Remove named access list Cisco

Let's say I have an access-list 1 with 5 permits, and I would like to delete the third permit listing. I know that I can simply do "no 30".

However, can I confirm that I can use the no access-list 1 permit host 192.168.1.1 command in global configuration mode? Or the no access-list 1 global configuration command, and then re-enter the other 4 access-list entries?

3

The named ACL feature allows you to identify standard and extended IP ACLs with an alphanumeric string [name] instead of the current numeric representations.

Named IP ACLs allow you to delete individual entries in a specific ACL. If you are using Cisco IOS Release 12.3, you can use sequence numbers to insert statements anywhere in the named ACL. If you are using a software version earlier than Cisco IOS Release 12.3, you can insert statements only at the bottom of the named ACL.

Because you can delete individual entries with named ACLs, you can modify your ACL without having to delete and then reconfigure the entire ACL. Use named IP ACLs when you want to intuitively identify ACLs.

Creating Named Standard IP ACLs

The following list shows the steps that are required to configure and apply a named standard IP ACL on a router:

Step 1 Define a standard named IPv4 ACL. Use the ip access-list standard global configuration command.

RouterX(config)# ip access-list standard name

Define the list using a unique name. A descriptive name can be helpful when examining the configuration of the router.

Step 2 Enter one of the following commands to establish test parameters:

RouterX(config-std-nacl)# [sequence-number] deny {source [source-wildcard] | any}

RouterX(config-std-nacl)# [sequence-number] permit {source [source-wildcard] | any}

In access list configuration mode, specify one or more conditions permitted or denied. This determines whether the packet is passed or dropped. You can also use the sequence number to place the test parameter in a specific location within the list.

Step 3 Exit from named access list configuration mode:

RouterX(config-std-nacl)# exit
RouterX(config)#

Step 4 Select a desired interface to be configured. Use the interface global configuration command:

RouterX(config)# interface ethernet 0

After you enter the interface command, the CLI prompt changes from (config)# to (config-if)#.

Step 5 Link the IPv4 ACL to an interface. Use the ip access-group interface configuration command:

RouterX(config-if)# ip access-group 101 in

Use the show ip interface command to verify that an IP ACL is applied to the interface.

Creating Named Extended IP ACLs

The steps required to configure and apply a named extended IP ACL on a router are as follows:

Step 1 Define an extended named IPv4 ACL. Use the ip access-list extended global configuration command.

RouterX(config)# ip access-list extended name

Define the list using a unique name. A descriptive name can be helpful when examining the configuration of the router.

Step 2 Enter the following command syntax to establish test parameters:

RouterX(config-ext-nacl)# [sequence-number] {deny | permit} protocol source source-wildcard destination destination-wildcard [option]

In access list configuration mode, specify the conditions allowed or denied.

You can use the keyword any to abbreviate an address of 0.0.0.0 with a wildcard mask of 255.255.255.255 for the source address, destination address, or both. You can use the keyword host to abbreviate a wildcard mask of 0.0.0.0 for the source address or destination address. Place the keyword host in front of the address.

Step 3 Exit from named access list configuration mode:

RouterX(config-ext-nacl)# exit
RouterX(config)#

Step 4 Select a desired interface to be configured. Use the interface global configuration command:

RouterX(config)# interface ethernet 0

After you enter the interface command, the CLI prompt changes from (config)# to (config-if)#.

Step 5 Link the extended IPv4 ACL to an interface. Use the ip access-group interface configuration command:

RouterX(config-if)# ip access-group 101 in

Use the show ip interface command to verify that an IP ACL is applied to the interface.

You can take advantage of the sequence numbers in a named access list to add specific entries within an existing list. In Example 6-9, a new entry is added to a specified location within the access list.

Example 6-9 Confirming Added Entries to an Existing Access List

RouterX# show ip access-list
Standard IP access list MARKETING
    2 permit 10.4.4.2, wildcard bits 0.255.255.255
    5 permit 10.0.0.44, wildcard bits 0.0.0.255
    10 permit 10.0.0.1, wildcard bits 0.0.0.255
    20 permit 10.0.0.2, wildcard bits 0.0.0.255
RouterX(config)# ip access-list standard MARKETING
RouterX(config-std-nacl)# 15 permit 10.5.5.5 0.0.0.255
RouterX# show ip access-list
Standard IP access list MARKETING
    2 permit 10.4.4.2, wildcard bits 0.255.255.255
    5 permit 10.0.0.44, wildcard bits 0.0.0.255
    10 permit 10.0.0.1, wildcard bits 0.0.0.255
    15 permit 10.5.5.5, wildcard bits 0.0.0.255
    20 permit 10.0.0.2, wildcard bits 0.0.0.255

Using the number of a standard access list as the name, you can also use this feature to place an entry in a specific location of a numbered access list. In Example 6-10, a new entry is added to a specified access list.

Example 6-10 Placing an Entry in a Numbered List Using the Name Function

RouterX# show ip access-list
Standard IP access list 1
    2 permit 10.4.4.2, wildcard bits 0.255.255.255
    5 permit 10.0.0.44, wildcard bits 0.0.0.255
    10 permit 10.0.0.1, wildcard bits 0.0.0.255
    20 permit 10.0.0.2, wildcard bits 0.0.0.255
RouterX(config)# ip access-list standard 1
RouterX(config-std-nacl)# 15 permit 10.5.5.5 0.0.0.255
RouterX(config-std-nacl)# end
RouterX# show ip access-list
Standard IP access list 1
    2 permit 10.4.4.2, wildcard bits 0.255.255.255
    5 permit 10.0.0.44, wildcard bits 0.0.0.255
    10 permit 10.0.0.1, wildcard bits 0.0.0.255
    15 permit 10.5.5.5, wildcard bits 0.0.0.255
    20 permit 10.0.0.2, wildcard bits 0.0.0.255

Named Extended ACL: Deny a Single Host from a Given Subnet

For the network shown in Figure 6-19, you want to create a list named "troublemaker" to prevent traffic that originates from the host 172.16.4.13 from traveling out Ethernet interface E0.

Figure 6-19 Named Extended ACL Denying a Single Host (figure not reproduced: subnets 172.16.3.0 and 172.16.4.0, router interfaces E0 and E1, host 172.16.4.13 on the 172.16.4.0 subnet)

The configuration in Example 6-11 provides a solution for this example.

Example 6-11 Access List Preventing Traffic from a Specific Host

RouterX(config)# ip access-list standard troublemaker
RouterX(config-std-nacl)# deny host 172.16.4.13
RouterX(config-std-nacl)# permit 172.16.4.0 0.0.0.255
RouterX(config-std-nacl)# interface e0
RouterX(config-if)# ip access-group troublemaker out

Table 6-10 describes the command syntax that is presented in Example 6-11.

Table 6-10 Named Extended IPv4 ACL Example Denying a Single Host

access-list Command Parameter     Description
standard                          Indicates that the named ACL is a standard ACL
troublemaker                      Name of the ACL
deny                              Indicates that traffic that matches the selected parameters is not forwarded
host 172.16.4.13                  Source IP address; "host" indicates a wildcard mask of 0.0.0.0
permit                            Indicates that traffic that matches the selected parameters is forwarded
172.16.4.0 0.0.0.255              Source IP address and mask; the first three octets must match but not the last octet
ip access-group troublemaker out  Links ACL "troublemaker" to interface E0 as an output filter
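To show why sequence order matters when you insert entries (Examples 6-9 and 6-10) or delete one with "no <seq>" (the question above), here is an added Python model of standard-ACL evaluation; it is not Cisco code and not from the original post. It replays the MARKETING insert and the troublemaker list of Example 6-11, assuming the default sequence numbers 10 and 20 that IOS assigns when none are typed.

```python
import ipaddress

# Assumed, simplified model of IOS standard-ACL matching; not Cisco code.

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is ignored."""
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return a & care == b & care

class StandardAcl:
    def __init__(self):
        self.entries = {}                  # seq -> (action, source, wildcard)

    def add(self, seq, action, source, wildcard="0.0.0.0"):
        # 'host x' is x with wildcard 0.0.0.0 (the default); 'any' is 0.0.0.0 255.255.255.255
        if source == "any":
            source, wildcard = "0.0.0.0", "255.255.255.255"
        self.entries[seq] = (action, source, wildcard)

    def remove(self, seq):
        # The 'no <seq>' command in access-list configuration mode
        del self.entries[seq]

    def evaluate(self, src):
        # Entries are tried in sequence order; first match wins, else implicit deny
        for seq in sorted(self.entries):
            action, source, wildcard = self.entries[seq]
            if wildcard_match(src, source, wildcard):
                return action, seq
        return "deny", None

def marketing_demo():
    """Example 6-9 list, then the '15 permit 10.5.5.5 0.0.0.255' insert."""
    acl = StandardAcl()
    for seq, src, wc in [(2, "10.4.4.2", "0.255.255.255"), (5, "10.0.0.44", "0.0.0.255"),
                         (10, "10.0.0.1", "0.0.0.255"), (20, "10.0.0.2", "0.0.0.255")]:
        acl.add(seq, "permit", src, wc)
    acl.add(15, "permit", "10.5.5.5", "0.0.0.255")
    # Entry 2 already covers all of 10.0.0.0/8, so the new entry 15 can never match.
    return sorted(acl.entries), acl.evaluate("10.5.5.9")

def troublemaker_demo():
    """Example 6-11 list; removing the deny with 'no 10' flips the host's verdict."""
    acl = StandardAcl()
    acl.add(10, "deny", "172.16.4.13")                 # deny host 172.16.4.13
    acl.add(20, "permit", "172.16.4.0", "0.0.0.255")   # permit 172.16.4.0 0.0.0.255
    before = [acl.evaluate(ip) for ip in ("172.16.4.13", "172.16.4.99", "172.16.3.1")]
    acl.remove(10)
    return before, acl.evaluate("172.16.4.13")
```

With the Example 6-9 values, entry 2 (10.4.4.2 with wildcard 0.255.255.255) already matches every 10.x.x.x source, so the inserted entry 15 is shadowed; after any insert or deletion, re-read the ordered list with show ip access-list rather than trusting that the line was accepted.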

Named Extended ACL: Deny Telnet from a Subnet

Using Figure 6-19 again, this time you want to create a list named "badgroup" to prevent Telnet traffic that originates from the subnet 172.16.4.0/24 from traveling out Ethernet interface E0.

The configuration in Example 6-12 provides a solution.

Example 6-12 Access List Preventing Telnet Traffic from a Specific Subnet

RouterX(config)# ip access-list extended badgroup
RouterX(config-ext-nacl)# deny tcp 172.16.4.0 0.0.0.255 any eq 23
RouterX(config-ext-nacl)# permit ip any any
RouterX(config-ext-nacl)# interface e0
RouterX(config-if)# ip access-group badgroup out

Table 6-11 describes the command syntax that is presented in Example 6-12.

Table 6-11 Named Extended IPv4 ACL Example Denying Telnet from a Subnet

access-list Command Parameter     Description
extended                          Indicates that the named ACL is an extended ACL.
badgroup                          Name of the ACL.
deny                              Indicates that traffic that matches the selected parameters is not forwarded.
tcp                               Transport layer protocol.
172.16.4.0 0.0.0.255              Source IP address and mask; the first three octets must match but not the last octet.
any                               Match any destination IP address.
eq 23 or eq telnet                Destination port or application name. In this example, it specifies the well-known port number for Telnet, which is 23.
permit                            Indicates that traffic that matches the selected parameters is forwarded.
ip                                Network layer protocol.
any                               Keyword matching traffic to any source and destination.
ip access-group badgroup out      Links ACL "badgroup" to interface E0 as an output filter.
