access-group or access-class 1

Status
Not open for further replies.

iolair

IS-IT--Management
Oct 28, 2002
965
US
Okay, I'm a complete idiot. What is the difference, or maybe I should say, when do you use access-group vs. access-class? Is it dependent on in vs. out? IP vs. IPX? Standard list vs. Extended list? I'm having lots of trouble determining this from my documentation. I'm sure the answer is simple, but I just can't seem to get it. Thanks.

Iolair MacWalter
Director of IT
 
access-group applies access-lists to interfaces for filtering traffic through the router (think users and data since users are managed in groups on the servers). access-class applies access-lists to lines for filtering traffic to the router itself (think management of the device since admins have enough class to manage the device). If not specified, access-groups and access-classes do outbound inspection by default. Most admins like to inspect traffic inbound. Either groups or classes can be applied inbound or outbound.

Doesn't matter whether you're doing IP or IPX...the numbers of the access-lists control the routed protocol or L2 functionality of the statements.

HTH
 
Ah, now I'm getting it. Thanks.

Iolair MacWalter
Director of IT
 
A good example is that one would apply an acl to an interface using access-group...
router(config)#access-list 101 deny tcp any 192.168.1.48 0.0.0.15 eq www
router(config)#access-list 101 permit ip any any
router(config)#int fa0/1
router(config-if)#ip access-group 101 in
When applying an acl to a virtual line, like for telnet, one would apply it using access-class
router(config)#access-list 10 deny host 10.10.15.3
router(config)#access-list 10 permit any
router(config)#line vty 0 4
router(config-line)#access-class 10 in
The second example would simply deny telnet access to the router from host 10.10.15.3, but allow everyone else. Note that when applying access-class, there is no "ip" keyword that precedes it. Hope this helps.

Burt
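To make the distinction concrete in a tool rather than only on the CLI, here is an added Python example (not from the thread and not Burt's code) that walks a running-config and separates ACLs applied with "ip access-group" under an interface (transit traffic through the router) from ACLs applied with "access-class" under a line (traffic to the router's management plane). It then flags the two things worth checking first: a vty range with no access-class at all, and an access-group or access-class that names an ACL the config never defines, which means nothing is being filtered there. The config it parses is constructed for this example; it reuses the two ACLs from Burt's post and adds an undefined-ACL reference plus a second vty range so the audit has something to report. Function and regex names are this example's own, not IOS's.

```python
"""Audit a Cisco IOS running-config for ACL application points.

access-group  -> applied under an interface, filters traffic THROUGH the router
access-class  -> applied under a line (vty), filters traffic TO the router
"""
import re

# Constructed sample config for this example (not a real device's config).
# ACLs 10 and 101 are the ones from Burt's post; ACL 120 is referenced but
# never defined, and vty 5 15 has no access-class, so the audit has findings.
SAMPLE_CONFIG = """\
hostname edge1
!
access-list 10 deny   host 10.10.15.3
access-list 10 permit any
access-list 101 deny   tcp any 192.168.1.48 0.0.0.15 eq www
access-list 101 permit ip any any
!
interface FastEthernet0/0
 ip address 10.10.15.1 255.255.255.0
 ip access-group 120 in
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip access-group 101 in
!
line con 0
line vty 0 4
 access-class 10 in
 transport input ssh
line vty 5 15
 transport input ssh
!
end
"""

# Section headers that own indented sub-commands: "interface X" or "line vty 0 4".
SECTION_RE = re.compile(r"^(interface \S+|line \S+(?: \d+(?: \d+)?)?)$")
# Numbered ("access-list 101 ...") and named ("ip access-list extended NAME") definitions.
ACL_DEF_RE = re.compile(r"^(?:access-list (\S+) |ip access-list (?:standard|extended) (\S+))")
# Interface application; direction is optional on older IOS and defaults to out.
GROUP_RE = re.compile(r"^ ip access-group (\S+)(?: (in|out))?$")
# Line application; note no "ip" keyword and a mandatory direction.
CLASS_RE = re.compile(r"^ access-class (\S+) (in|out)$")


def parse_config(text):
    """Return (defined_acls, sections).

    sections maps each interface/line header to a list of
    (kind, acl, direction) tuples, kind being 'access-group' or 'access-class'.
    Sections with no ACL applied map to an empty list so the audit can see them.
    """
    defined = set()
    sections = {}
    section = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            sections.setdefault(section, [])
            continue
        if not line.startswith(" "):
            section = None  # any other unindented command ends the section
            m = ACL_DEF_RE.match(line)
            if m:
                defined.add(m.group(1) or m.group(2))
            continue
        if section is None:
            continue
        m = GROUP_RE.match(line)
        if m and section.startswith("interface "):
            sections[section].append(("access-group", m.group(1), m.group(2) or "out"))
            continue
        m = CLASS_RE.match(line)
        if m and section.startswith("line "):
            sections[section].append(("access-class", m.group(1), m.group(2)))
    return defined, sections


def audit(text):
    """Return a list of human-readable findings for the config."""
    defined, sections = parse_config(text)
    findings = []
    for section, apps in sections.items():
        for kind, acl, direction in apps:
            if acl not in defined:
                findings.append(
                    f"{section}: {kind} {acl} {direction} references an undefined ACL "
                    f"(nothing is filtered there)"
                )
        if section.startswith("line vty") and not any(k == "access-class" for k, _, _ in apps):
            findings.append(f"{section}: no access-class, management access is unrestricted")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it as-is and it reports the undefined ACL 120 on FastEthernet0/0 and the unprotected vty 5 15 range; point it at a real "show running-config" capture to see which lists guard transit traffic and which guard the box itself.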
 