Access-group vs. Access-class

Answered Question
Feb 25th, 2009

If I apply the ACL below, what is the difference between access-class 13 and access-group 13? Thanks in advance.

access-list 13 permit 10.8.4.199
access-list 13 permit 10.8.4.200
access-list 13 permit 10.8.4.201
access-list 13 permit 10.8.4.202
access-list 13 deny any
!
line vty 0 4
 exec-time 15 0
 password cisco
 login
 access-class 105 in

Correct Answer by Richard Burts about 7 years 9 months ago

David

access-group is assigned on an interface and will filter data packets as they enter the interface or as they leave the interface (depending on whether the access-group is applied inbound or outbound). access-class is applied to line vty and controls who is able to remotely access the router, or controls who can be remotely accessed from the router (depending on whether the access-class is applied inbound (the most common) or outbound).

So if you took access list 13 from your example and applied it as access-group in on an interface, it would allow any IP packet with source address 10.8.4.199, 10.8.4.200, 10.8.4.201, or 10.8.4.202. And if you applied that same access list as access-class in on the vty, then it would permit remote access (telnet or SSH) from only those 4 addresses.

HTH

Rick
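
The distinction in this answer, as an added example that is not part of the original thread: a Python check that reads an IOS-style config, lists every access-group and access-class binding with what it filters, and reports whether the referenced numbered ACL is defined. The function name, the FastEthernet0/0 stanza and the one-space indentation of sub-commands are assumptions; run on the question's config, it shows the vty lines bound to list 105, not list 13.

```python
import re

# ACL and vty stanza are from the question; the interface stanza is constructed
# (an assumption) so that both kinds of binding appear. Sub-commands are indented.
SAMPLE_CONFIG = """\
access-list 13 permit 10.8.4.199
access-list 13 permit 10.8.4.200
access-list 13 permit 10.8.4.201
access-list 13 permit 10.8.4.202
access-list 13 deny any
!
interface FastEthernet0/0
 ip access-group 13 in
!
line vty 0 4
 exec-time 15 0
 password cisco
 login
 access-class 105 in
"""

ACL_DEF = re.compile(r"^access-list\s+(\S+)\s+(?:permit|deny)\b")  # numbered ACLs only
BINDING = re.compile(r"^(?:ip\s+)?(access-group|access-class)\s+(\S+)\s+(in|out)\b")
SCOPE = {"access-group": "data packets entering or leaving the interface",
         "access-class": "remote access (telnet/SSH) to or from the router"}

def audit_acl_bindings(config):
    """Return one dict per access-group/access-class binding found in config."""
    defined, bindings, context = set(), [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():  # top-level command: opens or closes a context
            context = line if line.startswith(("interface ", "line ")) else None
            if (m := ACL_DEF.match(line)):
                defined.add(m.group(1))
            continue
        m = BINDING.match(line)
        if m and context:
            kind, acl, direction = m.groups()
            bindings.append({"where": context, "kind": kind, "acl": acl,
                             "direction": direction, "filters": SCOPE[kind]})
    for b in bindings:  # resolve only after every definition has been seen
        b["defined"] = b["acl"] in defined
    return bindings

if __name__ == "__main__":
    for b in audit_acl_bindings(SAMPLE_CONFIG):
        print(b)
```
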

Correct Answer by adamclarkuk_2 about 7 years 9 months ago

Hi

Access-group applies an ACL to an interface and the access-class applies the ACL to your vty access in this case.
