Named Access Lists

Since Cisco IOS Release 11.2, you can use a text name for access lists in many cases. Some new features have been added to named ACLs that make them more than just text names. The benefits of using named access lists are the following:

  • The name can be meaningful and indicative of the list’s purpose, which helps with documentation and maintenance and benefits anyone who has to support the ACLs later.

  • You can selectively delete specific lines within a named access list, something that can’t be done with numbered lists.

  • Named lists get around the limit on the quantity of numbered ACLs, although this is less of an issue since the additional number ranges added in IOS 12.1.

Before you create a named access list for a particular purpose, consider the following:

  • Named access lists are incompatible with older IOS releases (pre-11.2).

  • A standard access list and an extended access list can’t have the same name. This rule means no two access lists can have the same name—not an unusual requirement.

  • Names must begin with an alphanumeric character and are case-sensitive. Within the name, almost any character can be included.

  • Not all processes that use access lists can use named ACLs.

Named access lists have a different format from numbered access lists. The initial line establishes the type and name of the list. The access-list statement is followed by one or more permit or deny statements. The syntax for a named standard access list is

Router(config)#ip access-list standard name
Router(config-std-nacl)# {permit | deny} {source [source-wildcard] | any} [log]

The following is an example of a named standard access list:

Rtr1(config)#ip access-list standard sales_access
Rtr1(config-std-nacl)#permit 192.168.3.0 0.0.0.255
Rtr1(config-std-nacl)#permit 192.168.4.0 0.0.0.255
Rtr1(config-std-nacl)#permit 192.168.5.0 0.0.0.255
Rtr1(config-std-nacl)#permit host 192.168.6.50
Rtr1(config-std-nacl)#interface serial 0
Rtr1(config-if)#ip access-group sales_access out

Notice that the prompt identifies the ACL as standard (std) and as a named access list (nacl). A separate configuration submode exists for named ACLs, whereas numbered lists are created entirely in Global Configuration mode.

The following is what the previous access list looks like in the running configuration. Notice the change in the order and the removal of the wildcards:

!
ip access-list standard sales_access
 permit 192.168.6.50
 permit 192.168.3.0
 permit 192.168.4.0
 permit 192.168.5.0
!

The syntax for a named extended access list is

Router(config)#ip access-list extended name
Router(config-ext-nacl)# {permit | deny} {protocol | protocol-keyword} {source source-wildcard | any}
    [operator source-port] {destination destination-wildcard | any} [operator destination-port]
    [precedence precedence] [tos tos] [log | log-input] [options]

The following is an example of a named extended access list to limit TCP and Web access within the network:

Rtr1#configure terminal
Rtr1(config)#ip access-list extended server-screen
Rtr1(config-ext-nacl)#permit tcp any host 192.168.2.20 eq 80
Rtr1(config-ext-nacl)#permit tcp host 192.168.1.151 host 192.168.2.20
Rtr1(config-ext-nacl)#int s1
Rtr1(config-if)#ip access-group server-screen out

The following is what the previous access list looks like if you show the running configuration. Note that TCP port 80 was replaced with the mnemonic www:

!
ip access-list extended server-screen
 permit tcp any host 192.168.2.20 eq www
 permit tcp host 192.168.1.151 host 192.168.2.20
!
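To make the matching semantics of both lists concrete (top-down first match, host entries versus wildcard entries, the www mnemonic, and the implicit deny at the end of every ACL), here is an added Python example, not from the book, that parses named ACLs in the running-configuration form shown above and evaluates packets against them. The configuration text and the packet addresses it is run against are constructed for this example.

```python
import ipaddress
# Constructed sample: the section's two named ACLs as they appear in the running configuration.
RUNNING_CONFIG = """\
ip access-list standard sales_access
 permit 192.168.6.50
 permit 192.168.3.0 0.0.0.255
!
ip access-list extended server-screen
 permit tcp any host 192.168.2.20 eq www
 permit tcp host 192.168.1.151 host 192.168.2.20
"""
PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23, "smtp": 25}   # IOS port mnemonics
def ip2int(a): return int(ipaddress.IPv4Address(a))

def parse_named_acls(config):   # -> {name: (kind, [entry tokens, ...])}
    acls, current = {}, None
    for tokens in map(str.split, config.splitlines()):
        if tokens[:2] == ["ip", "access-list"]:           # block header: kind, name
            current = acls[tokens[3]] = (tokens[2], [])
        elif tokens and tokens[0] in ("permit", "deny"):  # entries indented under it
            current[1].append(tokens)
    return acls

def _address(tokens, pkt):   # consume any | host A | A [wildcard]; -> (matched, rest)
    if tokens[0] == "any":
        return True, tokens[1:]
    if tokens[0] == "host":
        return ip2int(tokens[1]) == pkt, tokens[2:]
    addr, rest, wildcard = ip2int(tokens[0]), tokens[1:], 0
    if rest and rest[0][0].isdigit():   # a following dotted quad is the wildcard mask
        wildcard, rest = ip2int(rest[0]), rest[1:]
    return ((addr ^ pkt) & ~wildcard & 0xFFFFFFFF) == 0, rest   # 1 bits are "don't care"

def _port(tokens, pkt_port):   # optional 'eq <number|mnemonic>' operator; -> (matched, rest)
    if tokens[:1] == ["eq"]:
        return int(PORT_NAMES.get(tokens[1], tokens[1])) == pkt_port, tokens[2:]
    return True, tokens

def evaluate(acl, src, dst="0.0.0.0", proto=None, sport=None, dport=None):
    kind, entries = acl
    for action, *rest in entries:   # top-down, first match wins
        if kind == "extended":   # protocol keyword first, then src [eq port] dst [eq port]
            ok, rest = rest[0] in ("ip", proto), rest[1:]
            checks = [(_address, ip2int(src)), (_port, sport), (_address, ip2int(dst)), (_port, dport)]
        else:                    # a standard list tests the source address only
            ok, checks = True, [(_address, ip2int(src))]
        for check, value in checks:
            ok, rest = check(rest, value) if ok else (False, rest)
        if ok:
            return action
    return "deny"   # the implicit deny at the end of every ACL
```

Running `evaluate(parse_named_acls(RUNNING_CONFIG)["server-screen"], "10.0.0.5", "192.168.2.20", "tcp", dport=22)` returns "deny", showing that a host not listed in the second entry only reaches the server on port 80.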