ACCESS LIST V/S IP ACCESS LIST

Answered Question
Apr 24th, 2012

Hello Experts,


What is a major difference in using access-list and IP access-list. During these days what command basically being used or else it is based on IOS running on devices like router and Switch. Thanks.

Correct Answer by Peter Paluch (Cisco Employee), Wed, 04/25/2012 - 01:21

Hello Ray,


The access-list command is used to define a numbered ACL, meaning that the ACL will be identified in the configuration by its number. This number also designates the type of this ACL, i.e. standard IP, extended IP, MAC, etc. See here:


Router(config)#access-list ?
  <1-99>            IP standard access list
  <100-199>         IP extended access list
  <1100-1199>       Extended 48-bit MAC address access list
  <1300-1999>       IP standard access list (expanded range)
  <200-299>         Protocol type-code access list
  <2000-2699>       IP extended access list (expanded range)
  <700-799>         48-bit MAC address access list


Following this help output, if you want to define a standard IP ACL, it has to be identified by a number in the range 1-99 or 1300-1999. Analogously, if you want to define an extended IP ACL, it must be numbered from the range 100-199 or 2000-2699. MAC ACLs would use the range 700-799 for standard ACL and 1100-1199 for extended ACL.


The ip access-list command defines a named IPv4 ACL, either standard or extended. A named IP ACL is totally equivalent to a numbered IP ACL in its behavior - the only difference is in the way it is configured and referenced in the configuration. Also, using the ip access-list command, you cannot define different types of ACLs like MAC ACLs. Otherwise, named and numbered ACLs behave identically.


For example, these two ACLs would provide identical results:


access-list 1 deny host 192.0.2.4
access-list 1 deny 192.0.2.128 0.0.0.127
access-list 1 permit any

ip access-list standard MyACL1
  deny host 192.0.2.4
  deny 192.0.2.128 0.0.0.127
  permit any


Also, these two ACLs would provide identical results:


access-list 100 permit tcp any any eq 80
access-list 100 permit tcp any any eq 443
access-list 100 permit udp any host 192.0.2.1 eq 53

ip access-list extended MyACL2
  permit tcp any any eq 80
  permit tcp any any eq 443
  permit udp any host 192.0.2.1 eq 53


Apart from the obvious advantage of giving ACLs meaningful names instead of just numbers, the named ACLs have another advantage: they can actually be edited. Numbered ACLs cannot really be edited - you can only add new entries to their end but if you need to remove or replace an entry, you need to remove the entire ACL and enter it anew. With named ACLs, it is actually possible to perform in-place editing.


Let's take the last named ACL I've posted. If you perform show ip access-lists you will get the following output:


Router#show ip access-lists
Extended IP access list MyACL2
    10 permit tcp any any eq www
    20 permit tcp any any eq 443
    30 permit udp any host 192.0.2.1 eq domain


Note the numbers 10, 20, 30 at the start of each line. They allow you to remove that particular line or insert a new line between them. For example, if I wanted to insert a new rule between the first and second entry, it would be done as follows:


ip access-list extended MyACL2
  15 permit tcp any any eq 110


Now the show ip access-lists would say:


Extended IP access list MyACL2
    10 permit tcp any any eq www
    15 permit tcp any any eq pop3
    20 permit tcp any any eq 443
    30 permit udp any host 192.0.2.1 eq domain


I could use any number between 11 and 19, inclusive.


Now, if I wanted to remove the line 30 (the one permitting the DNS access), the command would be:


ip access-list extended MyACL2
  no 30


The show ip access-lists would now produce:


Extended IP access list MyACL2
    10 permit tcp any any eq www
    15 permit tcp any any eq pop3
    20 permit tcp any any eq 443


These numbers are not really stored in the configuration - they are only remembered at runtime. If you restart the router, they will be reset again to 10, 20, 30, etc. In case you need to resequence the ACL without restarting the router, you can use the command ip access-list resequence MyACL2 10 10 where the first "10" specifies the starting number of the ACL entry, and the second "10" represents the increment. After entering this command in the global configuration mode, the show ip access-lists again shows:


Extended IP access list MyACL2
    10 permit tcp any any eq www
    20 permit tcp any any eq pop3
    30 permit tcp any any eq 443


So to wrap it up, numbered ACLs and named ACLs defined using the ip access-list command have the same effect. However, the named ACLs are more flexible in the way they are defined, managed and referenced.


Best regards,

Peter

Overall Rating: 5 (7 ratings)
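To make the behaviour in the accepted answer concrete, here is an added Python model (not from the forum post or from Cisco) of a standard ACL: wildcard-mask matching, first-match-wins with the implicit deny at the end, and editing by sequence number (insert "15 ...", "no 30", "ip access-list resequence NAME 10 10"). The class and function names are my own; MyACL1 is the ACL from the answer.

```python
# Added example, not from the forum post or from Cisco: a small Python model
# of the standard-ACL behaviour described above (wildcard-mask matching,
# first-match-wins with the implicit deny, editing by sequence number).
from ipaddress import IPv4Address

def wildcard_match(addr, base, wildcard="0.0.0.0"):
    """IOS wildcard semantics: a 1 bit in the mask means 'do not care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)

def ace_matches(source, src_ip):
    """source is 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' as typed in IOS."""
    if source == "any":
        return True
    parts = source.split()
    if parts[0] == "host":
        return wildcard_match(src_ip, parts[1])
    return wildcard_match(src_ip, parts[0], parts[1])

class StandardAcl:
    def __init__(self):
        self.entries = {}  # sequence number -> (action, source)

    def add(self, action, source, seq=None):
        if seq is None:  # no sequence given: append after the last entry
            seq = max(self.entries, default=0) + 10
        self.entries[seq] = (action, source)
        return seq

    def remove(self, seq):  # the "no <seq>" sub-command
        del self.entries[seq]

    def resequence(self, start=10, step=10):  # "ip access-list resequence"
        ordered = [self.entries[s] for s in sorted(self.entries)]
        self.entries = {start + i * step: e for i, e in enumerate(ordered)}

    def lookup(self, src_ip):
        for seq in sorted(self.entries):  # first matching ACE decides
            action, source = self.entries[seq]
            if ace_matches(source, src_ip):
                return action
        return "deny"  # implicit "deny any" at the end of every ACL

def my_acl1():
    """MyACL1 from the answer above, entered without sequence numbers."""
    acl = StandardAcl()
    acl.add("deny", "host 192.0.2.4")
    acl.add("deny", "192.0.2.128 0.0.0.127")
    acl.add("permit", "any")
    return acl
```

Removing the final "permit any" entry leaves only the implicit deny, which is why lookups that matched nothing explicit start failing.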
cashqoo Tue, 04/24/2012 - 20:01

if i remember correctly, access-list cannot filter based on port number.

for example if i need to deny port number 80, i need to use ip access-list.


usually i configured access-list on firewalls, instead of doing at routers (as my CPE router are managed by service providers) and switches.


hth

ray_stone Tue, 04/24/2012 - 21:50

Need more reviews on this to get the things cleared. If possible then please provide an example. Thanks..!!


John Blakley Wed, 04/25/2012 - 04:23
User Badges:
  • Purple, 4500 points or more

Peter,


Awesome response! Just a side note. You can edit extended numbered ACLs, but not the standard acls (1 - 99)


Router(config)#access-list 101 permit tcp any any eq 23
Router(config)#access-list 101 permit tcp any any eq www
Router(config)#do sh access-list 101
Extended IP access list 101
    10 permit tcp any any eq telnet
    20 permit tcp any any eq www
Router(config)#ip access-list ext 101
Router(config-ext-nacl)#5 permit udp any any
Router(config-ext-nacl)#do sh access-list 101
Extended IP access list 101
    5 permit udp any any
    10 permit tcp any any eq telnet
    20 permit tcp any any eq www
Router(config-ext-nacl)#


*Edit*

I wonder if this converts the numbered acl to a named acl with a number as the name though?


John

Richard Burts Wed, 04/25/2012 - 08:48
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame, Founding Member
  • Cisco Designated VIP, 2017 LAN, WAN

John


Yes it does treat the access list as a named access list (where the name is numeric).


Peter


This is an excellent explanation. +5


HTH


Rick

Peter Paluch Wed, 04/25/2012 - 16:23
User Badges:
  • Cisco Employee,

Rick,


I am honored. Thank you!


Best regards,

Peter

Jan Hrnko Wed, 04/25/2012 - 10:32
User Badges:
  • Silver, 250 points or more

Hi John,


Excuse my rudeness, but I think that you CAN edit standard ACLs (1-99) and I have just verified it on a Cisco 2801 Router (C2801-ADVENTERPRISEK9-M, Version 12.4(25d)).


If I can kindly ask you, why do you think otherwise?


Thanks and have a nice day!


Best regards,

Jan

John Blakley Wed, 04/25/2012 - 10:43
User Badges:
  • Purple, 4500 points or more

Jan,


You're absolutely right. The older versions of IOS don't allow you to edit standard acls. The common practice was to copy everything into a text editor and make your changes, delete the existing acl and then paste in the changes. I just tried to edit a standard one and it can be edited. +5 for you!


R4(config)#access-list 20 permit host 192.168.50.5
R4(config)#access-list 20 permit host 192.168.50.6
R4(config)#do sh access-list 20
Standard IP access list 20
    20 permit 192.168.50.6
    10 permit 192.168.50.5
R4(config)#ip access-list stand
R4(config)#ip access-list standard 20
R4(config-std-nacl)#5 permit 192.168.50.100
R4(config-std-nacl)#do sh access-list 20
Standard IP access list 20
    5 permit 192.168.50.100
    20 permit 192.168.50.6
    10 permit 192.168.50.5


Thanks!

John

cisco.abhay Wed, 04/25/2012 - 22:09

Hi,


The only difference is --


In normal ACL - you can't edit. If you want to edit, if you remove any ACE, it'll remove the complete ACL, but

In IP ACL -- you can edit ACEs, like you can remove line no 10, add an ACE at line no 5...

ray_stone Thu, 04/26/2012 - 00:30

John... In your post, basically we can not remove the number in normal ACL but if we use the same access list by using the command IP ACL then it will treat that access list as an IP based access list and then only we can delete/add the numbers according to config.


Is it?


Thanks.

John Blakley Thu, 04/26/2012 - 03:54
User Badges:
  • Purple, 4500 points or more

Ray,


From my previous thoughts, I believed that you could only edit extended ACLs regardless if they were created with "ip access-list ext name" or "access-list 101". After testing, depending on IOS version, you can edit both normal acls and extended acls without deleting. Initially in the past, normal acls could not be edited and when you removed an entry it would remove the complete acl. Now you can edit both by using the "ip access-list" command.


Router(config)#access-list 10 permit host 192.168.1.2
Router(config)#access-list 10 permit host 192.168.1.3
Router(config)#do sh access-list 10
Standard IP access list 10
    20 permit 192.168.1.3
    10 permit 192.168.1.2
Router(config)#ip access-list stand 10
Router(config-std-nacl)#no 20
Router(config-std-nacl)#do sh access-list 10
Standard IP access list 10
    10 permit 192.168.1.2


See above I created a standard numbered access-list with hosts 192.168.1.2 and .3. Then I showed the acl. I edit the acl with "ip access-list standard 10" and delete no 20 and show the access-list again and only line 20 is gone.


The old way of doing it still stands though in where Peter mentioned that you can't edit the standard acl as a standard acl:


Router(config)#access-list 50 permit host 5.5.5.5
Router(config)#access-list 50 permit host 5.5.5.6
Router(config)#do sh access-list 50
Standard IP access list 50
    10 permit 5.5.5.5
    20 permit 5.5.5.6
Router(config)#no access-list 50 permit host 5.5.5.6
Router(config)#do sh access-list 50
Router(config)#


Above, I add access-list 50 and then show it with hosts 5.5.5.5 and .6. I then "edit" it by just removing host 5.5.5.6 without using "ip access-list standard 50". After showing the acl again, it's gone. So in order to edit the acl, you have to use the "ip access-list" command on the acl that you want regardless if it was created with access-list or access-list .


HTH,

John

ray_stone Thu, 04/26/2012 - 00:22

Peter... you are great as you explained in a very effective manner and it's really understandable now. Thanks for your time and explanation.

Peter Paluch Thu, 04/26/2012 - 01:24
User Badges:
  • Cisco Employee,

Hi Ray,


Thank you! In fact, everybody here is great and deserves his credit


Best regards,

Peter

glen.grant Thu, 07/19/2012 - 11:50
User Badges:
  • Purple, 4500 points or more

Since about code version 12.2.T you have been able to modify numbered ACLs as named ACLs. You could remove or add entries but there were no sequence numbers before the entries so you could not put them in a specific spot in the ACL. They remedied that in later code versions.

Rowandene1 Tue, 04/04/2017 - 06:41

:)


The way you wrote and explained this makes me think you should be an Author


Well Done


Thanks a lot


Kev
