09-28-2009 06:15 AM - edited 03-06-2019 07:54 AM
Hi,
I like named access-lists, the problem I have is I have a couple of network engineers here and they constantly use the standard access-lists. When I ask them why they say it's out of habit. Can someone please explain if there's any need at all to have a non-named access lists in this day and age?
Thanks
Dan
09-28-2009 06:32 AM
These days there really isn't a difference. If you use a standard access list it can be modified just like a named access list; just get into ACL config mode, such as "ip access-list standard 50". This puts you into ACL config mode and you modify the list just like a named list. You can modify any existing ACL this way also, so technically there isn't a difference other than whether you actually use a name for the ACL or a standard or extended number for the ACL.
09-28-2009 06:39 AM
Thanks.
But if you put a "no" statement in doesn't it remove the entire access-list? I thought that was one of the big advantages of named access-lists.
Dan
09-28-2009 07:00 AM
Not if you are in ACL config mode. Try it on a spare box. It used to be that way when named ACLs first came out, but not anymore.
conf t
ip access-list standard 50
Press enter; this puts you in ACL config mode, and you can add and delete items one at a time, which is why I say there isn't a lot of difference now. This assumes you aren't still running old 11.x code or early 12.x code. You can also modify any current numbered ACL this way.
09-28-2009 07:42 AM
Thanks. Does that mean that each line in the standard or extended list is numbered?
Thanks
Dan
09-28-2009 07:45 AM
In the newer code, yes, they are numbered. You can verify with a "show access-lists".
09-28-2009 07:51 AM
One thing I like about named access-lists is that they allow you to put something meaningful into the configuration. If I do a "show run interface gi 1/0/1" and see the access-group with "100", that doesn't mean anything to me; if I see "VoIP_QoS", that means a lot more to me. It can also give an idea of the intention of the ACL. Ideally your engineers would put remarks in their access-lists, but I find that is rare, and the ones I typically see in ACLs aren't up to date: configurations have changed, old remarks are left in, you get the idea.
HTH,
Craig Miller
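To tie the two answers together, here is an added IOS CLI walk-through (not posted by anyone in the thread): it shows the numbered ACL 50 being edited entry by entry in ACL config mode, as described in the earlier reply, and then the same list rebuilt as a named ACL with a remark, as Craig suggests. The ACL number, the name MGMT_SOURCES, the 10.1.x.0/24 prefixes and interface GigabitEthernet0/1 are all made up for the example; the "show access-lists" output is what IOS prints for these commands on code that supports ACL sequence numbers.

```cisco
! Added example, not from the original thread. ACL 50, MGMT_SOURCES,
! the 10.1.x.0/24 prefixes and Gi0/1 are made up. Needs IOS with ACL
! sequence-number support (12.2(14)S / 12.2(15)T and later); 11.x and
! early 12.x code only know the global "access-list" form.
!
! 1. Build a numbered standard ACL the old way, one global line at a time.
configure terminal
 access-list 50 permit 10.1.1.0 0.0.0.255
 access-list 50 permit 10.1.2.0 0.0.0.255
 access-list 50 deny   any
 end
!
! IOS assigns sequence numbers 10, 20, 30 behind the scenes. They are
! not written to the running-config, but show access-lists reveals them:
show access-lists 50
! Standard IP access list 50
!     10 permit 10.1.1.0, wildcard bits 0.0.0.255
!     20 permit 10.1.2.0, wildcard bits 0.0.0.255
!     30 deny   any
!
! 2. Edit the numbered ACL in ACL config mode exactly like a named one:
!    remove a single entry by sequence number, insert another between
!    existing entries. The rest of the list is untouched.
configure terminal
 ip access-list standard 50
  no 20
  15 permit 10.1.3.0 0.0.0.255
  exit
 end
show access-lists 50
! Standard IP access list 50
!     10 permit 10.1.1.0, wildcard bits 0.0.0.255
!     15 permit 10.1.3.0, wildcard bits 0.0.0.255
!     30 deny   any
!
! 3. Optional: renumber 10, 20, 30 ... so there is room to insert again later.
configure terminal
 ip access-list resequence 50 10 10
 end
!
! 4. CAVEAT: the global "no" form still deletes the WHOLE list on every
!    release. The line below (do not type it by accident) wipes all
!    three entries; per-entry "no" only works inside ACL config mode.
!    no access-list 50
!
! 5. Same policy as a named ACL with a remark, so "show run interface"
!    shows intent instead of a bare number.
configure terminal
 ip access-list standard MGMT_SOURCES
  remark Sources allowed to reach the management plane - owner: netops
  10 permit 10.1.1.0 0.0.0.255
  20 permit 10.1.3.0 0.0.0.255
  30 deny   any
  exit
 interface GigabitEthernet0/1
  ip access-group MGMT_SOURCES in
  end
```

Two things worth checking after an edit like this: read back with "show access-lists" rather than trusting the order you typed, since IOS is known to place host (/32) entries of a standard ACL ahead of network entries in the displayed list, and remember that sequence numbers are not saved to startup-config, so after a reload the entries are renumbered from 10 in steps of 10.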