ACLS

Started by weasleman, May 30, 2017, 05:49:53 PM


weasleman

Question: ACLs.

Now we have standard ACLs, which deal with traffic from source to destination.
We also have extended, which give you more granular control.

Now I have come across named access lists that can be either standard or extended.

So my question is: why do we have named access lists and standard and extended? From reading, the named access lists do the same thing as standard or extended, but with a named access list you can name it. But you can put a remark in a standard or extended.

So if I am right, why have standard and extended, if named gives you more and does the same thing?

Sorry, tired, maybe I'm missing something.

cheers


deanwebb

They're all different ways of looking at the same issue.

We used to have a standard ACL for accessing switches, but with an explosion of devices that had to talk to switches, we switched to an extended ACL so that we could comment it on what all the IP addresses in it were.

Then we made it a named ACL so that we would know what it was for.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

weasleman

So really, in the real world you would only use named ACLs?

If so, why do they mention standard or extended?

Seems Cisco are going over a lot of legacy stuff, or am I wrong in saying that?

deanwebb

No, in the real world we use all three. Standard are the easiest to set up, but if we need something more robust in its features, we'll set up an extended or named ACL. All three are good to know about.

wintermute000

IRL we use standard and extended because the syntax forces us to for certain features. E.g. if I want to target a specific route with a distance command - guess what, I can't use a prefix list.

Also, it's much easier to write standard ACLs for routing-specific functions, as it gets confusing with extended, but that's only because some features' syntax won't let us use prefix lists. Saner OSes like JUNOS will let you use the equivalent of a prefix list everywhere (a lot of NX-OS is cleaned up in this regard as well, but I don't think it's 100% universal, unlike JUNOS, where you never ever have to use anything except a nice, sane, readable prefix list).

Example: http://blog.ine.com/2008/01/04/using-extended-access-lists-in-a-distribute-list/
Example: http://blog.ine.com/2008/01/08/using-extended-acls-for-bgp-filtering/

weasleman

I think I am tired, as that doesn't make sense in my head.

Right, I have a standard and an extended ACL,

then I have a named ACL which can be a standard ACL or an extended ACL, but it is named rather than numbered.

Or is there a syntax difference in named standard or extended?

I'm confusing myself :smug:


Otanx

When saying the syntax forces us, he means the syntax of the command I am using the ACL for, not the syntax of the ACL itself. As an example, uRPF requires I use a numbered ACL on the command "ip verify unicast source reachable-via any allow-default 50". The 50 is a numbered ACL. If I do the same uRPF command for IPv6, I can use a named ACL: "ipv6 verify unicast source reachable-via any allow-default URPF_ACL_V6".

There are a lot of examples similar to this where you have to reference a numbered ACL because the code behind the command has not been updated to recognize a named ACL.

-Otanx
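The four forms side by side (numbered standard, numbered extended, named standard, named extended), as an added IOS configuration example that is not from any poster in this thread. It also shows the uRPF command Otanx quotes above being handed a numbered list. Addresses come from the RFC 5737 documentation ranges, and the list names, interface numbers and the "management hosts / DMZ server" roles are made up for the example.

```cisco
! ---- Numbered standard ACL (ranges 1-99 and 1300-1999) ----
! A standard ACL can only match the SOURCE address. Remarks work here too.
access-list 10 remark Management hosts allowed to reach the VTY lines (example)
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny   any log

! ---- Numbered extended ACL (ranges 100-199 and 2000-2699) ----
! An extended ACL matches protocol, source, destination and (for TCP/UDP) ports.
access-list 110 remark Allow HTTPS from the LAN to the DMZ web server (example)
access-list 110 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.10 eq 443
access-list 110 deny   ip any any log

! ---- Named standard ACL: same match rules as ACL 10, referenced by name ----
ip access-list standard MGMT_HOSTS
 remark Management hosts allowed to reach the VTY lines (example)
 10 permit 192.0.2.0 0.0.0.255
 20 deny   any log

! ---- Named extended ACL: same match rules as ACL 110, referenced by name ----
ip access-list extended LAN_TO_DMZ
 remark Allow HTTPS from the LAN to the DMZ web server (example)
 10 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.10 eq 443
 20 deny   ip any any log

! ---- Where each list is used ----
! access-class accepts either a number or a name; both of these are valid.
line vty 0 4
 access-class MGMT_HOSTS in
!
interface GigabitEthernet0/1
 ip access-group LAN_TO_DMZ in

! ---- The uRPF case from Otanx's post: this command takes a numbered ACL ----
! ACL 50 lists sources that are still accepted when the reverse-path check fails.
access-list 50 remark uRPF exceptions (example addresses)
access-list 50 permit 203.0.113.0 0.0.0.255
!
interface GigabitEthernet0/0
 ip verify unicast source reachable-via any allow-default 50
```

What the entries match is decided by standard versus extended, not by whether the list has a number or a name: MGMT_HOSTS and ACL 10 filter exactly the same packets, as do LAN_TO_DMZ and ACL 110. The practical reason to prefer the named form where a command allows it is the configuration mode it gives you: entries carry sequence numbers, so a single line can be removed with `no 20` inside `ip access-list extended LAN_TO_DMZ`, or inserted between 10 and 20 as `15 permit ...`, instead of rebuilding the whole list. Which form a particular command will accept is a property of that command, which is the point Otanx makes about uRPF.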