Re:Standard and Extended ACLs?

imran_mcse · ‎02-13-2005

I just want to know that if extended IP access lists can do all tasks, I mean extended access lists have a lot of controlling parameters, then why people use Standard Access lists instead of Extended access lists.

I just want to know that in which scenario we should use STD ACLs instead of EXTD ACLs, what special advantage of using STD over EXTD ACLs,

Please reply.

Georg Pauwen · ‎02-14-2005

Hello,

basically, extended access lists allow much more granular access than standard access lists. Let´s say you want host 192.168.12.1 to be able to access your network and use specific services (such as your web server), but you do not want that host to e.g. initiate FTP sessions. With a standard access list, you can either allow or deny that host, but with an extended access list, you can achieve the above, since the extended ACL allows you to specify specific ports. This is just one example, you might want to check the documents below for more:

Configuring Commonly Used IP ACLs

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml

Configuring IP Access Lists

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml

HTH,

GP

imran_mcse · ‎02-14-2005

thanx sir for your kind reply.

Yeah Sir i know all this, but my question is this that if EXTD ACLs provide much and much control then why cisco still have support of STD ACLs in his IOS, why he dont eliminate the STD ACLs from its IOS.

Kevin Dorrell · ‎02-14-2005

Mostly you can use extended access lists throughout. You can do the same job with an extended list that you can with a standard one, but putting "any" for the extension part.

However, there are a few commands that do not accept extended lists because an extended list would simply not make any sense. Here, you have to use a standard list. Examples that come to mind are snmp-server community and ntp access-group, but I am sure there are others.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/ffun_r/ffrprt3/frf014.htm#wp1022436

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/ffun_r/ffrprt3/frf012.htm#wp1018459

Kevin Dorrell

Luxembourg

Richard Burts · ‎02-14-2005

I believe the major use of standard access lists is in the function of distribute lists. A distribute list controls routes to be advertised and most of the time will use a standard access list. It is possible to use an extended access list in a distribute list but it is very complex and what the second addess and mask represent in the distribute list is not easy to figure out.

Also the access-class command which is used to control access to the vty ports will almost always use a standard access list. I have experimented with doing access-class with an extended access list and did eventually get it to work. But it is much easier and more obvious to use standard access list with access-class.

HTH

Rick

HTH

Rick

s.masters · ‎09-14-2012

You can debug ip packet in standard ACL but I do not know of a way to debug Named ACL

zheng.olivier · ‎09-15-2012

a standard ACL is a named ACL which is named by a number.

Richard Burts · ‎09-16-2012

This response is not correct. Whether an access list is named or numbered has nothing to do with whether it is standard or extended. A named access list could be either standard or extended. And in numbered access list,for example, access lists 1 through 99 are standard while 100 through 199 are extended.

What distinguishes standard and extended access list is that standard access list contains a single address and a single mask while an extended access list contains two addresses and two masks and may optionally specify protocol parameters.

HTH

Rick

Sent from Cisco Technical Support iPad App

HTH

Rick

zheng.olivier · ‎09-16-2012

Hi Rick,

I wasn't looking for answering the question, most people before me answer to the question.

I wanted to show that a standard ACK is just a particular named ACL. ("You can debug ip packet in standard ACL but I do not know of a way to debug Named ACL") if you can debug with a standard ACL, then you're actually debugging with a named ACL.

nkarthikeyan · ‎09-16-2012

Hi Imran,

Let me share my thoughts on this.

Standard ACL -- It can be specified only based on the source address/subnet

It can have only the specific protocol id's (ip/tcp/udp/icmp) but not the specific ports like 80,443,22.

Extended ACL -- It can be more specific and many filterations can be achieved thru this as others stated. like protocol id's, source, destination, ports etc.

Standard ACL's can be used when you do not need any filterations based on the destination or specific ports. eg: When you have unrestricted and restricted zone in your network. You can have the unrestricted zone to be premitted to access outside. But you don want the restricted zone to talk to outside work. In that case you do not need an extended ACL. You can permit the unrestricted zone permit & deny with standard ACL's.

Please do rate if the given information helps.

By

Karthik

raadalhafnawi · ‎11-15-2012

A standard ACL can permit or deny traffic based on the source address
An extended ACL can permit or deny traffic based on both the source and destination address...
Standard near the destination, Extended near the source.

Joseph W. Doherty · ‎11-15-2012

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

To summarize what the other posters have already noted, the two principle reasons why one might use a standard ACL (which could also be functionally accomplished) by an extended ACL are 1) some commands that rely on ACLs might still only support standard ACLs (more likely in older IOS versions) and 2) a standard ACL might be just a little clearer to understand.

Another (hopefully needless) reason why you might want to use a standard ACL, when an extended ACL would do, could be the device's processing performance might be better with a standard ACL.

Logically the standard ACL ACE:

access-list 10 permit host 1.1.1.1

should be the same as this extended ACL ACE:

permit ip host 1.1.1.1 any

But a "dumb" implementation of processing the extended ACL might wildcard compare the destination IP and other optional parameters while the standard ACL only examines the source IP. Should this happen? No, but such might happen because of different generations of code and/or different teams working on ACL processing.

BTW, if there is a significant performance difference, it's just as possible extended works better.

Again, this is very extreme and unlikely, but this could be a reason to use one form of ACL vs. the other when both can provide the same filtering. (Also, if this is "discovered", it's very likely to be very device and IOS version specific. Personally I would consider taking "advantage" of such a discovery poor practice, except in extreme situations.)