Access-group vs. Access-class

davidhuynh5
Level 1

If I apply the ACL below, what is the difference between access-class 13 and access-group 13? Thanks in advance.

access-list 13 permit 10.8.4.199
access-list 13 permit 10.8.4.200
access-list 13 permit 10.8.4.201
access-list 13 permit 10.8.4.202
access-list 13 deny any
!
line vty 0 4
 exec-timeout 15 0
 password cisco
 login
 access-class 105 in

6 Replies

adamclarkuk_2
Level 4

Hi

Access-group applies an ACL to an interface and the access-class applies the ACL to your vty access in this case.

Richard Burts
Hall of Fame

David

access-group is assigned on an interface and will filter data packets as they enter the interface or as they leave the interface (depending on whether the access-group is applied inbound or outbound). access-class is applied to line vty and controls who is able to remotely access the router, or controls which hosts the router may remotely access (depending on whether the access-class is applied inbound (the most common) or outbound).

So if you took the access list 13 from your example and applied it as access-group in on an interface it would allow any IP packet with source address 10.8.4.199, 10.8.4.200, 10.8.4.201, or 10.8.4.202. And if you applied that same access list as access-class in on the vty then it would permit remote access (telnet or SSH) from only those 4 addresses.

HTH

Rick

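Putting Rick's two bindings side by side in one configuration, as an added example that is not from the original thread: the same standard ACL 13 is bound once with access-group (on an interface) and once with access-class (on the vty lines), followed by the show commands used to confirm each binding. The interface name, the `log` keyword, `transport input ssh` and `login local` (which assumes a local username exists) are assumptions; note also that the original post defines access-list 13 but binds access-class 105, so this example uses 13 in both places.

```ios
! Constructed example: one standard ACL, two very different bindings.
! (Not from the original thread; interface name and extra keywords are assumed.)
access-list 13 permit 10.8.4.199
access-list 13 permit 10.8.4.200
access-list 13 permit 10.8.4.201
access-list 13 permit 10.8.4.202
access-list 13 deny any log
!
! 1) access-group: filters every IP packet entering the interface,
!    transit traffic included, by source address.
interface GigabitEthernet0/0
 ip access-group 13 in
!
! 2) access-class: governs only who may open a telnet/SSH session on
!    these lines; packets forwarded through the router are untouched.
!    The original post binds ACL 105 here although only 13 is defined.
line vty 0 4
 exec-timeout 15 0
 transport input ssh
 access-class 13 in
 login local
!
! Verification (privileged EXEC):
! show ip access-lists 13                  -> per-entry match counters
! show ip interface GigabitEthernet0/0     -> "Inbound access list is 13"
! show running-config | section line vty  -> access-class binding on the lines
! show users                               -> who currently holds a vty session
```

The `deny any log` entry means sources outside the four permitted hosts show up in syslog, which is the cheapest way to see who is probing the vty lines or being dropped at the interface.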

Are there any specific reasons for the syntax as to why access-class is used for VTY and access-group for interface?

As a guess (and having been a software developer for a couple of decades), it might be just as simple as this: they considered using an ACL on an interface vs. a VTY so "different" that the syntax should also be different.

Of course, you could make the counter argument that functionally it's pretty much the same, so it should have the same syntax.

Sometimes, though, such decisions are based on the same logic as choosing a favorite color, i.e. no logic, just one choice appeals more to you than the other.

Thank you for the reply, I appreciate that. What kind of software development do you do?