Re: ip access-list vs. access-list

From: Godswill Oletu (oletu@inbox.lv)
Date: Mon May 22 2006 - 16:17:53 ART


Jai,

You will get a better explanation on both here:

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080431066.html

http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hiap_c/ch05/haclflg.htm

IP Options include provisions for time stamps, security, and special routing. Though these are good, they might be unnecessary communication for some routers; the ability to filter them reduces the overhead on the router.

The match feature gives you more flexibility and control when matching your TCP flags, e.g. +ack, -ack, +psh, etc.

Read up on the above two references and you will get a better view.

HTH
Godswill Oletu
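As an added example (not configuration from the original thread), the following IOS fragment puts the keywords discussed above into one named extended ACL: 'option' to drop packets carrying IP Options, 'match-all' with +/- flags to admit only a bare SYN as a connection opener, 'reflect'/'evaluate' for a reflexive list, and sequence-number editing followed by 'ip access-list resequence'. The ACL names, the interface Serial0/0, the inside subnet 192.168.10.0/24 and the server address 192.168.10.80 are assumptions chosen for illustration.

```cisco
! Added example, not from the original post. ACL names, interface, subnet
! and host addresses are assumptions.
!
! 1. Filter IP Options first. Source-route options (lsr/ssr) let a sender
!    steer the packet's path; 'any-options' drops every option-bearing packet.
ip access-list extended OUTSIDE-IN
 10 deny   ip any any option any-options log
 ! 2. 'match-all' requires every listed flag condition to hold: +syn -ack
 !    matches only the first packet of a handshake, not any packet that merely
 !    has SYN set. ('match-any' would match if any one condition held.)
 15 deny   tcp any any match-all +fin +psh +urg log
 20 permit tcp any host 192.168.10.80 eq 80 match-all +syn -ack
 30 permit tcp any host 192.168.10.80 eq 80 established
 ! 3. Return traffic for sessions the inside opened is checked against the
 !    temporary entries built by the 'reflect' line in OUTSIDE-OUT below.
 40 evaluate INSIDE-TCP
 50 deny   ip any any log
!
ip access-list extended OUTSIDE-OUT
 ! 'reflect' mirrors each outbound TCP session into INSIDE-TCP; the entry is
 ! removed after 300 seconds without traffic.
 10 permit tcp 192.168.10.0 0.0.0.255 any reflect INSIDE-TCP timeout 300
 20 permit ip 192.168.10.0 0.0.0.255 any
!
interface Serial0/0
 ip access-group OUTSIDE-IN in
 ip access-group OUTSIDE-OUT out
!
! 4. Editing by sequence number, as in the thread: add HTTPS alongside HTTP,
!    replace line 30 so 'established' covers both ports, then renumber.
ip access-list extended OUTSIDE-IN
 25 permit tcp any host 192.168.10.80 eq 443 match-all +syn -ack
 no 30
 30 permit tcp any host 192.168.10.80 range 80 443 established
!
ip access-list resequence OUTSIDE-IN 10 10
```

Check the result with 'show access-lists OUTSIDE-IN' (the resequenced list should read 10, 20, 30, ... with the HTTPS line now at 30) and, once an inside host has opened a session, 'show access-lists INSIDE-TCP' for the reflexive entries. These keywords only exist on images whose '?' help lists them, as in the output quoted below; the numbered 'access-list 100-199' form offers none of 'option', 'match-all', 'match-any' or 'reflect'.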

  ----- Original Message -----
  From: Jai Prakash
  To: Godswill Oletu
  Cc: Tony Paterra ; GroupStudy CCIE
  Sent: Monday, May 22, 2006 3:01 PM
  Subject: Re: ip access-list vs. access-list

  Hi Godswill,

    Thanks for letting us know such a big difference between these two statements. I was not aware of this feature. The way to administer the access-list is also helpful to operate.

  What does the keyword "option" mean, and in which scenario can it be used?

  In which scenario can "match-all" and "match-any" be used?

  Best Regards,
  Jai

   
  On 5/22/06, Godswill Oletu <oletu@inbox.lv> wrote:
    Yes, there are tons of differences between them. No, the difference is not
    the editing/lack thereof of one. You can edit 'access-list statements' as
    much as you can edit the 'ip access-list statements'.

    The access-list statements are subsets of the ip access-list statement,
    e.g.
    !
    access-list 10 permit 10.1.1.1
    access-list 10 permit 20.1.1.1
    access-list 10 permit 30.1.1.1
    access-list 10 permit 40.1.1.1
    !
    R3640-R1#sh access-lists
    Standard IP access list 10
       10 permit 10.1.1.1
       20 permit 20.1.1.1
       30 permit 30.1.1.1
       40 permit 40.1.1.1
    R3640-R1#

    You see that my access-list has been numbered for me; if I want to edit it
    and remove line 20, all I need to do is:
    !
    ip access-list standard 10
    no 20
    !
    R3640-R1#sh access-lists
    Standard IP access list 10
       10 permit 10.1.1.1
       30 permit 30.1.1.1
       40 permit 40.1.1.1
    R3640-R1#

    Access list line 20 is gone! You can use the 'ip access-list resequence'
    command to rearrange the numbering.

    R3640-R1#show run | beg access-list
    access-list 10 permit 10.1.1.1
    access-list 10 permit 30.1.1.1
    access-list 10 permit 40.1.1.1

    I am still using the access-list statements and not the ip access-list
    equivalent.

    Now, what are the differences? There are tons of differences between both
    when you come to the extended access list. The 'ip access-list extended
    <name>' has more filtering features and abilities than its 'access-list
    <100-199> or <2000-2699>' counterparts.

    e.g.:

    R3640-R1(config)#ip access-list extended so-kool
    R3640-R1(config-ext-nacl)#permit tcp any any ?
    ack Match on the ACK bit
    dscp Match packets with given dscp value
    eq Match only packets on a given port number
    established Match established connections
    fin Match on the FIN bit
    fragments Check non-initial fragments
    gt Match only packets with a greater port number
    log Log matches against this entry
    log-input Log matches against this entry, including input interface
    lt Match only packets with a lower port number
    match-all Match if all specified flags are present
    match-any Match if any specified flag is present
    neq Match only packets not on a given port number
    option Match packets with given IP Options value
    precedence Match packets with given precedence value
    psh Match on the PSH bit
    range Match only packets in the range of port numbers
    reflect Create reflexive access list entry
    rst Match on the RST bit
    syn Match on the SYN bit
    time-range Specify a time-range
    tos Match packets with given TOS value
    urg Match on the URG bit
    <cr>

    You notice all that kool stuff like 'match-all, match-any, option,
    reflect'.

    R3640-R1(config)#access-list 110 permit tcp any any ?
    ack Match on the ACK bit
    dscp Match packets with given dscp value
    eq Match only packets on a given port number
    established Match established connections
    fin Match on the FIN bit
    fragments Check non-initial fragments
    gt Match only packets with a greater port number
    log Log matches against this entry
    log-input Log matches against this entry, including input interface
    lt Match only packets with a lower port number
    neq Match only packets not on a given port number
    precedence Match packets with given precedence value
    psh Match on the PSH bit
    range Match only packets in the range of port numbers
    rst Match on the RST bit
    syn Match on the SYN bit
    time-range Specify a time-range
    tos Match packets with given TOS value
    urg Match on the URG bit
    <cr>

    R3640-R1(config)#access-list 110 permit tcp any any

    You see that all that kool stuff and those features are missing here.....

    HTH
    Godswill Oletu

    ----- Original Message -----
    From: "Jai Prakash" <jpjsr06@gmail.com>
    To: "Tony Paterra" < apaterra@gmail.com>
    Cc: "GroupStudy CCIE" <ccielab@groupstudy.com>
    Sent: Monday, May 22, 2006 1:38 PM
    Subject: Re: ip access-list vs. access-list

> Hi Tony,
>
> Yes you are right. Administrating the access-list with the "ip access-list"
> command is easier and friendlier compared to "access-list". If you want to
> remove any statement from an access-list, you can do it easily by removing the
> specific statement in the case of "ip access-list". But the same activity with
> "access-list" is a bit difficult, i.e. to remove any specific statement from
> the list, you have to remove all access-list statements and add them all again
> except that specific statement. When applying this method, you have to take
> precautions.
>
> The "ip access-list" command in Routers and Switches works the same as
> access-list works in a Firewall environment.
>
> Best Regards,
> Jai
>
>
> On 5/22/06, Tony Paterra <apaterra@gmail.com> wrote:
> >
> > Is there any real difference between these two commands? All I'm
> > seeing is that "ip access-list" offers a friendlier interface when it
> > comes to editing/sequencing... I can't find any docs to say anything
> > much more than that.
> >
> > Thanks in advance,
> > Tony Paterra
> > apaterra@gmail.com
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html



This archive was generated by hypermail 2.1.4 : Thu Jun 01 2006 - 06:33:22 ART