Using named access lists

From Internetworkpro

This page or section provides device configuration instructions
Please note that the information on this page has not been checked for accuracy and is not intended as a replacement to documentation. Please ensure you understand your desired objectives before attempting to apply any examples listed.
Before named access lists were available in IOS, access lists were built linearly: each new statement was appended after the previous one. If you wanted to remove or add a line anywhere other than at the bottom, removing the entire ACL and then re-applying it was necessary.

Enter IOS 11.2. We can now specify a name for our ACLs, which both documents their purpose and avoids the 100 or 200 ACL limit imposed by numbering. In addition, we now have a sub-configuration mode for editing our ACLs, which allows finer control, including removing lines and adding lines anywhere within the access list.

To use a named access list, first determine the type of ACL. The old method was to use numbers 0-99 for IP standard, 100-199 for IP extended, and so on. Since we are using names instead of numbers, we need to specify the type in the declaration of the ACL:

Router(config)# ip access-list extended myNewACL 

Once in the sub-configuration mode, we can enter our permit or deny lines:

Router(config-ext-nacl)# permit tcp any host 192.168.1.101 eq 80
Router(config-ext-nacl)# permit tcp any host 192.168.1.101 eq 22
Router(config-ext-nacl)# permit tcp any host 192.168.1.105 eq 22

*INCOMPLETE*

A common misconception about numbered access-lists is that removing entries within an access-list is not possible without first removing the access-list, editing it offline, and then reconfiguring it. By leveraging the named access-list syntax, one can remove entries without a problem. A numbered access-list is really a named access-list whose name happens to be a number, like naming that woman from Star Trek Seven.

exe-branto-sw-01#show access-lists

exe-branto-sw-01#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
exe-branto-sw-01(config)#access-list 10 permit 192.168.0.0 0.0.0.255
exe-branto-sw-01(config)#access-list 10 permit 192.168.1.0 0.0.0.255
exe-branto-sw-01(config)#access-list 10 permit 192.168.2.0 0.0.0.255
exe-branto-sw-01(config)#access-list 10 permit 192.168.3.0 0.0.0.255
exe-branto-sw-01(config)#^Z
exe-branto-sw-01#show access-lists
Standard IP access list 10
    10 permit 192.168.0.0, wildcard bits 0.0.0.255
    20 permit 192.168.1.0, wildcard bits 0.0.0.255
    30 permit 192.168.2.0, wildcard bits 0.0.0.255
    40 permit 192.168.3.0, wildcard bits 0.0.0.255
exe-branto-sw-01#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
exe-branto-sw-01(config)#ip access-list standard 10
exe-branto-sw-01(config-std-nacl)#no permit 192.168.1.0 0.0.0.255
exe-branto-sw-01(config-std-nacl)#^Z
exe-branto-sw-01#show access-lists
Standard IP access list 10
    10 permit 192.168.0.0, wildcard bits 0.0.0.255
    30 permit 192.168.2.0, wildcard bits 0.0.0.255
    40 permit 192.168.3.0, wildcard bits 0.0.0.255
exe-branto-sw-01#

Note that although this version of IOS also includes the BASIC-like ability to remove lines of an ACL by specifying the sequence number, you do not need that feature: as long as your IOS version supports named access-lists, you will be able to remove entries in place as shown above.
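As an added example (not part of the original page), the following Python script parses the `show access-lists` output shown above and produces the named-ACL sub-configuration commands needed to reach a desired rule set, removing the 192.168.1.0 entry in place exactly as the session does rather than deleting and re-creating ACL 10. The function names and the sample output string are my own constructions.

```python
import re

# Constructed sample: the 'show access-lists' output from the session above,
# after the four entries of standard ACL 10 were configured.
SHOW_ACL_OUTPUT = """\
Standard IP access list 10
    10 permit 192.168.0.0, wildcard bits 0.0.0.255
    20 permit 192.168.1.0, wildcard bits 0.0.0.255
    30 permit 192.168.2.0, wildcard bits 0.0.0.255
    40 permit 192.168.3.0, wildcard bits 0.0.0.255
"""

HEADER_RE = re.compile(r"^Standard IP access list (?P<name>\S+)$")
# One entry line: sequence number, action, address, optional wildcard,
# optional hit counter such as "(5 matches)" that busy devices append.
ENTRY_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<addr>\S+?)"
    r"(?:,\s+wildcard bits\s+(?P<wc>\S+))?(?:\s+\(\d+ match(?:es)?\))?\s*$"
)


def parse_standard_acl(text):
    """Return (acl_name, [(seq, 'permit addr wildcard'), ...]) from show output."""
    name, entries = None, []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            name = m.group("name")
            continue
        m = ENTRY_RE.match(line)
        if m and name is not None:
            rule = f"{m['action']} {m['addr']}"
            if m["wc"]:
                rule += f" {m['wc']}"
            entries.append((int(m["seq"]), rule))
    return name, entries


def acl_edit_commands(show_output, desired_rules):
    """Commands that move the running ACL to desired_rules in place.

    Removals use the named-ACL sub-config 'no <rule>' form from the page, so
    the ACL is never deleted and re-created: an access-group that references
    a missing ACL filters nothing until the ACL exists again.
    """
    name, current = parse_standard_acl(show_output)
    current_rules = [rule for _, rule in current]
    cmds = [f"ip access-list standard {name}"]
    cmds += [f"no {rule}" for rule in current_rules if rule not in desired_rules]
    cmds += [rule for rule in desired_rules if rule not in current_rules]
    return cmds
```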
