
access-list vs. ip access-list

fieldmonkey Users Awaiting Email Confirmation Posts: 254
So, I feel pretty good about access-list after reading most of chapter 6 while slowly cooking this information into my cerebral cortex the past few weeks, but I don't quite understand the differences in the two different commands.

If I have it correct I believe that the command ip access-list is just an extension of the original command access-list. The command ip access-list would be used when one would like to use the added / enhanced functions incorporated in IOS versions 11.2 or later, including Named ACL.

So I am uncertain what the big differences are when it comes to using the commands. If I use the access-list command vs. the ip access-list command would I not be capable of deleting one line at a time or sequence numbers etc..?

I look forward to your responses.

fieldmonkey
WIP:
Husband & Fatherhood Caitlin Grace born 8-26-2010

Future Certs:
Q1-2011 - INCD2, Microsoft or Linux (decisions, decisions...)

Comments

  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    I think these are accurate enough statements. Named ACLs are the best and when you get into the many uses for ACLs, you will wonder why anyone would ever use normal ACLs.
  • mikej412 Member Posts: 10,086
    On the newer IOS you can edit the "old fashioned" numbered and extended ip range access lists with the "new fangled" ip access-list command and renumber and re-sequence them there.

    If you stick with just the "old fashioned" access-list command, you're limited to the "old ways" of doing things.
    :mike: Cisco Certifications -- Collect the Entire Set!
  • stlsmoore Member Posts: 515
    The beauty of using ip access-list is that you're able to edit one access-list statement at a time rather than having to copy the entire access-list into Notepad or something and manually edit the entire list when you need to make a change. You can also add new statements later if you need to and place them wherever you want in the access-list.
    My Cisco Blog Adventure: http://shawnmoorecisco.blogspot.com/

    Don't Forget to Add me on LinkedIn!
    https://www.linkedin.com/in/shawnrmoore
  • lon21 Member Posts: 201
    Hi,

    I've been trying to edit my access list using the cmd ip access list. But when I bring up the show commands I'm not able to see the seq numbers to edit the access list?


    R1#show access-lists
    Extended IP access list 100
    deny tcp host 192.168.1.2 host 128.242.116.211 eq www
    deny ip host 192.168.1.2 192.168.4.0 0.0.0.255
    permit ip any any
    Extended IP access list Deny_Host_A
    permit ip host 192.168.1.2 host 4.2.2.2
    permit tcp host 192.168.1.2 host 4.2.2.2
    permit udp host 192.168.1.2 host 4.2.2.2
    Extended IP access list INTERNET
    permit tcp any any established
    Standard IP access list NAT_ADD
    deny 192.168.5.0 0.0.0.255
    permit 192.168.0.0 0.0.255.255
    R1#show ip access-lists
    Extended IP access list 100
    deny tcp host 192.168.1.2 host 128.242.116.211 eq www
    deny ip host 192.168.1.2 192.168.4.0 0.0.0.255
    permit ip any any
    Extended IP access list Deny_Host_A
    permit ip host 192.168.1.2 host 4.2.2.2
    permit tcp host 192.168.1.2 host 4.2.2.2
    permit udp host 192.168.1.2 host 4.2.2.2
    Extended IP access list INTERNET
    permit tcp any any established
    Standard IP access list NAT_ADD
    deny 192.168.5.0 0.0.0.255
    permit 192.168.0.0 0.0.255.255
  • TesseracT Member Posts: 167
    Is this real hardware, Dynamips or a software simulator?
  • lon21 Member Posts: 201
    TesseracT wrote: »
    Is this real hardware, Dynamips or a software simulator?

    Software simulator, Packet Tracer.

    Does it make a difference?


    Thanks
  • mikej412 Member Posts: 10,086
    lon21 wrote: »
    Does it make a difference?
    Yeah -- if the programmers haven't programmed the feature into the simulator, it won't be there.

    Try a different router (or switch) -- some features have been programmed but only added to one or two simulated devices and not others (like SSH).
    :mike: Cisco Certifications -- Collect the Entire Set!
  • brad- Member Posts: 1,218
    mine doesn't show the seq #'s either, just like he has there. 2620 running 12.2(2)...fwiw.
  • mikej412 Member Posts: 10,086
    brad- wrote: »
    mine doesn't show the seq #'s either, just like he has there. 2620 running 12.2(2)...fwiw.
    Real hardware or packet tracer?

    If it's real hardware you need an IOS that supports it -- something like a 12.2T (or was it a 12.2S?) or 12.3T or greater.

    And if that is Packet Tracer simulating a 2620 with a 12.2(2) IOS version, then Packet Tracer is correct since the real hardware running that IOS version doesn't support the feature.
    :mike: Cisco Certifications -- Collect the Entire Set!
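
The difference the replies describe, shown as an added example that is not part of any post in this thread. It assumes an IOS release that supports ACL sequence numbers; the entries of list 100 are taken from lon21's output, while the sequence numbers, the telnet entry and the `show` output are constructed for illustration.

```cisco
! Old style: global "access-list" can only append to the end of the list,
! and any "no access-list 100 ..." removes the ENTIRE list, not one line.
! While the list is gone, an interface that still references it filters
! nothing, so the classic workflow opens a window with no filtering.
!
! New style: open the same numbered list with "ip access-list".
R1# show ip access-lists 100
Extended IP access list 100
    10 deny tcp host 192.168.1.2 host 128.242.116.211 eq www
    20 deny ip host 192.168.1.2 192.168.4.0 0.0.0.255
    30 permit ip any any
R1# configure terminal
R1(config)# ip access-list extended 100
! Remove a single entry by its sequence number; the rest stays in place.
R1(config-ext-nacl)# no 20
! Insert a new entry between 10 and 30 by choosing a number in the gap.
! It must land before "30 permit ip any any" or it would never match.
R1(config-ext-nacl)# 15 deny tcp host 192.168.1.2 192.168.4.0 0.0.0.255 eq telnet
R1(config-ext-nacl)# exit
! Renumber so there is room for future inserts: start at 10, step by 10.
R1(config)# ip access-list resequence 100 10 10
R1(config)# end
R1# show ip access-lists 100
Extended IP access list 100
    10 deny tcp host 192.168.1.2 host 128.242.116.211 eq www
    20 deny tcp host 192.168.1.2 192.168.4.0 0.0.0.255 eq telnet
    30 permit ip any any
```

If `show ip access-lists` prints no numbers in front of the entries, as in lon21's output, the image or simulator does not support sequence-number editing and the `no 20` / `15 ...` forms will be rejected.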