
Cisco ACL question

Spev

Just wondering for standard and extended access lists is there any reasoning to pick a specific number for an ACL besides falling into the standard & extended categories? On standard you could use 1-99 for example & they should all work but just to be clear there's no reasoning for picking any specific number in that range, it's just whatever number you want to use & doesn't matter?

Current PC build: [CPU: Intel i7 8700k] [GPU: GTX 1070 Asus ROG Strix] [Ram: Corsair LPX 32GB 3000MHz] [Mobo: Asus Prime Z370-A] [SSD: Samsung 970 EVO 500GB primary + Samsung 860 Evo 1TB secondary] [PSU: EVGA SuperNova G2 750w 80plus] [Monitors: Dual Dell Ultrasharp U2718Qs, 4k IPS] [Case: Fractal Design R5]


No, numbering doesn't really matter. They're simply unique identifiers. Named ACLs are more descriptive =)

-Jason


> Just wondering for standard and extended access lists is there any reasoning to pick a specific number for an ACL besides falling into the standard & extended categories? On standard you could use 1-99 for example & they should all work but just to be clear there's no reasoning for picking any specific number in that range, it's just whatever number you want to use & doesn't matter?

Yes, numbering does matter... somewhat.

When creating an access list, the prompts given to you, and eventually how the device processes the list, will vary depending on whether the number is in the standard or extended range. Essentially, the device infers the type of access list (standard or extended) from the number it is configured with; beyond that, however, there is no difference whatsoever.

Here is just a quick run-down of the ranges, functions, and common placement of ACLs (for access control).

Standard (matches Layer 3 only)
  Matches:   source IP only
  Numbers:   1-99, 1300-1999
  Placement: close to the destination

Extended (matches Layer 3 and/or 4)
  Matches:   source and destination, and/or a specific protocol and port
  Numbers:   100-199, 2000-2699
  Placement: close to the source


> Yes, numbering does matter... somewhat.
>
> When creating an access list, the prompts given to you, and eventually how the device processes the list, will vary depending on whether the number is in the standard or extended range. Essentially, the device infers the type of access list (standard or extended) from the number it is configured with; beyond that, however, there is no difference whatsoever.
>
> Here is just a quick run-down of the ranges, functions, and common placement of ACLs (for access control).
>
> Standard (matches Layer 3 only)
>   Matches:   source IP only
>   Numbers:   1-99, 1300-1999
>   Placement: close to the destination
>
> Extended (matches Layer 3 and/or 4)
>   Matches:   source and destination, and/or a specific protocol and port
>   Numbers:   100-199, 2000-2699
>   Placement: close to the source

From the context of the conversation, it sounded like he was referring to picking an ID within the given ranges of the desired ACL.

Meaning if he wanted to create a standard ACL, he has the choices of 1-99 or 1300-1999, and he wanted to know if there was any rhyme or reason to selecting a number within that standard range(s).

-Jason


1-99 are standard ACLs. 100-199 are extended.

Please for the love of God do not use numbered ACLs.

Named are a lot easier to manage, as well as being able to insert lines in between statements in case you need to modify them in the future. The general rule of thumb I go by is to increment the statements by 5. This way if you need to permit something almost identical but with different IPs you can do that and have similar statements in the same general area, so it's not a nightmare trying to find out which part of the ACL is doing what.

With the numbered ones you need to remove the ACL completely if you wish to change one line.

Oh, don't forget to remove it from the interface before you modify any ACL. You can get locked out very easily if you do not.

Corsair C70 | Gigabyte Widnforce R9 280x | AMD FX8320 3.5ghz | Corsair 750m | Gigabyte 990FXA-ud3 | Mushkin 120gb SSD | Seagate Barracuda 1tb | Mushkin 16gb ddr3 1333mhz Ram


> 1-99 are standard ACLs. 100-199 are extended.
>
> Please for the love of God do not use numbered ACLs.
>
> Named are a lot easier to manage, as well as being able to insert lines in between statements in case you need to modify them in the future. The general rule of thumb I go by is to increment the statements by 5. This way if you need to permit something almost identical but with different IPs you can do that and have similar statements in the same general area, so it's not a nightmare trying to find out which part of the ACL is doing what.
>
> With the numbered ones you need to remove the ACL completely if you wish to change one line.
>
> Oh, don't forget to remove it from the interface before you modify any ACL. You can get locked out very easily if you do not.

+1 for NACLs > ACLs


> 1-99 are standard ACLs. 100-199 are extended.
>
> Please for the love of God do not use numbered ACLs.
>
> Named are a lot easier to manage, as well as being able to insert lines in between statements in case you need to modify them in the future. The general rule of thumb I go by is to increment the statements by 5. This way if you need to permit something almost identical but with different IPs you can do that and have similar statements in the same general area, so it's not a nightmare trying to find out which part of the ACL is doing what.
>
> With the numbered ones you need to remove the ACL completely if you wish to change one line.
>
> Oh, don't forget to remove it from the interface before you modify any ACL. You can get locked out very easily if you do not.

While I agree named lists are far superior to numbered lists, some of this information is inaccurate. You can still change a numbered access list (on Cisco devices) by entering the ip access-list command, and within this you can insert, edit, remove or even re-number lines. Also, by default, access lists (again on Cisco gear, where most people start) automatically increment by 10; this is the same for every type of list and/or map in IOS. When re-numbering the sequences in the list, the default is also 10 if no other number is specified.
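An added IOS configuration example, not posted by anyone in this thread, tying together the run-down of the number ranges, the advice about named lists and sequence numbers, and the correction above about editing numbered lists in place. All addresses, list numbers and the interface name are constructed for illustration.

```cisco
! --- Numbered standard ACL: 10 is an arbitrary pick from the 1-99 range ---
! Standard lists match the source address only, so IOS never prompts for
! a destination, protocol or port.  (Constructed example addresses.)
access-list 10 remark MGMT-HOSTS
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 permit host 10.0.2.9
access-list 10 deny   any log
!
! --- Numbered extended ACL: 110 is an arbitrary pick from the 100-199 range ---
! The number alone tells IOS to expect protocol, source, destination and port.
access-list 110 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq 22
access-list 110 deny   ip any any log
!
! --- Editing the numbered list in place (the point made in the correction) ---
! A numbered list can be opened with the named-ACL syntax.  IOS numbered the
! entries 10, 20, 30 automatically, so a line can be inserted between them
! and a single line removed by its sequence number; nothing is deleted first.
ip access-list standard 10
 15 permit host 10.0.1.5
 no 20
!
! Renumber the entries of list 10 starting at 10 in steps of 10 (IOS default),
! giving 10 / 20 / 30 again: permit subnet, permit 10.0.1.5, deny any.
ip access-list resequence 10 10 10
!
! --- Named extended ACL: same matches as 110, with explicit sequence numbers ---
ip access-list extended MGMT-IN
 10 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq 22
 20 deny   ip any any log
!
! Apply inbound on the interface facing the source (extended lists sit near
! the source; standard lists, which only see the source, sit near the destination).
interface GigabitEthernet0/0
 ip access-group MGMT-IN in
!
! Verify: each entry is shown with its sequence number and hit count.
do show ip access-lists MGMT-IN
```

Editing in place, as above, keeps every explicit entry live throughout the change. Deleting a numbered list with `no access-list 10` and re-typing it is where the lockout warned about earlier comes from: in IOS an applied list with no entries permits everything, but the moment the first rebuilt entry exists the implicit deny at the end is already dropping all other traffic, including the management session doing the editing.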


> 1-99 are standard ACLs. 100-199 are extended.
>
> Please for the love of God do not use numbered ACLs.
>
> Named are a lot easier to manage, as well as being able to insert lines in between statements in case you need to modify them in the future. The general rule of thumb I go by is to increment the statements by 5. This way if you need to permit something almost identical but with different IPs you can do that and have similar statements in the same general area, so it's not a nightmare trying to find out which part of the ACL is doing what.
>
> With the numbered ones you need to remove the ACL completely if you wish to change one line.
>
> Oh, don't forget to remove it from the interface before you modify any ACL. You can get locked out very easily if you do not.

Yeah. I'm studying for CCNA. I am forced to use numbered ACLs for some of the simulations. I agree NACLs are much better.



> Yes, numbering does matter... somewhat.
>
> When creating an access list, the prompts given to you, and eventually how the device processes the list, will vary depending on whether the number is in the standard or extended range. Essentially, the device infers the type of access list (standard or extended) from the number it is configured with; beyond that, however, there is no difference whatsoever.
>
> Here is just a quick run-down of the ranges, functions, and common placement of ACLs (for access control).
>
> Standard (matches Layer 3 only)
>   Matches:   source IP only
>   Numbers:   1-99, 1300-1999
>   Placement: close to the destination
>
> Extended (matches Layer 3 and/or 4)
>   Matches:   source and destination, and/or a specific protocol and port
>   Numbers:   100-199, 2000-2699
>   Placement: close to the source

That is accurate & helpful information but I already did know that. I was simply asking if there was any logic in selecting a number in a standard 1-99 ACL. Doesn't really matter I guess just any number in the range.



> Yeah. I'm studying for CCNA. I am forced to use numbered ACLs for some of the simulations. I agree NACLs are much better.

Good luck. They definitely made it a bit more difficult with the new revamps. Working on my CCNP now, switch completed, Route and troubleshoot still left to take.


> While I agree named lists are far superior to numbered lists, some of this information is inaccurate. You can still change a numbered access list (on Cisco devices) by entering the ip access-list command, and within this you can insert, edit, remove or even re-number lines. Also, by default, access lists (again on Cisco gear, where most people start) automatically increment by 10; this is the same for every type of list and/or map in IOS. When re-numbering the sequences in the list, the default is also 10 if no other number is specified.

You are right on that, my mistake. When I first got into Cisco I was always told that was the case with standard ACLs; after that I never bothered to mess with them besides redistributing static routes back into a dynamic protocol, so I never had the need to modify the sequence order. So I didn't bother with them ever again, just went straight to extended and never looked back.


