In addition to numbered access lists, the Cisco IOS enables you to create IP access lists by name. Named access lists enable you to configure more IP access lists in a router than if you were to use numbered access lists. Another advantage of named lists is that you can use the no permit and no deny commands to remove individual entries from the list. Currently, only packet and route filters can use named lists.
You should consider the following before configuring named access lists:
- Named access lists are not compatible with older releases of IOS software.
- Not all access lists that accept a number will accept a name. Currently, only access lists for packet filters and route filters on interfaces can use a name.
- A standard access list and an extended access list cannot have the same name.
If you identify an access list with a name, the mode and command syntax are slightly different from those used with a numbered list. To configure a standard named list, follow these steps:
- Define a standard IP access list by using a name:
  router(config)# ip access-list standard name
- In access-list configuration mode, specify one or more conditions allowed or denied, which determine whether the packet is passed or dropped:
  router(config-std-nacl)# {deny | permit} {source [source-wildcard] | any} [log]
- Exit access-list configuration mode:
  router(config-std-nacl)# exit
The process is similar for extended named access lists:
- Define an extended IP access list by using a name (but remember not to duplicate a standard list's name):
  router(config)# ip access-list extended name
- In access-list configuration mode, specify one or more conditions allowed or denied, which determine whether the packet is passed or dropped:
  router(config-ext-nacl)# {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [established] [log] [time-range time-range-name]
- Exit access-list configuration mode:
  router(config-ext-nacl)# exit
Note: Named access lists will not be recognized by any software release prior to Cisco IOS Release 11.2.
In the example shown in the figure, these steps are used to create an extended named access list for a router called RTA.
Interactive Lab Activity
In this lab, you will configure the SanJose1 router to allow traffic on TCP port 80 (web traffic) only. You will first create a named access list that will permit web traffic from any source on the Internet to the destination 192.168.1.0/24 network, but deny all other IP services. In interface configuration mode, you will apply the named access list to interface Serial 0/0.
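As an added example (not the lab's own solution or the figure for RTA), the extended named-list steps above carried through for the SanJose1 lab scenario. The list name WEB-ONLY, the inbound direction on Serial 0/0, and the explicit logged deny are assumptions the page does not state.

```cisco
! Added example for the SanJose1 lab; list name, direction and the explicit
! logged deny are assumptions, not part of the lab text.
SanJose1(config)# ip access-list extended WEB-ONLY
! Permit web traffic (TCP port 80) from any Internet source to 192.168.1.0/24.
! IOS displays "eq 80" as "eq www" in show output.
SanJose1(config-ext-nacl)# permit tcp any 192.168.1.0 0.0.0.255 eq 80
! The implicit deny at the end of every list would drop everything else silently;
! an explicit logged deny additionally gives hit counters and syslog entries
! for the rejected traffic, which is what you want when reviewing the filter.
SanJose1(config-ext-nacl)# deny ip any any log
SanJose1(config-ext-nacl)# exit
! Apply the list to the Internet-facing interface, filtering inbound packets.
SanJose1(config)# interface serial 0/0
SanJose1(config-if)# ip access-group WEB-ONLY in
SanJose1(config-if)# end
! Verify the entries and their match counters.
SanJose1# show ip access-lists WEB-ONLY
! The named-list advantage described above: one entry can be removed with the
! no form of the exact line, without deleting and rebuilding the whole list.
SanJose1(config)# ip access-list extended WEB-ONLY
SanJose1(config-ext-nacl)# no deny ip any any log
```

Because the list is applied inbound only, replies leaving 192.168.1.0/24 toward the Internet are not filtered by it; any other inbound service (DNS, ICMP, SSH) is dropped and logged, which matches the lab requirement of permitting web traffic only.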