633 Views, 0 Helpful, 4 Replies

Confusion in ACLs

pankaj kumar
Level 1

Hi,

I have some confusion about the syntax of ACLs.

1) We can configure a standard ACL as follows:

          R1(config)#access-list 1 permit 10.1.1.1

                                  OR

          R1(config)#ip access-list standard 1
          R1(config-std-nacl)#permit 10.1.1.1

   Is there any difference between these two methods, or do both define a numbered standard ACL?

2) It is said that we cannot edit a numbered ACL but we can edit a named ACL. But consider the following:

          R1(config)#access-list 10 permit 10.1.1.1
          R1(config)#access-list 10 deny 11.0.0.1

   Now if I use the commands given below I am able to edit the ACL, so why is it said that "we cannot edit a numbered ACL"?

          R1(config)#ip access-list standard 10
          R1(config-std-nacl)#no 20
          R1(config-std-nacl)#20 permit 11.0.0.1

3) Is there any difference between these commands?

     R1#show access-list
     R1#show ip access-list

4) We can apply only one ACL per interface per direction per protocol.

   So does it mean that we can apply two ACLs for two protocols? Please give an example if we can apply two ACLs for two protocols.

1 Accepted Solution

cadet alain
VIP Alumni

Hi,

A) You called it as a named ACL, the name being the numbered ACL's number, so you can edit it accordingly.

B) So is it true that

    if we use ip access-list then it always creates a named ACL

    if we use access-list then it will always create a numbered ACL

Correct.

But if we use

R2(config)#ip access-list standard ?

  <1-99>       Standard IP access-list number
  <1300-1999>  Standard IP access-list number (expanded range)
  WORD         Access-list name

it shows

"1-99 standard ip access-list number"

does it mean that this will create a numbered ACL?

No, it will create a named ACL with a number as its name.

C) Can we say that these ACLs are for different protocols, as the first one is for IP and the second one is for TCP? If not, then why?

     access-list 100 permit ip host 10.1.1.1 host 10.1.1.2
     access-list 101 permit tcp host 10.1.1.1 host 10.1.1.3 eq telnet

No, these are both IPv4 extended ACLs: one matches on IP and the other on TCP, so you can't apply them on the same interface in the same direction; the second one you apply will replace the first one.

Regards

Alain

Don't forget to rate helpful posts.

4 Replies

John Blakley
VIP Alumni

You can edit a numbered ACL in newer IOS versions now with the standard command, as stated above:

Create the standard ACL:

R5(config)#access-list 10 permit 1.1.1.0 0.0.0.255

Edit the standard numbered ACL:

R5(config)#ip access-list standard 10

Add another line above the original:

R5(config-std-nacl)#5 permit 2.2.2.0 0.0.0.255
R5(config-std-nacl)#exit

Show the newly modified ACL:

R5(config)#do sh access-list 10
Standard IP access list 10
    5 permit 2.2.2.0, wildcard bits 0.0.0.255
    10 permit 1.1.1.0, wildcard bits 0.0.0.255

As far as the differences, it's purely preference. Most engineers will use "access-list" for standard, and for named it's more along the lines of "ip access-list ext".

HTH,
John

*** Please rate all useful posts ***


cadet alain
VIP Alumni

Hi,

1) The first one is a numbered ACL and the second is a named ACL whose name is a number.

2) You can edit it if you call it as a named ACL, as you experimented.

3) sh access-list will show all access lists, whereas sh ip access-list will only show IPv4 ACLs.

4) Yes, you could configure a MAC ACL and an IPv4 ACL inbound on the same interface.

Regards

Alain

Don't forget to rate helpful posts.

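The behaviour John's reply demonstrates (a numbered ACL edited through its number used as a name, with a sequence number inserted ahead of an existing entry) and the rule Alain's replies state (one IPv4 ACL per interface per direction, so a second ip access-group replaces the first) can be modelled in a few dozen lines. The block below is an added example written for this thread; it is not IOS code and not from any poster. The Router, Acl, Ace and Packet names, the Gi0/0 interface and the port-name table are this example's own assumptions. It also makes explicit what the replies only imply: entries are tested in sequence order, the first match decides, and a packet that matches nothing hits the implicit deny.

```python
"""IOS-style IPv4 ACL model, added as an example for this thread (not IOS code). Router,
Acl, Ace and Packet are this example's own names; PORT_NAMES is a constructed subset."""
import ipaddress
from collections import namedtuple

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80}
Packet = namedtuple("Packet", "src dst proto dport", defaults=("0.0.0.0", "ip", None))
Ace = namedtuple("Ace", "seq action proto src dst dport")  # src/dst are (address, wildcard)

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def _take_address(tokens: list) -> tuple:
    """Consume 'any', 'host A.B.C.D', 'A.B.C.D WILDCARD' or bare 'A.B.C.D' (wildcard 0.0.0.0)."""
    first = tokens.pop(0)
    if first == "any":
        return "0.0.0.0", "255.255.255.255"
    if first == "host":
        return tokens.pop(0), "0.0.0.0"
    if tokens and tokens[0][:1].isdigit():  # a wildcard follows; keywords never start with a digit
        return first, tokens.pop(0)
    return first, "0.0.0.0"

class Acl:
    def __init__(self, name: str, kind: str):
        self.name, self.kind, self.aces = name, kind, {}  # kind: "standard"/"extended"; aces: seq -> Ace

    def add(self, line: str) -> None:
        """Parse one ACE in IOS syntax. Without a leading sequence number the entry goes
        last, ten above the current highest, which is how IOS numbers it."""
        tokens = line.split()
        seq = int(tokens.pop(0)) if tokens[0].isdigit() else max(self.aces, default=0) + 10
        action, dport = tokens.pop(0), None
        if self.kind == "standard":  # a standard ACL tests the source address only
            proto, src, dst = "ip", _take_address(tokens), ("0.0.0.0", "255.255.255.255")
        else:
            proto = tokens.pop(0)
            src, dst = _take_address(tokens), _take_address(tokens)
            if tokens[:1] == ["eq"]:
                dport = PORT_NAMES[tokens[1]] if tokens[1] in PORT_NAMES else int(tokens[1])
        self.aces[seq] = Ace(seq, action, proto, src, dst, dport)

    def remove(self, seq: int) -> None:
        del self.aces[seq]  # "no <seq>" in the named-ACL sub-mode

    def first_match(self, pkt: Packet):
        for seq in sorted(self.aces):  # sequence order; the first matching entry decides
            ace = self.aces[seq]
            if (ace.proto in ("ip", pkt.proto) and ace.dport in (None, pkt.dport)
                    and wildcard_match(pkt.src, *ace.src) and wildcard_match(pkt.dst, *ace.dst)):
                return ace
        return None

    def evaluate(self, pkt: Packet) -> str:
        ace = self.first_match(pkt)
        return ace.action if ace else "deny"  # the implicit deny that ends every ACL

class Router:
    def __init__(self):
        self.acls, self.bindings = {}, {}  # name -> Acl; (interface, direction) -> ACL name

    def ip_access_list(self, kind: str, name) -> Acl:
        # "ip access-list standard 10": the number is just a name, so this reaches the ACL
        # that "access-list 10 ..." built (or creates it if it does not exist yet)
        return self.acls.setdefault(str(name), Acl(str(name), kind))

    def access_list(self, number: int, line: str) -> None:
        # legacy "access-list N ..." form; the number range selects standard or extended
        kind = "standard" if 1 <= number <= 99 or 1300 <= number <= 1999 else "extended"
        self.ip_access_list(kind, number).add(line)

    def ip_access_group(self, interface: str, direction: str, name):
        # one IPv4 ACL per interface per direction: a second "ip access-group" replaces
        # the first instead of stacking on it; returns the name of the ACL it displaced
        previous = self.bindings.get((interface, direction))
        self.bindings[(interface, direction)] = str(name)
        return previous

    def filter(self, interface: str, direction: str, pkt: Packet) -> str:
        name = self.bindings.get((interface, direction))
        return self.acls[name].evaluate(pkt) if name else "permit"  # nothing bound: nothing filtered

def demo() -> dict:
    """Replay the thread's examples and return the outcomes."""
    r = Router()
    r.access_list(10, "permit 1.1.1.0 0.0.0.255")  # numbered creation: becomes seq 10
    acl10 = r.ip_access_list("standard", 10)  # same object, now addressed as a named ACL
    acl10.add("5 permit 2.2.2.0 0.0.0.255")  # John's insert lands ahead of seq 10
    r.access_list(10, "deny 11.0.0.1")  # appended as seq 20
    before = acl10.evaluate(Packet("11.0.0.1"))
    acl10.remove(20)  # "no 20", then "20 permit 11.0.0.1"
    acl10.add("20 permit 11.0.0.1")
    r.access_list(100, "permit ip host 10.1.1.1 host 10.1.1.2")
    r.access_list(101, "permit tcp host 10.1.1.1 host 10.1.1.3 eq telnet")
    r.ip_access_group("Gi0/0", "in", 100)
    displaced = r.ip_access_group("Gi0/0", "in", 101)  # 101 replaces 100 here; they do not stack
    return {"seqs": sorted(acl10.aces), "seq5_hit": acl10.first_match(Packet("2.2.2.7")).seq,
            "before_edit": before, "after_edit": acl10.evaluate(Packet("11.0.0.1")),
            "implicit_deny": acl10.evaluate(Packet("9.9.9.9")), "displaced": displaced,
            "telnet_to_3": r.filter("Gi0/0", "in", Packet("10.1.1.1", "10.1.1.3", "tcp", 23)),
            "http_to_2": r.filter("Gi0/0", "in", Packet("10.1.1.1", "10.1.1.2", "tcp", 80))}

if __name__ == "__main__": print(demo())
```

Running demo() replays the thread's commands: ACL 10 ends up with entries 5, 10 and 20, a packet from 2.2.2.7 is decided by the inserted entry 5, 11.0.0.1 is denied before the "no 20" / "20 permit 11.0.0.1" edit and permitted after it, and 9.9.9.9 falls through to the implicit deny. With ACL 101 bound inbound on Gi0/0 the telnet flow to 10.1.1.3 passes, while the flow to 10.1.1.2 that ACL 100 would have permitted is dropped, because binding 101 displaced 100 rather than adding to it.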

A) R1(config)#access-list 10 permit 10.1.1.1
   R1(config)#access-list 10 deny 11.0.0.1

   The above lines create a standard numbered ACL.

   R1(config)#ip access-list standard 10
   R1(config-std-nacl)#no 20
   R1(config-std-nacl)#20 permit 11.0.0.1

   These lines treat the numbered ACL as a named ACL, but how can a numbered ACL be treated as a name?

B) So is it true that

    if we use ip access-list then it always creates a named ACL

    if we use access-list then it will always create a numbered ACL

But if we use

R2(config)#ip access-list standard ?

  <1-99>       Standard IP access-list number
  <1300-1999>  Standard IP access-list number (expanded range)
  WORD         Access-list name

it shows

"1-99 standard ip access-list number"

does it mean that this will create a numbered ACL?

C) Can we say that these ACLs are for different protocols, as the first one is for IP and the second one is for TCP? If not, then why?

     access-list 100 permit ip host 10.1.1.1 host 10.1.1.2
     access-list 101 permit tcp host 10.1.1.1 host 10.1.1.3 eq telnet
