When people talk about router ACLs, the first things that come to mind are the standard ACL and the extended ACL; the named ACL is far less well known. The main purpose of this article is to introduce the configuration of named access control lists.
Access list types:
Standard access control list (IP-based number range 1-99, IPX-based number range 800-899): checks only the source address; a permit or deny applies to the whole protocol suite (all IP traffic).
Extended access control list (IP-based number range 100-199, IPX-based number range 900-999): checks source and destination address, a specific TCP/IP protocol and the destination port number; a permit or deny applies to that specific protocol.
SAP access list (IPX-based number range 1000-1099). Other number ranges are reserved for access lists of other protocols.
An access list is applied to an interface in either the inbound (in) or outbound (out) direction.
************************************************
* examples of standard access control lists *
************************************************
Prerequisite: enter global configuration mode first.
access-list 11 deny|permit 192.168.1.12 0.0.0.255
###### 192.168.1.12 is the source address; 0.0.0.255 is the wildcard mask (inverse mask) applied to 192.168.1.12; 11 is the number of the standard access control list.
ip access-group 11 in|out    // prerequisite: enter interface configuration mode first
###### in is the inbound direction, out is the outbound direction; if the direction is omitted, out is the default. 11 is the number of the access control list created above.
With these two steps a complete access control list is configured. If the wildcard mask is omitted, it defaults to 0.0.0.0 (match the single host).
Use the no access-list 11 command to delete the access control list; every statement under that number is removed (enter global configuration mode first).
Use the no ip access-group 11 command to remove the access control list from the interface (enter interface configuration mode first).
***************************************************
* configuration of the Extended access control List *
***************************************************
Prerequisite: enter global configuration mode first.
access-list 101 deny|permit tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 80
###### Meaning: deny/permit hosts in the 172.16.4.0 network from connecting to TCP port 80 on hosts in the 172.16.3.0 network.
access-list 101 permit ip any any
###### This access control list entry permits everything else.
###### (In an extended access list, "permit all" is followed by two any keywords, source and destination; in a standard access list, "permit all" is followed by a single any.)
###### 101 is the list number; tcp is the protocol; 172.16.4.0 0.0.0.255 is the source address and wildcard mask; 172.16.3.0 0.0.0.255 is the destination address and wildcard mask; eq means "equal to"; 80 is the port number.
ip access-group 101 out    // prerequisite: enter interface configuration mode first
###### This command enables the access control list on the interface and specifies the direction.
***************************************************
* configuration of named access Control List *
***************************************************
(Supported in IOS versions 11.2 and later.) Both IP-based and IPX-based access lists can be given a user-defined name.
(Enter global configuration mode first.)
ip access-list standard|extended Cisco    // Cisco is the user-defined name
deny|permit 172.1.1.0 0.0.0.255    // use this form when standard was chosen above; the entries follow ordinary standard access list syntax
deny|permit tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 80    // use this form when extended was chosen above; the entries follow extended access list syntax
ip access-group Cisco in|out (prerequisite: enter interface configuration mode first) applies the named access control list to the interface and specifies the direction.
********************************
* Access Control List Placement Guidelines *
********************************
Place extended access lists close to the source device, and place standard access lists close to the destination device.
********************************
* Access Control List Configuration guidelines *
********************************
The position of each statement in the access list is critical, because entries are evaluated in order and the first match wins;
Put the more restrictive (more specific) statements at the top of the access list;
Use the no access-list <number> command to delete a numbered access list; this removes the entire list, since individual statements cannot be deleted from a numbered list. The exception is named access lists, from which individual statements can be deleted.
Copyright www.netdigedu.com
Every access list ends with a hidden entry: deny all (an implicit deny);
Therefore, when building an access list, add an explicit permit any statement for the traffic that should still be allowed.
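To make the ordering and implicit-deny rules concrete, here is an added Python simulator (not from the original article) that evaluates packets against ACL entries using Cisco wildcard-mask semantics; the entries reproduce the article's ACL 11 and ACL 101, and the packet addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard (inverse) mask: a 0 bit must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)


@dataclass
class Entry:
    action: str                       # "permit" or "deny"
    proto: str = "ip"                 # "ip" matches every protocol, else "tcp"/"udp"
    src: str = "0.0.0.0"              # source address; defaults form the "any" keyword
    src_wc: str = "255.255.255.255"
    dst: str = "0.0.0.0"              # destination; standard ACLs never set this
    dst_wc: str = "255.255.255.255"
    dport: Optional[int] = None       # "eq <port>"; None means any port


def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, index) of the first matching entry, top to bottom.
    No match falls through to the hidden 'deny all' and returns ("deny", None)."""
    for i, e in enumerate(acl):
        if e.proto != "ip" and e.proto != proto:
            continue
        if not wildcard_match(src, e.src, e.src_wc):
            continue
        if not wildcard_match(dst, e.dst, e.dst_wc):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, i
    return "deny", None


# access-list 11 permit 192.168.1.12 0.0.0.255 (standard: source only)
ACL_11 = [Entry("permit", src="192.168.1.12", src_wc="0.0.0.255")]

# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 80
# access-list 101 permit ip any any
ACL_101 = [
    Entry("deny", "tcp", "172.16.4.0", "0.0.0.255", "172.16.3.0", "0.0.0.255", 80),
    Entry("permit"),
]
# Same two statements in the wrong order: the permit shadows the deny entirely.
ACL_101_MISORDERED = list(reversed(ACL_101))
```

Run evaluate() with the deny listed first and then with ACL_101_MISORDERED to see why the restrictive statement must be on top, and query ACL_11 with an address outside 192.168.1.0/24 to see the implicit deny.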
Example
Named access control list configuration:
Router(config)# ip access-list extended HBSJ
Router(config-ext-nacl)# permit ip 10.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# exit
Router(config)# interface fastethernet2/1/0
Router(config-if)# ip access-group HBSJ in