From: Brian McGahan (bmcgahan@internetworkexpert.com)
Date: Mon May 22 2006 - 16:27:03 ART
FYI you can still edit a numbered access-list like a named
access-list though:
Rack1R6#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rack1R6(config)#access-list 100 permit tcp any any eq telnet
Rack1R6(config)#access-list 100 permit udp any any range 16384 32767
Rack1R6(config)#access-list 100 permit ip any any
Rack1R6(config)#do show access-list 100
Extended IP access list 100
10 permit tcp any any eq telnet
20 permit udp any any range 16384 32767
30 permit ip any any
Rack1R6(config)#ip access-list extended 100
Rack1R6(config-ext-nacl)#no 20 permit udp any any range 16384 32767
Rack1R6(config-ext-nacl)#do show access-list
Extended IP access list 100
10 permit tcp any any eq telnet
30 permit ip any any
Rack1R6(config-ext-nacl)#
HTH,
Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705
24/7 Support: http://forum.internetworkexpert.com
Live Chat: http://www.internetworkexpert.com/chat/
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Jai Prakash
> Sent: Monday, May 22, 2006 2:01 PM
> To: Godswill Oletu
> Cc: Tony Paterra; GroupStudy CCIE
> Subject: Re: ip access-list vs. access-list
>
> Hi Godswill,
>
> Thanks for letting us know about such a big difference between these two statements. I was
> not aware of this feature. The way to administer the access-list is also helpful to operate.
>
> What does the keyword "option" mean, and in which scenario can it be used?
>
> In which scenarios can "match-all" and "match-any" be used?
>
> Best Regards,
> Jai
>
>
> On 5/22/06, Godswill Oletu <oletu@inbox.lv> wrote:
> >
> > Yes, there are tons of differences between them. No, the difference is not
> > the editing/lack thereof of one. You can edit 'access-list statements' as
> > much as you can edit the 'ip access-list statements'.
> >
> > The access-list statements are subsets of the ip access-list statement, e.g.
> > !
> > access-list 10 permit 10.1.1.1
> > access-list 10 permit 20.1.1.1
> > access-list 10 permit 30.1.1.1
> > access-list 10 permit 40.1.1.1
> > !
> > R3640-R1#sh access-lists
> > Standard IP access list 10
> > 10 permit 10.1.1.1
> > 20 permit 20.1.1.1
> > 30 permit 30.1.1.1
> > 40 permit 40.1.1.1
> > R3640-R1#
> >
> > You see that my access-list has been numbered for me; if I want to edit it
> > and remove line 20, all I need do is:
> > !
> > ip access-list standard 10
> > no 20
> > !
> > R3640-R1#sh access-lists
> > Standard IP access list 10
> > 10 permit 10.1.1.1
> > 30 permit 30.1.1.1
> > 40 permit 40.1.1.1
> > R3640-R1#
> >
> > Access list line 20 is gone! You can use the 'ip access-list resequence'
> > command to rearrange the numbering.
> >
> > R3640-R1#show run | beg access-list
> > access-list 10 permit 10.1.1.1
> > access-list 10 permit 30.1.1.1
> > access-list 10 permit 40.1.1.1
> >
> > I am still using the access-list statements and not the ip access-list
> > equivalent.
> >
> > Now, what are the differences? There are tons of differences between both
> > when you come to the extended access list. The 'ip access-list extended
> > <name>' has more filtering features and abilities than its 'access-list
> > <100-199> or <2000-2699>' counterparts.
> >
> > eg:
> >
> > R3640-R1(config)#ip access-list extended so-kool
> > R3640-R1(config-ext-nacl)#permit tcp any any ?
> > ack Match on the ACK bit
> > dscp Match packets with given dscp value
> > eq Match only packets on a given port number
> > established Match established connections
> > fin Match on the FIN bit
> > fragments Check non-initial fragments
> > gt Match only packets with a greater port number
> > log Log matches against this entry
> > log-input Log matches against this entry, including input interface
> > lt Match only packets with a lower port number
> > match-all Match if all specified flags are present
> > match-any Match if any specified flag is present
> > neq Match only packets not on a given port number
> > option Match packets with given IP Options value
> > precedence Match packets with given precedence value
> > psh Match on the PSH bit
> > range Match only packets in the range of port numbers
> > reflect Create reflexive access list entry
> > rst Match on the RST bit
> > syn Match on the SYN bit
> > time-range Specify a time-range
> > tos Match packets with given TOS value
> > urg Match on the URG bit
> > <cr>
> >
> > You notice all those kool stuffs like 'match-all, match-any, option, reflect'
> >
> > R3640-R1(config)#access-list 110 permit tcp any any ?
> > ack Match on the ACK bit
> > dscp Match packets with given dscp value
> > eq Match only packets on a given port number
> > established Match established connections
> > fin Match on the FIN bit
> > fragments Check non-initial fragments
> > gt Match only packets with a greater port number
> > log Log matches against this entry
> > log-input Log matches against this entry, including input interface
> > lt Match only packets with a lower port number
> > neq Match only packets not on a given port number
> > precedence Match packets with given precedence value
> > psh Match on the PSH bit
> > range Match only packets in the range of port numbers
> > rst Match on the RST bit
> > syn Match on the SYN bit
> > time-range Specify a time-range
> > tos Match packets with given TOS value
> > urg Match on the URG bit
> > <cr>
> >
> > R3640-R1(config)#access-list 110 permit tcp any any
> >
> > You see that those kool stuffs and features are missing here.....
> >
> > HTH
> > Godswill Oletu
> >
> > ----- Original Message -----
> > From: "Jai Prakash" <jpjsr06@gmail.com>
> > To: "Tony Paterra" <apaterra@gmail.com>
> > Cc: "GroupStudy CCIE" <ccielab@groupstudy.com>
> > Sent: Monday, May 22, 2006 1:38 PM
> > Subject: Re: ip access-list vs. access-list
> >
> >
> > > Hi Tony,
> > >
> > > Yes, you are right. Administering the access-list with the "ip access-list"
> > > command is easier and friendlier compared to "access-list". If you want to
> > > remove any statement from an access-list, you can do it easily by removing
> > > the specific statement in the case of "ip access-list". But the same activity with
> > > "access-list" is a bit difficult, i.e. to remove any specific statement from the
> > > list, you have to remove all access-list statements and add them all again
> > > except that specific statement. When applying this method, you have to take
> > > precautions.
> > >
> > > The "ip access-list" command in routers and switches works the same way
> > > access-lists work in a firewall environment.
> > >
> > > Best Regards,
> > > Jai
> > >
> > >
> > > On 5/22/06, Tony Paterra <apaterra@gmail.com> wrote:
> > > >
> > > > Is there any real difference between these two commands? All I'm
> > > > seeing is that "ip access-list" offers a friendlier interface when it
> > > > comes to editing/sequencing... I can't find any docs to say anything
> > > > much more than that.
> > > >
> > > > Thanks in advance,
> > > > Tony Paterra
> > > > apaterra@gmail.com
> > > >
> > > >
> >
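Added example (not from any poster in this thread, and not Cisco code): a small Python model of the sequence-number editing the thread demonstrates. It parses the `show access-lists` output format quoted above, replays Godswill's `no 20` on list 10 and Brian's `no 20 permit udp ...` on list 100, then applies `ip access-list resequence` and an insert at an explicit sequence number. The class and function names (`Acl`, `parse_show_access_lists`, `replay_thread`) are this example's own; the sample output is constructed from the thread's outputs with match counters added. The behaviours modelled are IOS defaults as documented: appended entries get the last sequence number plus 10, duplicate sequence numbers are rejected, and sequence numbers are not saved in the running configuration for either the numbered or the named form, which is why Godswill's `show run | beg access-list` shows no numbers.

```python
# Added example: model of IOS ACL sequence-number editing. Not Cisco code;
# class and function names below are this example's own.
import re
from dataclasses import dataclass, field

HEADER_RE = re.compile(r"^(Standard|Extended) IP access list (\S+)$")
# "<seq> <rule>" with an optional trailing "(N matches)" hit counter
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(.*?)(?:\s+\(\d+ match(?:es)?\))?\s*$")


@dataclass
class Acl:
    name: str
    kind: str                                    # "standard" or "extended"
    entries: dict = field(default_factory=dict)  # seq -> rule text, kept sorted

    def sequence(self):
        return sorted(self.entries)

    def add(self, rule, seq=None):
        """Append (IOS default: last seq + 10) or insert at an explicit seq."""
        if seq is None:
            seq = (self.sequence()[-1] + 10) if self.entries else 10
        if seq in self.entries:
            raise ValueError(f"Duplicate sequence number {seq}")
        self.entries[seq] = rule
        self.entries = dict(sorted(self.entries.items()))

    def remove(self, seq):
        """'no <seq>' in ip access-list mode; works on numbered lists too."""
        if seq not in self.entries:
            raise KeyError(f"no entry with sequence number {seq}")
        del self.entries[seq]

    def resequence(self, start=10, step=10):
        """'ip access-list resequence <acl> <start> <step>'; order is kept."""
        rules = [self.entries[s] for s in self.sequence()]
        self.entries = {start + i * step: r for i, r in enumerate(rules)}

    def running_config(self):
        """Config lines as 'show run' would print them: sequence numbers are
        not saved to the configuration, so neither form carries them."""
        if self.name.isdigit():
            return [f"access-list {self.name} {r}" for r in self.entries.values()]
        return [f"ip access-list {self.kind} {self.name}"] + [
            f" {r}" for r in self.entries.values()]


def parse_show_access_lists(output):
    """Parse 'show access-lists' text into {name: Acl}, dropping hit counters."""
    acls, current = {}, None
    for line in output.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            current = Acl(m.group(2), m.group(1).lower())
            acls[current.name] = current
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            current.entries[int(m.group(1))] = m.group(2)
    return acls


# Constructed from the outputs quoted in the thread; the "(5 matches)"
# counter is added to show that the parser strips it.
SAMPLE = """\
Standard IP access list 10
    10 permit 10.1.1.1 (5 matches)
    20 permit 20.1.1.1
    30 permit 30.1.1.1
    40 permit 40.1.1.1
Extended IP access list 100
    10 permit tcp any any eq telnet
    20 permit udp any any range 16384 32767
    30 permit ip any any
"""


def replay_thread():
    """Replay the two 'no 20' edits, then resequence list 100 and insert a
    rule between its first two entries. Returns the sequence numbers after
    the deletions, list 100's final sequence, and list 10's config lines."""
    acls = parse_show_access_lists(SAMPLE)
    acls["10"].remove(20)                       # Godswill: ip access-list standard 10 / no 20
    acls["100"].remove(20)                      # Brian: no 20 permit udp any any range ...
    after_delete = {n: a.sequence() for n, a in acls.items()}
    acls["100"].resequence()                    # 10, 30 -> 10, 20
    acls["100"].add("permit udp any any range 16384 32767", seq=15)
    return after_delete, acls["100"].sequence(), acls["10"].running_config()


if __name__ == "__main__":
    print(replay_thread())
```

The point of the model for anyone reviewing ACL changes: because sequence numbers never reach the saved configuration, two devices with identical `show run` output can have different `show access-lists` numbering after edits, so change records should quote the rule text rather than the sequence number alone.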
This archive was generated by hypermail 2.1.4 : Thu Jun 01 2006 - 06:33:22 ART