Named IP Access Lists

Named ACLs can be used to match the same packets, with the same parameters, that you can match with standard and extended IP ACLs. Named IP ACLs do have some differences, however, some of which make them easier to work with. The most obvious difference is that IOS identifies named ACLs using names you make up, as opposed to numbers, and you have a better chance of remembering names. Named ACLs also have another key feature that numbered ACLs do not: you can delete individual lines in a named IP access list. With numbered ACLs, if you enter no access-list 101 followed by the rest of the command, you don't just delete that single line, you delete the whole list! With named ACLs, you can enter a command that removes individual lines in an ACL. Other than that, the only differences are the changes in the configuration syntax.

The configuration syntax is very similar between named and numbered IP access lists. The items that can be matched with a numbered standard IP access list are identical to the items that can be matched with a named standard IP access list. Likewise, the items are identical with both numbered and named extended IP access lists.

Two important configuration differences exist between numbered and named access lists. One key difference is that named access lists use a global command that places the user in a named IP access list submode, under which the matching and permit/deny logic is configured. The other key difference is that when a named matching statement is deleted, only that one statement is deleted. With numbered lists, the deletion of any statement in the list deletes all the statements in the list.

The following example shows how to use a named IP ACL. It shows the changing command prompt in configuration mode, indicating that the user has been placed in ACL configuration mode. It also lists the pertinent parts of the output of a show running-config command. It ends with an example of how you can delete individual lines in a named ACL.

CT(config)#
CT(config)#ip access-list extended ACL
CT(config-ext-nacl)#deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq ftp
CT(config-ext-nacl)#deny tcp host 172.16.2.10 host 172.16.1.100 eq www
CT(config-ext-nacl)#permit ip any any
CT(config-ext-nacl)#exi
CT(config)#
...
CT(config)#sh run
...
!
interface Serial1/0
ip address 172.16.12.1 255.255.255.0
ip access-group ACL in
serial restart-delay 0
!
interface Serial1/1
ip address 172.16.13.1 255.255.255.0
ip access-group ACL in
serial restart-delay 0
!
...
!
ip access-list extended ACL
deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq ftp
deny tcp host 172.16.2.10 host 172.16.1.100 eq www
permit ip any any
!
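To make the matching and deletion semantics described above concrete, here is an added Python model (not IOS code, and not part of the original page) that parses the three entries of the named ACL shown in the running-config, evaluates packets against them with IOS-style wildcard masks and first-match logic (including the implicit deny at the end), and contrasts removing one statement from a named ACL with the whole-list deletion that a numbered ACL suffers. The class and function names, the port-name table, and the sample packets are all assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the entries of "ip access-list extended ACL" from the
# running-config shown on the page.
ACL_LINES = [
    "deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq ftp",
    "deny tcp host 172.16.2.10 host 172.16.1.100 eq www",
    "permit ip any any",
]

# Assumed port-name table (IOS accepts well-known names in place of numbers).
PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "domain": 53, "www": 80}


def ip_int(s: str) -> int:
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr: int, net: int, wildcard: int) -> bool:
    """IOS wildcard-mask match: bits set to 1 in the wildcard are 'don't care'."""
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (net & care)


def parse_addr(tokens, i):
    """Parse one IOS address specifier at tokens[i]: 'any', 'host A', or 'A WILDCARD'.
    Returns ((network, wildcard), next_index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (ip_int(tokens[i + 1]), 0), i + 2
    return (ip_int(tokens[i]), ip_int(tokens[i + 1])), i + 2


@dataclass(frozen=True)
class AclEntry:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every IP protocol; "tcp"/"udp" match only that one
    src: tuple             # (network, wildcard)
    dst: tuple             # (network, wildcard)
    dst_port: Optional[int]  # None when the entry has no "eq <port>" qualifier


def parse_entry(line: str) -> AclEntry:
    """Parse a single extended-ACL statement as it appears in ACL submode."""
    tokens = line.split()
    action, proto, i = tokens[0], tokens[1], 2
    src, i = parse_addr(tokens, i)
    dst, i = parse_addr(tokens, i)
    dst_port = None
    if i < len(tokens) and tokens[i] == "eq":
        port = tokens[i + 1]
        dst_port = PORT_NAMES[port] if port in PORT_NAMES else int(port)
    return AclEntry(action, proto, src, dst, dst_port)


class NamedAcl:
    """A named IP access list: ordered statements, first match wins, implicit deny."""

    def __init__(self, name: str, lines):
        self.name = name
        self.entries = [parse_entry(line) for line in lines]

    def remove(self, line: str) -> None:
        # Named-ACL semantics: "no <statement>" in ACL submode drops only that statement.
        target = parse_entry(line)
        self.entries = [e for e in self.entries if e != target]

    def evaluate(self, src: str, dst: str, proto: str, dst_port: Optional[int] = None):
        """Return (action, index of the matching statement), or ("deny", None)
        when no statement matches and the implicit deny at the end applies."""
        s, d = ip_int(src), ip_int(dst)
        for idx, e in enumerate(self.entries):
            if e.proto != "ip" and e.proto != proto:
                continue
            if not wildcard_match(s, *e.src) or not wildcard_match(d, *e.dst):
                continue
            if e.dst_port is not None and e.dst_port != dst_port:
                continue
            return e.action, idx
        return "deny", None


class NumberedAcl(NamedAcl):
    """Models the numbered-ACL behaviour the page warns about."""

    def remove(self, line: str) -> None:
        # "no access-list <number> ..." removes the entire list, not one statement.
        self.entries = []


if __name__ == "__main__":
    acl = NamedAcl("ACL", ACL_LINES)
    print(acl.evaluate("172.16.3.10", "172.16.1.77", "tcp", 21))    # ('deny', 0)
    print(acl.evaluate("172.16.2.10", "172.16.1.100", "tcp", 80))   # ('deny', 1)
    print(acl.evaluate("172.16.2.10", "172.16.1.101", "tcp", 80))   # ('permit', 2)
    acl.remove(ACL_LINES[1])
    print(len(acl.entries), acl.evaluate("172.16.2.10", "172.16.1.100", "tcp", 80))  # 2 ('permit', 1)
```

The evaluation order matters: the two deny statements must precede permit ip any any, exactly as in the router's configuration, because the first matching statement decides the packet's fate and nothing after it is consulted. The NumberedAcl subclass exists only to show why the page recommends named ACLs when you expect to edit a list in place.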
