19.4 Configuring Named ACLs
Section 19: Implementing Traffic Filtering with ACLs

With numbered ACLs, if you attempt to remove a single line by using the no directive, it deletes the entire ACL! For that reason, a network administrator usually copies the entire numbered ACL into a text editor, makes the changes, deletes the old ACL, and pastes the new one back in. There is a better way: named ACLs.

Named ACLs feature a concept called sequence numbers. The sequence numbers are created automatically, and individual ACEs in an ACL can be removed without deleting the entire ACL. The ACL configuration mode is used to configure a named ACL:

    Branch(config)#ip access-list extended WEB_ONLY
    Branch(config-ext-nacl)#permit tcp 10.1.1.0 0.0.0.255 any eq www
    Branch(config-ext-nacl)#20 permit tcp 10.1.1.0 0.0.0.255 any eq

The alphanumeric name string (WEB_ONLY in the example) must be unique among the named IP ACLs on a given router. If sequence numbers are not configured, they are generated automatically, starting at 10 and incrementing by 10. The command no 10 removes the entry with sequence number 10 from the named ACL; in this example, that deletes the first entry in the ACL.

Named ACLs are activated on an interface with the ip access-group command, the same command that is used for numbered ACLs:

    Branch(config-if)#ip access-group WEB_ONLY in

Naming an ACL makes it easier to understand its function. For example, an ACL to deny FTP access could be named NO_FTP. When you identify your ACL with a name instead of a number, the configuration mode and command syntax are slightly different. The access-list configuration mode is used to define named ACLs. To enter this mode, use the ip access-list command. Numbered ACLs can also be defined by using the access-list configuration mode; you just specify an ACL number instead of a unique name.

The command output shows the commands that are used to configure an extended ACL named WEB_ONLY on the branch router. The ACL permits traffic from hosts on the 10.1.1.0/24 network that is traveling to the HTTP and HTTPS ports. Capitalizing ACL names is not required, but it makes them stand out when you view the running configuration output.

    Branch#show access-lists
    Extended IP access list WEB_ONLY
        10 permit tcp 10.1.1.0 0.0.0.255 any eq www
        20 permit tcp 10.1.1.0 0.0.0.255 any eq 443
    Branch#configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    Branch(config)#ip access-list extended WEB_ONLY
    Branch(config-ext-nacl)#5 deny ip host 10.1.1.25 any
    Branch(config-ext-nacl)#end
    Branch#show access-lists
    Extended IP access list WEB_ONLY
        5 deny ip host 10.1.1.25 any
        10 permit tcp 10.1.1.0 0.0.0.255 any eq www
        20 permit tcp 10.1.1.0 0.0.0.255 any eq 443

Named IP ACLs allow you to add, modify, or delete individual entries in a specific ACL. You can use sequence numbers to insert statements anywhere in the named ACL. When statements are added to the ACL without a sequence number, the default increment is 10. The command output shows an additional entry numbered 5 in the WEB_ONLY ACL, which is inserted in front of line 10.

A reload will change the sequence numbers in the ACL: after the reload, the sequence numbers will be 10, 20, and 30 instead of 5, 10, and 20. Use the access-list resequence command to renumber the entries in an ACL without having to reload.
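As an added example that is not part of the course material, the following Python model of the sequence-number behaviour described above lets you check how inserting, removing and resequencing entries changes which traffic WEB_ONLY permits. The class and function names are hypothetical, and source addresses are written in CIDR form rather than the IOS address-plus-wildcard form.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Ace:
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" (any protocol) or "tcp"
    src: ipaddress.IPv4Network   # CIDR here; IOS uses address + wildcard mask
    dst_port: Optional[int]      # None = any destination port

class NamedAcl:
    """Model of IOS named-ACL sequence-number behaviour (hypothetical, not IOS code)."""
    def __init__(self, name):
        self.name, self.aces = name, []

    def add(self, action, proto, src, dst_port=None, seq=None):
        # No explicit sequence number: IOS appends at last + 10 (10, 20, 30, ...).
        if seq is None:
            seq = self.aces[-1].seq + 10 if self.aces else 10
        if any(a.seq == seq for a in self.aces):
            raise ValueError(f"sequence {seq} already in use in {self.name}")
        self.aces.append(Ace(seq, action, proto, ipaddress.ip_network(src), dst_port))
        self.aces.sort(key=lambda a: a.seq)  # an explicit seq may land before existing lines

    def remove(self, seq):
        # "no <seq>" in ACL configuration mode removes only that ACE, not the whole ACL.
        self.aces = [a for a in self.aces if a.seq != seq]

    def resequence(self, start=10, step=10):
        # What "access-list resequence" (or a reload) does: renumber as 10, 20, 30, ...
        for i, a in enumerate(self.aces):
            a.seq = start + i * step

    def evaluate(self, src_ip, proto, dst_port):
        # ACEs are checked in sequence order; first match wins; implicit deny at the end.
        ip = ipaddress.ip_address(src_ip)
        for a in self.aces:
            if ip in a.src and a.proto in ("ip", proto) and a.dst_port in (None, dst_port):
                return a.action
        return "deny"

def web_only_example():
    # Rebuilds the page's WEB_ONLY ACL: two auto-numbered permits, then a deny inserted at 5.
    acl = NamedAcl("WEB_ONLY")
    acl.add("permit", "tcp", "10.1.1.0/24", 80)    # becomes sequence 10 (eq www)
    acl.add("permit", "tcp", "10.1.1.0/24", 443)   # becomes sequence 20
    acl.add("deny", "ip", "10.1.1.25/32", seq=5)   # inserted in front of line 10
    return acl
```

Removing sequence 10 with this model shows the practical point of named ACLs: only the HTTP permit disappears, while the host deny and the HTTPS permit stay in effect.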