Configuring Named Access Lists

20 Mar

Because of the numeric limitations of numbered standard and extended access lists, in IOS release 11.2, Cisco included a feature known as named access lists, which extend the numeric limit of numbered access lists. To configure a named access list, follow these steps:
1. Use the following configuration command to define a named access list:

ip access-list <standard | extended> name

The standard command option configures a standard access list and the extended command option configures an extended access list. The name parameter defines the name of the access list. The name of the access list cannot contain a space and must begin with a letter, not a number.

2. Use this command to define the filter rules for a standard named access list:

<deny | permit> source source-wildcard

Use this command to define the filter rules for an extended named access list:

<deny | permit> <protocol> <source source-wildcard> <destination destination-wildcard> [precedence precedence] [tos tos] [log]

The precedence, tos, and log parameters are optional; log records packets that match the rule.

3. Use the following command to select the input interface under which the access list will be applied:

interface <interface name> <interface number>

4. Use this command to bind the access list to the interface and to apply the filter to packets entering or exiting the interface:

ip access-group name {in | out}

At the beginning of “Immediate Solutions,” I started with a basic standard access list configuration. In Listing 7.1 and Listing 7.2, routers Raul and Chris were configured to provide packet filtering using standard numbered access lists. You can also configure routers to use named access lists to provide packet filtering. In Listing 7.15, Raul is configured to permit traffic from only the 192.168.20.0 network and deny traffic from all other networks. Router Chris will be configured in Listing 7.16 to permit traffic from only 192.168.40.0 and deny traffic from all other networks. Instead of using a standard numbered access list, this time I will use a standard named access list. Refer back to Figure 7.4 for a description of the network that will be used to configure the routers.

Listing 7.15: Named access list configuration of Raul.

hostname Raul
!
interface FastEthernet1/0
 ip address 192.168.10.2 255.255.255.0
 no ip directed-broadcast
 ip access-group permit-20 in
!
interface FastEthernet2/0
 ip address 192.168.40.1 255.255.255.0
 no ip directed-broadcast
!
interface FastEthernet3/0
 ip address 192.168.50.1 255.255.255.0
 no ip directed-broadcast
!
ip route 192.168.20.0 255.255.255.0 192.168.10.1
ip route 192.168.30.0 255.255.255.0 192.168.10.1
!
ip access-list standard permit-20
 permit 192.168.20.0 0.0.0.255
 deny any

Listing 7.16: Named access list configuration of Chris.

hostname Chris
!
interface FastEthernet0
 ip address 192.168.10.1 255.255.255.0
 no ip directed-broadcast
 ip access-group permit-40 in
!
interface Ethernet1
 ip address 192.168.20.1 255.255.255.0
 no ip directed-broadcast
!
interface FastEthernet1
 ip address 192.168.30.1 255.255.255.0
 no ip directed-broadcast
!
ip route 192.168.40.0 255.255.255.0 192.168.10.2
ip route 192.168.50.0 255.255.255.0 192.168.10.2
!
ip access-list standard permit-40
 permit 192.168.40.0 0.0.0.255
 deny any
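The two listings rely on three IOS behaviours that are easy to get wrong when writing a list by hand: a wildcard bit of 1 means "don't care", rules are evaluated top-down with the first match winning, and every list ends in an implicit deny whether or not you write deny any. The following Python model is an added example, not code from the book or from Cisco; it parses the ip access-list standard blocks from Listings 7.15 and 7.16 (plus a third, hypothetical list named mgmt-host that is constructed here to show the implicit deny), enforces the naming rule given in step 1, and evaluates source addresses the way the router would.

```python
"""Model of Cisco IOS standard named access lists (added example, not IOS code).

Parses ``ip access-list standard <name>`` blocks from a config excerpt,
enforces the naming rule from the text (starts with a letter, no spaces)
and evaluates source addresses with IOS semantics: wildcard bits set to 1
are ignored, rules are tried top-down, first match wins, and an unmatched
packet falls through to the implicit ``deny any`` at the end of the list.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Named-list rule from the text: must begin with a letter and contain no spaces.
NAME_RE = re.compile(r"^[A-Za-z]\S*$")


def validate_name(name: str) -> bool:
    """True if `name` is a legal named-ACL name under the rule stated in the text."""
    return NAME_RE.match(name) is not None


@dataclass
class Rule:
    action: str       # "permit" or "deny"
    network: int      # source network as a 32-bit integer
    wildcard: int     # wildcard bits: 1 = don't care, 0 = must match
    matches: int = 0  # hit counter, like the "(n matches)" shown by show access-lists

    def covers(self, src: int) -> bool:
        mask = 0xFFFFFFFF ^ self.wildcard          # the bits that must match exactly
        return (src & mask) == (self.network & mask)


@dataclass
class StandardAcl:
    name: str
    rules: list = field(default_factory=list)

    def evaluate(self, src: str) -> str:
        """Return "permit" or "deny" for a packet whose source address is `src`."""
        s = int(ipaddress.IPv4Address(src))
        for rule in self.rules:                    # top-down, first match wins
            if rule.covers(s):
                rule.matches += 1
                return rule.action
        return "deny"                              # implicit deny any


def _parse_source(tokens):
    """Translate the source spec of a standard-ACL rule into (network, wildcard)."""
    if tokens == ["any"]:                          # any == 0.0.0.0 255.255.255.255
        return 0, 0xFFFFFFFF
    if tokens[0] == "host":                        # host A.B.C.D == A.B.C.D 0.0.0.0
        return int(ipaddress.IPv4Address(tokens[1])), 0
    net = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1])) if len(tokens) > 1 else 0
    return net, wild


def parse_named_standard_acls(config: str) -> dict:
    """Collect every standard named ACL found in an IOS config excerpt."""
    acls = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        m = re.match(r"^ip access-list standard (\S+)$", line)
        if m:
            name = m.group(1)
            if not validate_name(name):
                raise ValueError(f"illegal access-list name: {name!r}")
            current = acls.setdefault(name, StandardAcl(name))
            continue
        m = re.match(r"^(permit|deny)\s+(.+)$", line)
        if m and current is not None:
            network, wildcard = _parse_source(m.group(2).split())
            current.rules.append(Rule(m.group(1), network, wildcard))
            continue
        current = None                             # any other command ends the block
    return acls


# Constructed excerpt: the ACLs from Listings 7.15 and 7.16 plus a hypothetical
# third list (mgmt-host) that relies on the implicit deny instead of "deny any".
SAMPLE_CONFIG = """\
ip access-list standard permit-20
 permit 192.168.20.0 0.0.0.255
 deny any
!
ip access-list standard permit-40
 permit 192.168.40.0 0.0.0.255
 deny any
!
ip access-list standard mgmt-host
 permit host 192.168.50.10
"""


def show_access_lists(acls: dict) -> str:
    """Render the lists in the spirit of IOS 'show access-lists', with hit counts."""
    out = []
    for acl in acls.values():
        out.append(f"Standard IP access list {acl.name}")
        for r in acl.rules:
            net, wild = ipaddress.IPv4Address(r.network), ipaddress.IPv4Address(r.wildcard)
            out.append(f"    {r.action} {net}, wildcard bits {wild} ({r.matches} matches)")
    return "\n".join(out)


if __name__ == "__main__":
    acls = parse_named_standard_acls(SAMPLE_CONFIG)
    for name, src in [("permit-20", "192.168.20.7"), ("permit-20", "192.168.30.7"),
                      ("mgmt-host", "192.168.50.10"), ("mgmt-host", "192.168.50.11")]:
        print(f"{name}: source {src} -> {acls[name].evaluate(src)}")
    print(show_access_lists(acls))
```

Evaluating 192.168.30.7 against permit-20 reaches the deny any line, while 192.168.50.11 against mgmt-host matches nothing and is still denied; the hit counters in show_access_lists mirror what the router's show access-lists output lets you verify after traffic has flowed.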

You can issue the show access-lists command on Chris to verify the proper configuration of the access list:

Chris#show access-lists
Standard ip access list permit-40
    permit 192.168.40.0, wildcard bits 0.0.0.255
    deny any

You can also use the show ip interface command to verify the access list. Issuing this command displays any and all access lists that are configured on an interface. Issuing the command on Chris displays the output shown in Listing 7.17.

Listing 7.17: Output of the show ip interface command on Chris.

Chris#sh ip int e0/0
FastEthernet0 is up, line protocol is up
  Internet address is 192.168.10.1/24
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is permit-40
  Proxy ARP is enabled
