Monday, October 17, 2011

CCNA :: Part 9 - IP Access Lists - Named Access List


Named IP Access Lists 

Named ACLs can be used to match the same packets, with the same parameters, you can match with standard and extended IP ACLs. Named IP ACLs do have some differences, however, some of which make them easier to work with. The most obvious difference is that IOS identifies named ACLs using names you make up, as opposed to numbers—and you have a better chance of remembering names. Named ACLs also have another key feature that numbered ACLs do not: You can delete individual lines in a named IP access list. With numbered ACLs, if you enter no access-list 101 and then enter the rest of the command, you don’t just delete that single line—you delete the whole list! With named ACLs, you can enter a command that removes individual lines in an ACL. Other than that, the only differences are the changes in the configuration syntax.

The configuration syntax is very similar between named and numbered IP access lists. The items that can be matched with a numbered standard IP access list are identical to the items that can be matched with a named standard IP access list. Likewise, the items are identical with both numbered and named extended IP access lists.

Two important configuration differences exist between numbered and named access lists. One key difference is that named access lists use a global command that places the user in a named IP access list submode, under which the matching and permit/deny logic is configured. The other key difference is that when a named matching statement is deleted, only that one statement is deleted. With numbered lists, the deletion of any statement in the list deletes all the statements in the list.

The following example shows how to use a named IP ACL. It shows the changing command prompt in configuration mode, showing that the user has been placed in ACL configuration mode. It also lists the pertinent parts of the output of a show running-config command. It ends with an example of how you can delete individual lines in a named ACL.

CT(config)#
CT(config)#ip access-list extended ACL
CT(config-ext-nacl)#deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq ftp
CT(config-ext-nacl)#deny tcp host 172.16.2.10 host 172.16.1.100 eq www
CT(config-ext-nacl)#permit ip any any
CT(config-ext-nacl)#exi
CT(config)#
...
CT(config)#sh run
...
!
interface Serial1/0
ip address 172.16.12.1 255.255.255.0
ip access-group ACL in
serial restart-delay 0
!
interface Serial1/1
ip address 172.16.13.1 255.255.255.0
ip access-group ACL in
serial restart-delay 0
!
...
!
ip access-list extended ACL
deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq ftp
deny tcp host 172.16.2.10 host 172.16.1.100 eq www
permit ip any any
!
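To make the matching rules concrete, here is a small Python model of how IOS evaluates the named extended ACL above. It is an added example, not part of the original post or of IOS itself, and it models only the subset of syntax the ACL on this page uses (host, any and wildcard-mask addresses, and eq with the ftp and www keywords). It implements wildcard-mask matching, first-match ordering, the implicit deny at the end of every list, and the per-statement removal that named ACLs allow.

```python
import ipaddress
from collections import namedtuple
PORTS = {"ftp": 21, "www": 80}  # IOS port keywords used by the ACL on this page
Entry = namedtuple("Entry", "text action proto src dst dport")

def ip_int(s):
    return int(ipaddress.ip_address(s))

def parse_addr(tokens):
    # One address spec: 'any', 'host A', or 'A WILDCARD'. Returns ((net, wildcard), remaining tokens).
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (ip_int(tokens[1]), 0), tokens[2:]
    return (ip_int(tokens[0]), ip_int(tokens[1])), tokens[2:]

def addr_match(spec, ip):
    # Wildcard-mask compare: a 1 bit in the wildcard means "don't care" for that bit.
    net, wild = spec
    return (ip_int(ip) & ~wild) == (net & ~wild)

def parse_entry(line):
    t = line.split()  # e.g. deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq ftp
    src, rest = parse_addr(t[2:])
    dst, rest = parse_addr(rest)
    dport = PORTS[rest[1]] if rest[:1] == ["eq"] else None  # only "eq <keyword>" is modelled
    return Entry(line, t[0], t[1], src, dst, dport)

class NamedAcl:
    def __init__(self, lines):
        self.entries = [parse_entry(l) for l in lines]
    def remove(self, line):
        # "no <statement>" in named-ACL submode drops just that statement and keeps the rest.
        self.entries = [e for e in self.entries if e.text != line]

    def check(self, proto, src, dst, dport):
        # First matching statement decides; nothing matched means the implicit deny applies.
        for e in self.entries:
            proto_ok = e.proto in ("ip", proto)
            port_ok = e.dport is None or e.dport == dport
            if proto_ok and port_ok and addr_match(e.src, src) and addr_match(e.dst, dst):
                return e.action
        return "deny"

ACL_LINES = [  # the three statements of the named ACL shown on this page
    "deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq ftp",
    "deny tcp host 172.16.2.10 host 172.16.1.100 eq www",
    "permit ip any any",
]
```

Removing the second statement with remove() leaves the FTP deny and the final permit in place, which is exactly the behaviour numbered ACLs lack.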
