Named ACLs (Access Control Lists)

As of IOS version 11.2, it is possible to create named access lists rather than only numbered ones. This allows you to give an access list a descriptive name, which makes your configuration easier to understand when you see the list applied to an object or resource, such as an interface.

Named access control list syntax

Named access lists are configured differently from numbered lists. Numbered lists use the 'legacy' syntax, whereas named access lists are built from one of two configuration modes: standard named access list mode or extended named access list mode. Once in one of these modes, you enter permit and deny statements to build the access list.

Router(config)#ip access-list {standard|extended} <name>

Router(config-std-nacl)#{permit|deny} {host <address>|<source> <source-wildcard>|any}
    or
Router(config-ext-nacl)#{permit|deny} <protocol> {<source>|any} {<destination>|any}

Source/Destination: <address> <wildcard> [<port-operator> <port>]

As you may have noticed, once you have entered named access list configuration mode, the syntax for a standard or extended entry is the same as the legacy syntax minus the access-list keyword and the list number. If you know how to configure standard and extended access lists, then you already know how to configure named access lists.

Other benefits

Another benefit of named access list configuration mode is that you can add new statements to an existing access list and insert them at any position. With the legacy syntax, you must delete the entire access list and re-enter it with the updated rules.

This is achieved through sequence numbers. As you build an access list, each statement you add is given a sequence number 10 higher than the previous one. You can see these sequence numbers with the privileged command show ip access-lists. An example is given below.

Router(config)#ip access-list standard acl1
Router(config-std-nacl)#deny 192.168.0.0 0.0.0.255
Router(config-std-nacl)#permit any
Router(config-std-nacl)#exit
Router(config)#exit

Router#show ip access-lists
Standard IP access list acl1
	10 deny 192.168.0.0, wildcard bits 0.0.0.255
	20 permit any

As can be seen, a standard named access list called acl1 is created and two statements are added. When we view this access list we can see the numbers that prefix each statement: these are the sequence numbers in the access list.

Suppose we want to deny another network, 192.168.1.0/24, and we want the deny to take effect before the permit any statement. We add it in the same way as any other line, but prefix the statement with a sequence number between 10 and 20.

Router(config)#ip access-list standard acl1
Router(config-std-nacl)#15 deny 192.168.1.0 0.0.0.255
Router(config-std-nacl)#exit
Router(config)#exit

Router#show ip access-lists
Standard IP access list acl1
	10 deny 192.168.0.0, wildcard bits 0.0.0.255
	15 deny 192.168.1.0, wildcard bits 0.0.0.255
	20 permit any
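The two behaviours described above, first-match evaluation with wildcard masks and insertion by sequence number, can be modelled outside a router. The following Python script is an added example, not code from the original page or from Cisco; the class and function names (StandardNamedAcl, parse_entry, demo) are this example's own, and the show() output only approximates the IOS display format shown on the page. It builds the acl1 list from the page, inserts the 192.168.1.0/24 deny at sequence 15, and contrasts that with adding the same statement without a sequence number, where it lands at 30, after permit any, and never matches.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Entry:
    """One statement of a standard named ACL (example model, not IOS code)."""
    seq: int        # sequence number as displayed by show ip access-lists
    action: str     # "permit" or "deny"
    network: int    # source address as a 32-bit integer
    wildcard: int   # wildcard bits: 0 = bit must match, 1 = don't care

    def matches(self, addr: str) -> bool:
        # A wildcard mask is the inverse of a subnet mask: only the bits
        # where the wildcard is 0 are compared.
        mask = ~self.wildcard & 0xFFFFFFFF
        return (int(ipaddress.IPv4Address(addr)) & mask) == (self.network & mask)


def parse_entry(line: str, next_seq: int) -> Entry:
    """Parse '[seq] {permit|deny} {host A|A W|any}' into an Entry."""
    tokens = line.split()
    seq = int(tokens.pop(0)) if tokens and tokens[0].isdigit() else next_seq
    if not tokens or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"expected permit|deny in: {line!r}")
    action = tokens.pop(0)
    if not tokens:
        raise ValueError(f"missing source in: {line!r}")
    if tokens[0] == "any":
        network, wildcard = 0, 0xFFFFFFFF          # every bit is don't-care
    elif tokens[0] == "host":
        network, wildcard = int(ipaddress.IPv4Address(tokens[1])), 0
    else:
        network = int(ipaddress.IPv4Address(tokens[0]))
        # A missing wildcard on a standard ACL means a single host (0.0.0.0).
        wildcard = int(ipaddress.IPv4Address(tokens[1])) if len(tokens) > 1 else 0
    return Entry(seq, action, network, wildcard)


class StandardNamedAcl:
    """In-memory model of 'ip access-list standard <name>' (example code)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.entries: List[Entry] = []

    def add(self, line: str) -> Entry:
        # Without an explicit sequence number IOS appends at last + 10.
        next_seq = max(e.seq for e in self.entries) + 10 if self.entries else 10
        entry = parse_entry(line, next_seq)
        if any(e.seq == entry.seq for e in self.entries):
            raise ValueError(f"sequence {entry.seq} already used in {self.name}")
        self.entries.append(entry)
        self.entries.sort(key=lambda e: e.seq)   # order of evaluation
        return entry

    def evaluate(self, addr: str) -> str:
        # First matching statement wins; an unmatched packet hits the
        # implicit deny at the end of every IOS access list.
        for e in self.entries:
            if e.matches(addr):
                return e.action
        return "deny"

    def show(self) -> str:
        lines = [f"Standard IP access list {self.name}"]
        for e in self.entries:
            if e.wildcard == 0xFFFFFFFF:
                src = "any"
            elif e.wildcard == 0:
                src = f"host {ipaddress.IPv4Address(e.network)}"
            else:
                src = (f"{ipaddress.IPv4Address(e.network)}, "
                       f"wildcard bits {ipaddress.IPv4Address(e.wildcard)}")
            lines.append(f"    {e.seq} {e.action} {src}")
        return "\n".join(lines)


def build_acl1() -> StandardNamedAcl:
    """The acl1 list from the page before the extra deny is inserted."""
    acl = StandardNamedAcl("acl1")
    acl.add("deny 192.168.0.0 0.0.0.255")
    acl.add("permit any")
    return acl


def demo() -> Tuple[str, str]:
    """Return the verdict for 192.168.1.5 (constructed test address) when the
    deny is appended without a sequence number vs. inserted at 15."""
    appended = build_acl1()
    appended.add("deny 192.168.1.0 0.0.0.255")       # becomes seq 30, after permit any
    inserted = build_acl1()
    inserted.add("15 deny 192.168.1.0 0.0.0.255")    # evaluated before permit any
    return appended.evaluate("192.168.1.5"), inserted.evaluate("192.168.1.5")


if __name__ == "__main__":
    acl = build_acl1()
    acl.add("15 deny 192.168.1.0 0.0.0.255")
    print(acl.show())
    print("appended, inserted =", demo())
```

The important observation is in demo(): the same deny statement entered without a sequence number is still accepted, but it is shadowed by the earlier permit any and never matches, so checking show ip access-lists after every insertion is the way to confirm a new statement sits where you intended.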
