02-25-2009 05:21 AM - edited 03-06-2019 04:14 AM
If I apply the ACL below, what is the difference between access-class 13 and access-group 13? Thanks in advance.
access-list 13 permit 10.8.4.199
access-list 13 permit 10.8.4.200
access-list 13 permit 10.8.4.201
access-list 13 permit 10.8.4.202
access-list 13 deny any
!
line vty 0 4
exec-time 15 0
password cisco
login
access-class 105 in
Accepted Solutions
02-25-2009 05:28 AM
Hi
Access-group applies an ACL to an interface and the access-class applies the ACL to your vty access in this case.
02-25-2009 05:28 AM
David
access-group is assigned on an interface and will filter data packets as they enter the interface or as they leave the interface (depending on whether the access-group is applied inbound or outbound). access-class is applied to line vty and controls who is able to remotely access the router, or controls whom you can remotely access from the router (depending on whether the access-class is applied inbound (the most common) or outbound).
So if you took the access list 13 from your example and applied it as access-group in on an interface, it would allow any IP packet with source address 10.8.4.199, 10.8.4.200, 10.8.4.201, or 10.8.4.202. And if you applied that same access list as access-class in on the vty, then it would permit remote access (telnet or SSH) from only those 4 addresses.
HTH
Rick
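Added example, not part of the original thread or of any poster's reply: a small Python audit that parses a config like the one in the question, evaluates a numbered standard ACL by source address, and reports what each `access-group` or `access-class` binding actually filters and whether the list it names is defined. The `interface GigabitEthernet0/1` stanza and all function names are assumptions made for illustration; the vty stanza is trimmed to the binding line, which as posted references list 105 while the list shown is 13.

```python
import ipaddress
import re

# Constructed input: the question's ACL and vty binding as posted, plus a
# hypothetical interface stanza (not in the thread) to show both attachment points.
CONFIG = """\
access-list 13 permit 10.8.4.199
access-list 13 permit 10.8.4.200
access-list 13 permit 10.8.4.201
access-list 13 permit 10.8.4.202
access-list 13 deny any
interface GigabitEthernet0/1
 ip access-group 13 in
line vty 0 4
 access-class 105 in
"""

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def parse(config):
    """Return (acls, bindings) for numbered standard ACLs and their attachment points."""
    acls, bindings, context = {}, [], "global"
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"access-list (\d+) (permit|deny) (\S+)(?: (\S+))?$", line):
            num, action, src, wild = m.groups()
            if src == "any":
                src, wild = "0.0.0.0", "255.255.255.255"
            acls.setdefault(num, []).append((action, to_int(src), to_int(wild or "0.0.0.0")))
        elif m := re.match(r"(?:ip )?(access-group|access-class) (\d+) (in|out)$", line):
            bindings.append((context, *m.groups()))
        elif line.startswith(("interface ", "line ")):
            context = line
    return acls, bindings

def permits(acl, source):
    """First match wins; no match means the implicit deny at the end of the list."""
    addr = to_int(source)
    for action, net, wild in acl:
        if (addr | wild) == (net | wild):  # wildcard bits set to 1 are "don't care"
            return action == "permit"
    return False

def audit(config):
    """Say what each binding filters and flag references to lists the config lacks."""
    acls, bindings = parse(config)
    scope = {"access-group": "packets crossing the interface",
             "access-class": "remote sessions (Telnet/SSH) on the vty lines"}
    return [(ctx, kind, num, direction, scope[kind], num in acls)
            for ctx, kind, num, direction in bindings]
```

Each row from `audit(CONFIG)` ends with a flag that is `False` when the binding names a list that the parsed configuration does not define, which is the case for the vty line here.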
02-04-2019 01:16 PM - edited 02-05-2019 06:34 AM
01-26-2024 01:32 PM
Are there any specific reasons for the syntax as to why access-class is used for VTY and access-group for interface?
01-26-2024 04:20 PM
As a guess (and having been a software developer for a couple of decades), it might be just as simple that they considered using an ACL so "different" on an interface vs. a VTY, syntax should also be different.
Of course, you could make the counter argument that functionally it's pretty much the same, so it should have the same syntax.
Sometimes, though, such decisions are based on the same logic as choosing a favorite color, i.e. no logic, just one choice appeals more to you than the other.
01-26-2024 07:36 PM
development do you do?
