Certified Router Support Professional Named IP Access Lists

Named IP Access Lists

Named IP ACLs were introduced in Cisco IOS Software Release 11.2. They allow standard and extended ACLs to be identified by a name instead of a number.

This is the command syntax format for IP named ACLs.

ip access-list {extended|standard} name

This is the syntax of a TCP entry in an extended named ACL:

{permit|deny} tcp source source-wildcard [operator [port]]
destination destination-wildcard [operator [port]] [established]
[precedence precedence] [tos tos] [log] [time-range time-range-name]

This example uses a named ACL to block all traffic except the Telnet connection from host 10.1.1.2 to host 172.16.1.1; every other packet falls through to the implicit deny at the end of the list.

interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0
ip access-group in_to_out in

ip access-list extended in_to_out
permit tcp host 10.1.1.2 host 172.16.1.1 eq telnet

Named ACLs, introduced with IOS version 11.2, can match the same packets, with the same parameters, as standard and extended IP ACLs. Named IP ACLs do have some differences, however, and some of them make named ACLs easier to work with. The most obvious difference is that IOS identifies a named ACL by a name you choose rather than by a number, and a descriptive name is easier to remember than a number.

The other major advantage of named ACLs over numbered ACLs, at the time they were introduced into IOS, was that you could delete individual lines in a named IP access list. Throughout the history of numbered IP ACLs and the access-list global command, until the introduction of IOS 12.3, a single line in a numbered ACL could not be deleted: if you tried to remove a single line, the whole ACL was deleted. This is no longer the case as of IOS 12.3.

One key difference is that named access lists use a global command that places the user in a named IP access list submode, under which the matching and permit/deny logic is configured.  The other difference is that when a named matching statement is deleted, only that one statement is deleted.

The ip access-list extended name command creates a named ACL and drops you into ACL configuration mode. The ACL is then built from permit/deny lines that use exactly the same syntax as the numbered access-list commands.
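To make the matching and deletion behaviour described above concrete, here is an added Python model of a named extended ACL. It is not IOS code and not part of the original page; it implements only the subset `{permit|deny} {ip|tcp|udp} SRC DST [eq PORT]` (with `any`, `host A.B.C.D`, or `A.B.C.D WILDCARD` for addresses), uses IOS wildcard-mask semantics and first-match evaluation with the implicit deny, and models `no <entry>` in the named-ACL submode as removing just that one entry. The `in_to_out` list is the page's own example; the `10.1.1.0 0.0.0.255` entry, the port-name table and the sample packets are constructed for the demonstration.

```python
import ipaddress

# Constructed, minimal port-name table; IOS knows many more keywords.
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "https": 443, "domain": 53}


def wildcard_match(addr, net, wild):
    """IOS wildcard-mask semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    return (addr ^ net) & (~wild & 0xFFFFFFFF) == 0


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' at tokens[i]; return (net, wild, next_i)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    return (int(ipaddress.IPv4Address(tokens[i])),
            int(ipaddress.IPv4Address(tokens[i + 1])), i + 2)


def parse_ace(line):
    """Parse one entry of the subset '{permit|deny} {ip|tcp|udp} SRC DST [eq PORT]'."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp"):
        raise ValueError(f"unsupported entry: {line!r}")
    src_net, src_wild, i = _parse_addr(tokens, 2)
    dst_net, dst_wild, i = _parse_addr(tokens, i)
    dst_port = None
    if i < len(tokens) and tokens[i] == "eq":
        dst_port = PORT_NAMES.get(tokens[i + 1])
        if dst_port is None:
            dst_port = int(tokens[i + 1])  # unknown keyword -> ValueError
        i += 2
    if i != len(tokens):
        raise ValueError(f"trailing tokens in entry: {line!r}")
    return {"action": action, "proto": proto, "src": (src_net, src_wild),
            "dst": (dst_net, dst_wild), "dst_port": dst_port, "text": " ".join(tokens)}


class NamedAcl:
    """Model of the 'ip access-list extended NAME' submode: ordered entries, first match wins."""

    def __init__(self, name):
        self.name = name
        self.entries = []

    def add(self, line):
        self.entries.append(parse_ace(line))

    def remove(self, line):
        """'no <entry>' deletes only that entry; returns how many entries were removed."""
        target = " ".join(line.split())
        kept = [e for e in self.entries if e["text"] != target]
        removed = len(self.entries) - len(kept)
        self.entries = kept
        return removed

    def render(self):
        """Configuration text as it appears under 'ip access-list extended NAME'."""
        return "\n".join([f"ip access-list extended {self.name}"]
                         + [" " + e["text"] for e in self.entries])

    def evaluate(self, proto, src, dst, dst_port=None):
        """Return 'permit' or 'deny' for a packet; no match hits the implicit deny."""
        s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
        for e in self.entries:
            if e["proto"] != "ip" and e["proto"] != proto:
                continue
            if not wildcard_match(s, *e["src"]) or not wildcard_match(d, *e["dst"]):
                continue
            if e["dst_port"] is not None and e["dst_port"] != dst_port:
                continue
            return e["action"]
        return "deny"  # implicit 'deny ip any any' at the end of every IOS ACL


def page_example():
    """The page's in_to_out list: only Telnet from 10.1.1.2 to 172.16.1.1 is allowed."""
    acl = NamedAcl("in_to_out")
    acl.add("permit tcp host 10.1.1.2 host 172.16.1.1 eq telnet")
    return acl


def deletion_example():
    """Add a broader (constructed) subnet entry, then delete it alone; the first entry survives."""
    acl = page_example()
    acl.add("permit ip 10.1.1.0 0.0.0.255 any")
    before = acl.evaluate("icmp", "10.1.1.77", "192.0.2.9")   # permit via the subnet entry
    removed = acl.remove("permit ip 10.1.1.0 0.0.0.255 any")
    after = acl.evaluate("icmp", "10.1.1.77", "192.0.2.9")    # deny: implicit deny again
    return before, removed, after, len(acl.entries)


if __name__ == "__main__":
    acl = page_example()
    print(acl.render())
    print(acl.evaluate("tcp", "10.1.1.2", "172.16.1.1", 23))  # permit
    print(acl.evaluate("tcp", "10.1.1.2", "172.16.1.1", 22))  # deny
    print(deletion_example())
```

Running the script prints the rendered list, a permit for the Telnet packet, a deny for an SSH packet from the same host, and the tuple `('permit', 1, 'deny', 1)` from the deletion walk-through, which shows that removing one entry leaves the other in place, the behaviour the text credits to named ACLs.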
