access-list vs ip access-list
2022-07-19 05:16:00 【azenlijing】
The access-list command is used to define a numbered ACL, meaning that the ACL will be identified in the configuration by its number. This number also designates the type of this ACL, i.e. standard IP, extended IP, MAC, etc. See here:
Router(config)#access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
<1100-1199> Extended 48-bit MAC address access list
<1300-1999> IP standard access list (expanded range)
<200-299> Protocol type-code access list
<2000-2699> IP extended access list (expanded range)
<700-799> 48-bit MAC address access list
Following this help output, if you want to define a standard IP ACL, it has to be identified by a number in the range 1-99 or 1300-1999. Analogously, if you want to define an extended IP ACL, it must be numbered from the range 100-199 or 2000-2699. MAC ACLs would use the range 700-799 for standard ACL and 1100-1199 for extended ACL.
The ip access-list command defines a named IPv4 ACL, either standard or extended. A named IP ACL is equivalent to a numbered IP ACL in its behavior - the only difference is in the way it is configured and referenced in the configuration. Note that the ip access-list command cannot define other ACL types such as MAC ACLs. Otherwise, a named and a numbered ACL behave identically.
For example, these two ACLs would provide identical results:
access-list 1 deny host 192.0.2.4
access-list 1 deny 192.0.2.128 0.0.0.127
access-list 1 permit any

ip access-list standard MyACL1
deny host 192.0.2.4
deny 192.0.2.128 0.0.0.127
permit any
Also, these two ACLs would provide identical results:
access-list 100 permit tcp any any eq 80
access-list 100 permit tcp any any eq 443
access-list 100 permit udp any host 192.0.2.1 eq 53

ip access-list extended MyACL2
permit tcp any any eq 80
permit tcp any any eq 443
permit udp any host 192.0.2.1 eq 53
Apart from the obvious advantage of giving ACLs meaningful names instead of just numbers, named ACLs have another advantage: they can actually be edited. With the classic access-list command, a numbered ACL cannot really be edited - you can only append new entries to its end, and if you need to remove or replace an entry, you have to remove the entire ACL and enter it anew (note that on current IOS releases a numbered ACL can also be entered in named-ACL configuration mode, e.g. ip access-list extended 100, which gives it the same sequence-number editing described below). With named ACLs, in-place editing is possible.
Take the last named ACL above, MyACL2. If you run show ip access-lists you will get the following output:
Router#show ip access-lists
Extended IP access list MyACL2
10 permit tcp any any eq www
20 permit tcp any any eq 443
30 permit udp any host 192.0.2.1 eq domain
Note the numbers 10, 20, 30 at the start of each line. These are sequence numbers; they allow you to remove that particular line or insert a new line between existing ones. Since an ACL is evaluated top to bottom and the first matching entry wins, where a new entry lands matters. For example, if I wanted to insert a new rule between the first and second entry, it would be done as follows:
ip access-list extended MyACL2
15 permit tcp any any eq 110
Now the show ip access-lists would say:
Extended IP access list MyACL2
10 permit tcp any any eq www
15 permit tcp any any eq pop3
20 permit tcp any any eq 443
30 permit udp any host 192.0.2.1 eq domain
I could use any number between 11 and 19, inclusive.
Now, if I wanted to remove the line 30 (the one permitting the DNS access), the command would be:
ip access-list extended MyACL2
no 30
The show ip access-lists would now produce:
Extended IP access list MyACL2
10 permit tcp any any eq www
15 permit tcp any any eq pop3
20 permit tcp any any eq 443
These sequence numbers are not stored in the saved configuration - they exist only at runtime. If you reload the router, they are regenerated as 10, 20, 30, etc. In case you need to resequence the ACL without reloading the router, you can use the command ip access-list resequence MyACL2 10 10, where the first "10" specifies the starting sequence number and the second "10" the increment. After entering this command in global configuration mode, show ip access-lists shows:
Extended IP access list MyACL2
10 permit tcp any any eq www
20 permit tcp any any eq pop3
30 permit tcp any any eq 443
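The following Python model is an added example, not part of the original post or of IOS itself. It models the behaviour the two examples above rely on: wildcard-mask matching (a 1 bit in the mask means "don't care"), first-match evaluation with the implicit deny at the end, and the sequence-number editing (insert, "no <seq>", resequence) just shown on MyACL2, applied here to the page's standard ACL MyACL1 because a standard ACL matches on source address only and is short to implement. Class and function names (StandardACL, Entry, parse_source, build_myacl1) are this example's own, not IOS commands.

```python
"""Model of Cisco IOS standard ACL semantics (added example, not IOS code):
wildcard-mask matching, first-match evaluation with the implicit deny, and
sequence-number editing (insert, 'no <seq>', resequence)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ALL_ONES = 0xFFFFFFFF


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


@dataclass
class Entry:
    seq: int
    action: str     # "permit" or "deny"
    network: int    # 32-bit source address
    wildcard: int   # IOS wildcard mask: a 1 bit means "don't care"

    def matches(self, addr: int) -> bool:
        care = ALL_ONES ^ self.wildcard          # invert wildcard -> bits that must match
        return (addr & care) == (self.network & care)

    def render(self) -> str:
        if self.wildcard == ALL_ONES:
            src = "any"
        elif self.wildcard == 0:
            src = f"host {ipaddress.IPv4Address(self.network)}"
        else:
            src = f"{ipaddress.IPv4Address(self.network)} {ipaddress.IPv4Address(self.wildcard)}"
        return f"{self.seq} {self.action} {src}"


def parse_source(tokens):
    """'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' | 'A.B.C.D' (implies wildcard 0.0.0.0)."""
    if tokens[0] == "any":
        return 0, ALL_ONES
    if tokens[0] == "host":
        return _ip(tokens[1]), 0
    wildcard = _ip(tokens[1]) if len(tokens) > 1 else 0
    return _ip(tokens[0]), wildcard


class StandardACL:
    def __init__(self, name: str):
        self.name = name
        self.entries = []

    def add(self, line: str, seq: Optional[int] = None) -> None:
        """'[seq] permit|deny <source>', as typed in ip access-list standard mode."""
        tokens = line.split()
        if tokens[0].isdigit():                  # leading sequence number given
            seq, tokens = int(tokens[0]), tokens[1:]
        if seq is None:                          # no seq: append at last+10, like IOS
            seq = self.entries[-1].seq + 10 if self.entries else 10
        if any(e.seq == seq for e in self.entries):
            raise ValueError(f"sequence {seq} already in use")
        action = tokens[0]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action {action!r}")
        network, wildcard = parse_source(tokens[1:])
        self.entries.append(Entry(seq, action, network, wildcard))
        self.entries.sort(key=lambda e: e.seq)   # evaluation order is by sequence number

    def remove(self, seq: int) -> None:
        """Equivalent of 'no <seq>' inside the named ACL."""
        self.entries = [e for e in self.entries if e.seq != seq]

    def resequence(self, start: int = 10, step: int = 10) -> None:
        """Equivalent of 'ip access-list resequence <name> <start> <step>'."""
        for i, e in enumerate(self.entries):
            e.seq = start + i * step

    def evaluate(self, addr: str):
        """First matching entry wins; no match falls through to the implicit deny."""
        a = _ip(addr)
        for e in self.entries:
            if e.matches(a):
                return e.action, e.seq
        return "deny", None

    def show(self) -> list:
        return [e.render() for e in self.entries]


def build_myacl1() -> StandardACL:
    """The page's MyACL1, entered line by line."""
    acl = StandardACL("MyACL1")
    acl.add("deny host 192.0.2.4")
    acl.add("deny 192.0.2.128 0.0.0.127")
    acl.add("permit any")
    return acl


if __name__ == "__main__":
    acl = build_myacl1()
    print("\n".join(acl.show()))
    for a in ("192.0.2.4", "192.0.2.200", "192.0.2.100"):
        print(a, acl.evaluate(a))
    acl.add("5 permit host 192.0.2.4")           # inserted ahead of the deny: first match wins
    acl.resequence()
    print("\n".join(acl.show()))
```

Two points the model makes visible: 192.0.2.128 0.0.0.127 is matched with the inverted mask, so 192.0.2.128 through 192.0.2.255 hit entry 20 while 192.0.2.127 falls through to permit any; and once the trailing permit any is removed with the equivalent of no 30, every unmatched address is dropped by the implicit deny, which is why removing or resequencing the last line of a production ACL deserves a second look.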
So to wrap it up, numbered ACLs and named ACLs defined using the ip access-list command have the same effect. However, the named ACLs are more flexible in the way they are defined, managed and referenced.