Free CCNA Workbook

Configuring Named ACL’s

It is much easier to remember names than numbers. Named ACLs are also easier to manage because you can assign sequence numbers to the individual entries. This lab discusses and demonstrates named Access Control Lists (ACLs).

Real World Application

Numbered access-lists have a major downfall: the inability to edit specific lines in the access-list. The only way to change one line is to edit the list in a text editor, then remove the whole ACL and re-add it. Numbered access-lists can still be found in networks all around the world, but engineers now commonly use named access-lists so that an ACL can be edited on the fly with minimal time required. Named ACLs also have the big advantage of a descriptive name; for an ACL named "VTY_ACCESS" it is quite obvious that the ACL controls access to the vty lines.

Lab Prerequisites

  • If you are using GNS3, then load the Free CCNA Workbook GNS3 topology and start R1.
  • Establish a console session with R1, then configure its hostname.
  • It is recommended that you complete the Previous Lab prior to starting this Lab.
  • Configure R1's FastEthernet0/0 interface with the IP address 169.254.20.3/29 and R1's FastEthernet0/1 interface with the IP address 10.1.1.254/24.

Lab Objectives

  • Configure a standard named access-list called INSIDE_IN that permits only 10.1.1.0/24 inbound; place an explicit deny statement on line 500 and log denied traffic. Apply this access-list inbound on interface Fa0/1.
  • Configure an extended named access-list called OUTSIDE_IN that denies host 71.23.44.50 and denies host 204.221.190.5 eq www, and permits all other traffic. Apply this access-list inbound on interface FastEthernet0/0.

Lab Instruction

Named access-lists are much like numbered access-lists, but with names and the addition of sequence (line) numbers. You can now specify on which line an ACE is placed in the ACL. For example, if you have an ACL with lines 5, 10, 15, 20, 25 and 30 and you need to insert an entry between lines 15 and 20, you can do so without removing the entire access-list: in named access-list configuration mode, the new ACE is simply entered with a line number between the two existing ones.

Step 1. The first objective states to create a standard named access-list that permits only the network 10.1.1.0/24 and to configure an ACE on line 500 that denies and logs all other traffic. The syntax used to complete this objective is ip access-list standard ACLNAME, as shown below.

R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.

R1(config)#ip access-list standard INSIDE_IN
R1(config-std-nacl)#

When in named access-list configuration mode, it's common to start each ACE with a specific line number. If no line number is specified, the ACE is placed at the bottom of the ACL. It's common to increment ACL line numbers by 5 or 10. To complete the first lab objective, configure line 10 to permit 10.1.1.0/24 and explicitly deny all other traffic on line 500 with logging enabled.

R1(config-std-nacl)#10 permit 10.1.1.0 0.0.0.255
R1(config-std-nacl)#500 deny any log

Note that an access-list, whether standard or extended, does not use a subnet mask to identify a network but rather a wildcard mask, which is the bitwise inverse of the subnet mask (hence 0.0.0.255 for the /24 above). Wildcard masks are covered in more detail in the dedicated wildcard mask lab.
Now, in order to apply this named access-list to an interface, you must navigate to the correct interface and execute the ip access-group command followed by the ACL name and direction, as shown below:

R1(config-std-nacl)#exit
R1(config)#int f0/1
R1(config-if)#ip access-group INSIDE_IN in

You can verify your access-list configuration by executing the show access-list command:

R1(config-if)#do show access-list
Standard IP access list INSIDE_IN
    10 permit 10.1.1.0, wildcard bits 0.0.0.255
    500 deny   any log
R1(config-if)#

As you can see, there is plenty of space between line 10 and the explicit deny statement on line 500 to inject more access control list entries at a later time.

Step 2. Configure an extended named access-list called OUTSIDE_IN that denies host 71.23.44.50, denies host 204.221.190.5 eq www, and permits all other traffic. Apply this access-list inbound on interface Fa0/0:

R1(config-if)#exit
R1(config)#ip access-list extended OUTSIDE_IN
R1(config-ext-nacl)#10 deny ip host 71.23.44.50 any
R1(config-ext-nacl)#20 deny tcp host 204.221.190.5 any eq www
R1(config-ext-nacl)#500 permit ip any any

Now assign the newly created extended named access-list inbound on R1's FastEthernet0/0 interface, as shown below:

R1(config-ext-nacl)#exit
R1(config)#int f0/0
R1(config-if)#ip access-group OUTSIDE_IN in

To verify your access-list configuration, execute the show access-list OUTSIDE_IN command from privileged mode, or use the do command within a configuration mode, as shown below:

R1(config-ext-nacl)#do sh access-list OUTSIDE_IN
Extended IP access list OUTSIDE_IN
    10 deny ip host 71.23.44.50 any
    20 deny tcp host 204.221.190.5 any eq www
    500 permit ip any any
R1(config-ext-nacl)#
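The following Python model is an added example, not part of the original lab and not Cisco IOS code. It demonstrates the three behaviours the lab relies on: sequence numbers that place an ACE at a chosen position without rebuilding the list (the line 5/10/15 discussion in the Lab Instruction), wildcard masks as the bitwise inverse of the subnet mask, and first-match evaluation that ends in the implicit deny. The class and function names, the packet dictionaries and the later-inserted "5 deny host 10.1.1.99" entry are constructed for illustration; the two ACLs mirror INSIDE_IN and OUTSIDE_IN from Steps 1 and 2.

```python
"""Model of Cisco-style named ACL evaluation (added example, not from the lab).

Assumptions (constructed for illustration, not from the page): the Ace and
NamedAcl classes, their method names, and the sample packets below.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import IPv4Address


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask is the bitwise inverse of the subnet mask, e.g. /24 -> 0.0.0.255."""
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(IPv4Address(subnet_mask ^ 0xFFFFFFFF))


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard must match exactly; a 1 bit is a don't-care."""
    care = int(IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(network)) & care)


@dataclass
class Ace:
    seq: int
    action: str                      # "permit" or "deny"
    proto: str = "ip"                # "ip" matches any protocol; else "tcp"/"udp"
    src: str = "0.0.0.0"             # defaults model the keyword "any"
    src_wc: str = "255.255.255.255"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dport: int | None = None         # "eq www" -> destination port 80
    log: bool = False

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and pkt["proto"] != self.proto:
            return False
        if not wildcard_match(pkt["src"], self.src, self.src_wc):
            return False
        if not wildcard_match(pkt["dst"], self.dst, self.dst_wc):
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True


@dataclass
class NamedAcl:
    name: str
    aces: dict[int, Ace] = field(default_factory=dict)
    logged: list[str] = field(default_factory=list)

    def add(self, ace: Ace) -> None:
        # Like typing "<seq> permit|deny ..." in named ACL config mode: the ACE
        # lands at its sequence number, so entry order does not matter and no
        # rebuild of the list is needed to insert before an existing line.
        self.aces[ace.seq] = ace

    def evaluate(self, pkt: dict) -> str:
        # First match wins, in sequence-number order; anything unmatched hits
        # the implicit "deny any" at the end of every ACL.
        for seq in sorted(self.aces):
            ace = self.aces[seq]
            if ace.matches(pkt):
                if ace.log:
                    self.logged.append(f"{self.name} seq {seq} {ace.action} "
                                       f"{pkt['src']} -> {pkt['dst']}")
                return ace.action
        return "deny"

    def show(self) -> list[str]:
        """Sequence-ordered listing, in the spirit of 'show access-list'."""
        return [f"{seq} {a.action} {a.proto} {a.src} {a.src_wc}"
                for seq, a in sorted(self.aces.items())]


def build_inside_in() -> NamedAcl:
    """Step 1: 10 permit 10.1.1.0 0.0.0.255 / 500 deny any log."""
    acl = NamedAcl("INSIDE_IN")
    acl.add(Ace(10, "permit", src="10.1.1.0", src_wc=wildcard_from_prefix(24)))
    acl.add(Ace(500, "deny", log=True))
    return acl


def build_outside_in() -> NamedAcl:
    """Step 2: 10 deny ip host 71.23.44.50 any / 20 deny tcp host 204.221.190.5 any eq www / 500 permit ip any any."""
    acl = NamedAcl("OUTSIDE_IN")
    acl.add(Ace(10, "deny", src="71.23.44.50", src_wc="0.0.0.0"))
    acl.add(Ace(20, "deny", proto="tcp", src="204.221.190.5", src_wc="0.0.0.0", dport=80))
    acl.add(Ace(500, "permit"))
    return acl


if __name__ == "__main__":
    inside = build_inside_in()
    # Constructed packets: one inside host, one spoofed/foreign source.
    print(inside.evaluate({"proto": "tcp", "src": "10.1.1.5", "dst": "8.8.8.8", "dport": 443}))
    print(inside.evaluate({"proto": "ip", "src": "192.168.1.1", "dst": "8.8.8.8"}), inside.logged)
    # Insert a new line *before* line 10 without touching the rest of the list.
    inside.add(Ace(5, "deny", src="10.1.1.99", src_wc="0.0.0.0", log=True))
    print("\n".join(inside.show()))
```

The `add` method is the whole point of sequence numbers: the entry typed last (line 5) is evaluated first, which is exactly what the IOS "<seq> permit|deny" syntax gives you, whereas a numbered ACL would have required removing and re-entering the list. Logging on the explicit deny gives you a record of what the ACL is dropping, which is what the lab's "500 deny any log" achieves on the router.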
© Copyright 2009-2017 Free CCNA Workbook All Rights Reserved.