Access-group vs. Access-class

Answered Question
Feb 25th, 2009

If I apply the ACL below, what is the difference between an access-class 13 and access-group 13? Thanks in advance.


access-list 13 permit 10.8.4.199
access-list 13 permit 10.8.4.200
access-list 13 permit 10.8.4.201
access-list 13 permit 10.8.4.202
access-list 13 deny any
!
line vty 0 4
 exec-time 15 0
 password cisco
 login
 access-class 105 in


Correct Answer
adamclarkuk_2 Wed, 02/25/2009 - 05:28

Hi


Access-group applies an ACL to an interface and the access-class applies the ACL to your vty access in this case.

Correct Answer
Richard Burts Wed, 02/25/2009 - 05:28

David


access-group is assigned on an interface and will filter data packets as they enter the interface or as they leave the interface (depending on whether the access-group is applied inbound or outbound). access-class is applied to line vty and controls who is able to remotely access the router, or controls which hosts can be remotely accessed from the router (depending on whether the access-class is applied inbound (the most common) or is applied outbound).


So if you took the access list 13 from your example and applied it as access-group in on an interface, it would allow any IP packet with source address 10.8.4.199, 10.8.4.200, 10.8.4.201, or 10.8.4.202. And if you applied that same access list as access-class in on the vty, then it would permit remote access (Telnet or SSH) from only those 4 addresses.


HTH


Rick
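
The two placements described in the answers above, written out as IOS configuration; this is an added example, not part of the original thread. The interface name is an assumption, and the vty lines reference list 13 (the list the question asks about) rather than the 105 that appears in the posted configuration.

```cisco
! Standard ACL 13 from the question: it matches on source address only.
access-list 13 permit 10.8.4.199
access-list 13 permit 10.8.4.200
access-list 13 permit 10.8.4.201
access-list 13 permit 10.8.4.202
access-list 13 deny any
!
! Placement 1: access-class on the vty lines.
! Only Telnet/SSH sessions to the router itself are checked against list 13.
! Packets routed through the router are not affected.
line vty 0 4
 access-class 13 in
!
! Placement 2: access-group on an interface.
! GigabitEthernet0/0 is an assumed name, not taken from the thread.
! Every IP packet arriving on this interface is checked against list 13,
! so packets from any other source address are dropped by "deny any".
interface GigabitEthernet0/0
 ip access-group 13 in
!
! Checks from privileged exec mode:
!   show access-lists 13                    per-entry match counters
!   show ip interface GigabitEthernet0/0    reports the inbound access list
```

The same five lines restrict only management sessions in the first placement but restrict all inbound traffic on the interface in the second, so the list number referenced on the vty or interface should be checked against the list that was actually defined.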
