
Access-group vs. Access-class

If I apply the ACL below, what is the difference between an access-class 13 and access-group 13? Thanks in advance.

access-list 13 permit 10.8.4.199
access-list 13 permit 10.8.4.200
access-list 13 permit 10.8.4.201
access-list 13 permit 10.8.4.202
access-list 13 deny any
!
line vty 0 4
 exec-time 15 0
 password cisco
 login
 access-class 105 in

Accepted Solutions

Re: Access-group vs. Access-class

Hi

Access-group applies an ACL to an interface and the access-class applies the ACL to your vty access in this case.

Re: Access-group vs. Access-class

David

access-group is assigned on an interface and will filter data packets as they enter the interface or as they leave the interface (depending on whether the access-group is applied inbound or outbound). access-class is applied to line vty and controls who is able to remotely access the router, or controls what can be remotely accessed from the router (depending on whether the access-class is applied inbound (the most common) or is applied outbound).

So if you took the access list 13 from your example and applied it as access-group in on an interface, it would allow any IP packet with source address 10.8.4.199, 10.8.4.200, 10.8.4.201, or 10.8.4.202. And if you applied that same access list as access-class in on the vty, then it would permit remote access (Telnet or SSH) from only those 4 addresses.

HTH

Rick
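
The distinction described in the answers above, shown as one configuration (an added example, not part of the original thread). It reuses access list 13 from the question; the interface name GigabitEthernet0/1 is an assumption, and the vty section applies list 13 rather than the 105 that appears in the posted snippet.

```cisco
! Standard ACL from the question: matches on source address only.
access-list 13 permit 10.8.4.199
access-list 13 permit 10.8.4.200
access-list 13 permit 10.8.4.201
access-list 13 permit 10.8.4.202
access-list 13 deny   any
!
! Case 1: access-group (filters packets on an interface).
! Every IP packet arriving on this interface is checked against ACL 13,
! including traffic that is only passing through the router.
! The interface name is an assumption for this example.
interface GigabitEthernet0/1
 ip access-group 13 in
!
! Case 2: access-class (filters remote access to the router itself).
! Only Telnet/SSH sessions to the vty lines are checked, whichever
! interface they arrive on; packets routed through the router are untouched.
line vty 0 4
 access-class 13 in
!
! Checks from exec mode:
!   show access-lists 13                    entries and per-entry match counts
!   show ip interface GigabitEthernet0/1    reports "Inbound access list is 13"
!   show running-config | section line vty  confirms the access-class on the lines
```

The two cases are alternatives with different scope: Case 1 also drops all other traffic entering that interface, while Case 2 restricts only who can open a management session.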
