify a time-range
> tos Match packets with given TOS value
> urg Match on the URG bit
> <cr>
>
> You notice all that kool stuff like 'match-all, match-any, option, reflect'.
>
> R3640-R1(config)#access-list 110 permit tcp any any ?
> ack Match on the ACK bit
> dscp Match packets with given dscp value
> eq Match only packets on a given port number
> established Match established connections
> fin Match on the FIN bit
> fragments Check non-initial fragments
> gt Match only packets with a greater port number
> log Log matches against this entry
> log-input Log matches against this entry, including input interface
> lt Match only packets with a lower port number
> neq Match only packets not on a given port number
> precedence Match packets with given precedence value
> psh Match on the PSH bit
> range Match only packets in the range of port numbers
> rst Match on the RST bit
> syn Match on the SYN bit
> time-range Specify a time-range
> tos Match packets with given TOS value
> urg Match on the URG bit
> <cr>
>
> R3640-R1(config)#access-list 110 permit tcp any any
>
> You see that all that kool stuff and those features are missing here.....
>
> HTH
> Godswill Oletu
>
> ----- Original Message -----
> From: "Jai Prakash" <jpjsr06@gmail.com>
> To: "Tony Paterra" <apaterra@gmail.com>
> Cc: "GroupStudy CCIE" <ccielab@groupstudy.com>
> Sent: Monday, May 22, 2006 1:38 PM
> Subject: Re: ip access-list vs. access-list
>
>
> > Hi Tony,
> >
> > Yes, you are right. Administering the access-list with the "ip access-list"
> > command is easier and friendlier compared to "access-list". If you want to
> > remove any statement from an access-list, you can do it easily by removing the
> > specific statement in the case of "ip access-list". But the same activity with
> > "access-list" is a bit difficult, i.e. to remove any specific statement from
> > the list, you have to remove all access-list statements and add all again except
> > that specific statement. By applying this method, you have to take
> > precaution.
> >
> > The "ip access-list" command in routers and switches works the same way
> > access-lists work in a firewall environment.
> >
> > Best Regards,
> > Jai
> >
> >
> > On 5/22/06, Tony Paterra <apaterra@gmail.com> wrote:
> > >
> > > Is there any real difference between these two commands? All I'm
> > > seeing is that "ip access-list" offers a friendlier interface when it
> > > comes to editing/sequencing... I can't find any docs to say anything
> > > much more than that.
> > >
> > > Thanks in advance,
> > > Tony Paterra
> > > apaterra@gmail.com
> > >
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
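As an added illustration that is not part of this thread, the following Python model reproduces what Godswill's router output shows: a sequence-numbered standard ACL parsed from 'show access-lists' text, the effect of 'no <seq>' (the other lines keep their numbers) and of 'ip access-list resequence', and first-match evaluation ending in the implicit deny. The class and function names are my own, the sample input is re-typed from the thread, and the handling of entries printed with 'wildcard bits' goes beyond the host entries shown above.

```python
import ipaddress
import re

# Constructed sample input: the 'sh access-lists' output quoted in the thread.
SHOW_ACL = """Standard IP access list 10
    10 permit 10.1.1.1
    20 permit 20.1.1.1
    30 permit 30.1.1.1
    40 permit 40.1.1.1
"""
# One entry as 'show access-lists' prints it; wildcard and hit count are optional.
ENTRY_RE = re.compile(r"^(\d+) (permit|deny) (\S+?)(?:, wildcard bits (\S+))?(?: \(\d+ matches?\))?$")

def wildcard_to_network(addr, wildcard):
    # IOS wildcard: 0 bits must match. Contiguous wildcards only (ip_network rejects others).
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard or "0.0.0.0"))))
    return ipaddress.ip_network((addr, mask), strict=False)

class StandardAcl:
    """Sequence-numbered standard ACL: first match wins, implicit deny at the end."""
    def __init__(self, name):
        self.name = name
        self.entries = {}  # seq -> (action, network)

    @classmethod
    def parse(cls, text):
        lines = text.strip().splitlines()
        acl = cls(lines[0].split()[-1])
        for line in lines[1:]:
            m = ENTRY_RE.match(line.strip())
            if not m:
                raise ValueError("unparsed ACL line: " + line)
            seq, action, addr, wildcard = m.groups()
            acl.entries[int(seq)] = (action, wildcard_to_network(addr, wildcard))
        return acl

    def remove(self, seq):  # 'no <seq>' under 'ip access-list standard <name>'
        del self.entries[seq]  # the other lines keep their numbers

    def resequence(self, start=10, step=10):  # 'ip access-list resequence <name> <start> <step>'
        ordered = [self.entries[s] for s in sorted(self.entries)]
        self.entries = {start + i * step: e for i, e in enumerate(ordered)}

    def evaluate(self, src_ip):  # (action, seq) of the first matching line, else implicit deny
        ip = ipaddress.ip_address(src_ip)
        for seq in sorted(self.entries):
            action, net = self.entries[seq]
            if ip in net:
                return action, seq
        return "deny", None
```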
This archive was generated by hypermail 2.1.4 : Thu Jun 01 2006 - 06:33:22 ART