It is much easier to remember names than numbers. It is also easier to manage named ACLs, because you have the ability to sequence line items in the ACL. This lab will discuss and demonstrate named Access Control Lists (ACLs).
Numbered access-lists have a major downfall: you cannot edit specific lines in the access-list. The only way to change one is to edit the lines in a text editor, then completely remove and re-add the ACL. Numbered access-lists can still be found in networks all around the world, but engineers now commonly use named access-lists so that an ACL can be edited on the fly with minimal time required. Named ACLs also have the big advantage of a descriptive name; with an ACL named "VTY_ACCESS", it is quite obvious that the ACL controls vty line access.
Named access-lists are much like numbered access-lists, but with names and the addition of line (sequence) numbers. You can now specify on which line an ACE is placed in the ACL. For example, if you have an ACL with lines 5, 10, 15, 20, 25 and 30 and need to insert an entry between lines 15 and 20, you can do so without removing the entire access-list. In named access-list configuration mode, each new ACE statement is preceded by the line number it should occupy.
Step 1. The first objective is to create a standard named access-list that permits only the network 10.1.1.0/24, and to configure an ACE on line 500 that denies and logs all other traffic. The syntax used to complete this objective is ip access-list standard ACLNAME, as shown below.
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip access-list standard INSIDE_IN
R1(config-std-nacl)#
In named access-list configuration mode, it is common to start each ACE with a specific line number. If no line number is specified, the ACE is placed at the bottom of the ACL. It is common to increment ACL line numbers by 5 or 10. To complete the first lab objective, configure line 10 to permit 10.1.1.0/24 and explicitly deny all other traffic on line 500 with logging enabled.
R1(config-std-nacl)#10 permit 10.1.1.0 0.0.0.255
R1(config-std-nacl)#500 deny any log
To apply this named access-list to an interface, navigate to the correct interface and execute the ip access-group command followed by the ACL name and direction, as shown below:
R1(config-std-nacl)#exit
R1(config)#int f0/1
R1(config-if)#ip access-group INSIDE_IN in
You can verify your access-list configuration by executing the show access-list command:
R1(config-if)#do show access-list
Standard IP access list INSIDE_IN
10 permit 10.1.1.0, wildcard bits 0.0.0.255
500 deny any log
R1(config-if)#
As you can see, there is plenty of space between line 10 and the explicit deny statement on line 500 to insert more access control list entries at a later time.
Step 2. Configure an extended named access-list called OUTSIDE_IN that denies all traffic from host 71.23.44.50, denies TCP traffic from host 204.221.190.5 to any destination on port www, and permits all other traffic. Apply this access-list inbound on interface Fa0/0:
R1(config-if)#exit
R1(config)#ip access-list extended OUTSIDE_IN
R1(config-ext-nacl)#10 deny ip host 71.23.44.50 any
R1(config-ext-nacl)#20 deny tcp host 204.221.190.5 any eq www
R1(config-ext-nacl)#500 permit ip any any
Now assign the newly created extended named access-list inbound on R1's FastEthernet0/0 interface, as shown below:
R1(config-ext-nacl)#exit
R1(config)#int f0/0
R1(config-if)#ip access-group OUTSIDE_IN in
To verify your access-list configuration, execute the show access-list OUTSIDE_IN command from privileged mode, or use the do prefix within a configuration mode, as shown below:
R1(config-ext-nacl)#do sh access-list OUTSIDE_IN
Extended IP access list OUTSIDE_IN
10 deny ip host 71.23.44.50 any
20 deny tcp host 204.221.190.5 any eq www
500 permit ip any any
R1(config-ext-nacl)#
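The sequencing behaviour described in Step 1 and the verification output from both steps can be modelled off-box. The following Python is an added example, not part of this lab: it parses the show access-list output above into sequence-numbered entries, inserts an ACE between line 10 and the final deny, renders the resulting IOS configuration, and runs two reviewer checks (does the ACL end in an explicit deny, and does that deny log). The "append at highest sequence + 10" rule for an ACE entered without a line number is an assumption about IOS's default step; the sample output is constructed from this page.

```python
import re
from dataclasses import dataclass, field
# Constructed sample: the 'show access-list' output of this lab, both ACLs.
SHOW_OUTPUT = """Standard IP access list INSIDE_IN
    10 permit 10.1.1.0, wildcard bits 0.0.0.255
    500 deny any log
Extended IP access list OUTSIDE_IN
    10 deny ip host 71.23.44.50 any
    20 deny tcp host 204.221.190.5 any eq www
    500 permit ip any any
"""
HEADER = re.compile(r"^(Standard|Extended) IP access list (\S+)")
ENTRY = re.compile(r"^\s*(\d+)\s+((?:permit|deny)\b.*?)(?:\s+\(\d+ match(?:es)?\))?$")

@dataclass
class NamedAcl:
    name: str
    kind: str                                    # "standard" or "extended"
    entries: dict = field(default_factory=dict)  # sequence number -> ACE text

    def add(self, ace, seq=None):
        """Place an ACE at a sequence number; no number = bottom of the ACL (assumed: highest + 10)."""
        if seq is None:
            seq = max(self.entries, default=0) + 10
        if seq in self.entries:
            raise ValueError(f"{self.name}: sequence {seq} already in use")
        self.entries[seq] = ace
        return seq

    def render(self):  # IOS configuration lines that reproduce the ACL, in sequence order
        body = [f" {s} {self.entries[s]}" for s in sorted(self.entries)]
        return [f"ip access-list {self.kind} {self.name}"] + body

    def audit(self):  # reviewer checks: the bottom ACE is an explicit deny, and it logs
        if not self.entries: return ["empty ACL"]
        last = self.entries[max(self.entries)]
        if not last.startswith("deny"):
            return ["last ACE is not an explicit deny"]
        return [] if "log" in last.split() else ["final deny does not log"]

def parse_show_access_list(text):  # 'show access-list' output -> {name: NamedAcl}
    acls, current = {}, None
    for line in text.splitlines():
        if (h := HEADER.match(line)):
            current = NamedAcl(h.group(2), h.group(1).lower())
            acls[current.name] = current
        elif (e := ENTRY.match(line)) and current is not None:
            # 'show' prints standard masks as ', wildcard bits X'; fold back to config form
            current.entries[int(e.group(1))] = e.group(2).replace(", wildcard bits", "")
    return acls
```

Appending an ACE without a sequence number after the line-500 deny lands it at 510, below the deny, which is exactly the case the audit flags.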