10.1 Access Lists
10.1.2 Named access list syntax
In addition to numbered access lists, the Cisco IOS enables you to create IP access lists by name. Named access lists enable you to configure more IP access lists in a router than if you were to use numbered access lists. Another advantage of named lists is that you can use no permit and no deny commands to remove individual entries from the list. Currently, only packet and route filters can use named lists.

You should consider the following before configuring named access lists:

  • Named access lists are not compatible with older releases of IOS software.
  • Not all access lists that accept a number will accept a name. Currently, only access lists for packet filters and route filters on interfaces can use a name.
  • A standard access list and an extended access list cannot have the same name.

If you identify an access list with a name, the mode and command syntax are slightly different from those used with a numbered list. To configure a standard named list, follow these steps:

  1. Define a standard IP access list by using a name:

    router(config)# ip access-list standard name

  2. In access-list configuration mode, specify one or more conditions allowed or denied, which determine whether the packet is passed or dropped:

    router(config-std-nacl)# {deny | permit} {source [source-wildcard] | any} [log]

  3. Exit access-list configuration mode:

    router(config-std-nacl)# exit

The process is similar for extended named access lists:

  1. Define an extended IP access list by using a name (but remember not to duplicate a standard list's name):

    router(config)# ip access-list extended name

  2. In access-list configuration mode, specify one or more conditions allowed or denied, which determine whether the packet is passed or dropped:

    router(config-ext-nacl)# {deny | permit} protocol source source-wildcard
    destination destination-wildcard [precedence precedence] [tos tos]
    [established] [log] [time-range time-range-name]

  3. Exit the access-list configuration mode:

    router(config-ext-nacl)# exit

Note: Named access lists will not be recognized by any software release prior to Cisco IOS Release 11.2.

In the example shown in the figure, these steps are used to create an extended named access list for a router called RTA.

Interactive Lab Activity
  In this lab, you will configure the SanJose1 router to allow traffic on TCP port 80 (web traffic) only.

You will first create a named access list that will permit web traffic from any source from the Internet to the destination 192.168.1.0/24 network, but deny all other IP services.

In interface configuration mode, you will apply the named access list to interface Serial 0/0.
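
The lab configuration described above, written out as an added example that is not part of the original course material. The list name WEB-ONLY and the inbound direction on Serial 0/0 are assumptions; the `eq 80` port match is standard IOS syntax that the syntax summary above does not show. It also uses the `no permit` form to remove a single entry, the advantage of named lists noted at the start of this section.

```cisco
! Constructed example. WEB-ONLY and the inbound direction are assumptions.
SanJose1# configure terminal
SanJose1(config)# ip access-list extended WEB-ONLY
! First attempt is too broad: it permits web traffic to any destination.
SanJose1(config-ext-nacl)# permit tcp any any eq 80
! Named lists allow removing that single entry without deleting the list.
SanJose1(config-ext-nacl)# no permit tcp any any eq 80
! Web traffic from any source to 192.168.1.0/24 (wildcard 0.0.0.255).
SanJose1(config-ext-nacl)# permit tcp any 192.168.1.0 0.0.0.255 eq 80
! Entries are evaluated in the order entered, so the catch-all deny goes last.
! An implicit deny already ends every list; the explicit entry adds logging.
SanJose1(config-ext-nacl)# deny ip any any log
SanJose1(config-ext-nacl)# exit
! Apply the list to traffic arriving on Serial 0/0.
SanJose1(config)# interface Serial 0/0
SanJose1(config-if)# ip access-group WEB-ONLY in
SanJose1(config-if)# end
! Verify the entries and match counters, and that the list is bound inbound.
SanJose1# show access-lists WEB-ONLY
SanJose1# show ip interface Serial 0/0
```

Because the only permit matches destination port 80, replies to sessions opened from inside 192.168.1.0/24 are also dropped when they arrive on this interface.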