Advantage of access-list over named access-list

dan_track
Level 1

Hi,

I like named access-lists. The problem I have is that I have a couple of network engineers here and they constantly use the standard access-lists. When I ask them why, they say it's out of habit. Can someone please explain if there's any need at all to have non-named access-lists in this day and age?

Thanks

Dan

1 Accepted Solution

In the newer codes, yes they are numbered. You can verify with a "show access-lists".

glen.grant
VIP Alumni

These days there really isn't a difference. If you use a standard access list it can be modified just like a named access list; just get into ACL config mode, such as "ip access-list standard 50". This puts you into ACL config mode and you modify the list just like a named list. You can modify any existing ACL list like this also, so technically there isn't a difference other than whether you actually use a name for the ACL or a standard or extended number for the ACL.

Thanks.

But if you put a "no" statement in, doesn't it remove the entire access-list? I thought that was one of the big advantages of named access-lists.

Dan

Not if you are in ACL config mode. Try it on a spare box. It used to be that way when named first came out but not anymore.

conf t

ip access-list standard 50

Enter; this puts you in ACL config mode and you can add and delete items one at a time, which is why I say there isn't a lot of difference now. This assumes you aren't still running old 11.X code or early 12.X code. You can also modify any current numbered ACL this way.

Thanks. Does that mean that each line in the standard or extended list is numbered?

Thanks

Dan

In the newer codes, yes they are numbered. You can verify with a "show access-lists".
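The per-entry editing described in the replies above, as an added example that is not part of any participant's post: a numbered standard ACL edited in ACL config mode on an IOS release that supports entry sequence numbers. ACL number 50 comes from the thread; the addresses and sequence numbers are constructed for illustration.

```cisco
! Constructed example: addresses and sequence numbers are illustrative.
configure terminal
 ip access-list standard 50
  ! Create entries with explicit sequence numbers.
  10 permit 192.0.2.0 0.0.0.255
  20 permit host 198.51.100.7
  30 deny any
  ! Remove only entry 20; entries 10 and 30 stay in place.
  no 20
  ! Insert a new entry between 10 and 30.
  15 permit host 198.51.100.9
 exit
 ! Renumber the entries to start at 10 and step by 10.
 ip access-list resequence 50 10 10
end
! Confirm the entries and their sequence numbers.
show access-lists 50
! Caveat: from global config mode, "no access-list 50" still deletes the whole list.
```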

xcz504d1114
Level 4

One thing I like about named access-lists is that they allow you to put something meaningful into the configuration. If I do a "show run interface gi 1/0/1" and see the access-group with "100", that doesn't mean anything to me; if I see "VoIP_QoS", that means a lot more to me. Also, it can give an idea of the intention of the ACL. Ideally your engineers would put remarks in their access-lists, but I find that is rare, and the ones I typically see in ACLs aren't up to date: configurations have changed, old remarks are left in, you get the idea.

HTH,

Craig Miller
