Access Control List configuration: Named access Control List configuration

Source: Internet
Author: User
Tags: port number
When router ACLs come up, the first things that come to mind are the standard ACL and the extended ACL; the less well known third form is the named ACL. The main purpose of this article is to introduce named access control list configuration.

Access list types:

Standard access control list (IP-based: numbers 1-99; IPX-based: numbers 800-899). Checks only the source address; the permit or deny typically applies to the whole protocol suite.

Extended access control list (IP-based: numbers 100-199; IPX-based: numbers 900-999). Checks source and destination address, a specific TCP/IP protocol and the destination port number; the permit or deny typically applies to a specific protocol.

SAP access control list (IPX-based: numbers 1000-1099). Other access list number ranges represent access lists for other protocols.

An access list is applied on an interface in either the in (inbound) or the out (outbound) direction.

************************************************

* Examples of standard access control lists *

************************************************    

Prerequisite: enter global configuration mode first.

access-list 11 deny/permit 192.168.1.12 0.0.0.255

###### 192.168.1.12 is the source address; 0.0.0.255 is the wildcard mask (inverse mask) applied to 192.168.1.12; 11 is the number of the standard access control list.

ip access-group 11 in/out    // prerequisite: enter interface configuration mode first

###### in means the inbound direction and out the outbound direction; if the direction is omitted, out is used by default. 11 is the number of the access control list created above.

With these two steps a complete access control list is configured. If the wildcard mask is omitted it defaults to 0.0.0.0 (an exact host match).

Use the no access-list 11 command to delete the access control list; every statement under that number is deleted (enter global configuration mode first).

Use the no ip access-group 11 command to remove the access control list from the interface (enter interface configuration mode first).

***************************************************

* Configuration of the extended access control list *

***************************************************    

Prerequisite: enter global configuration mode first.

access-list 101 deny/permit tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 80

###### Meaning: deny/permit the 172.16.4.0 network from accessing TCP port 80 on the 172.16.3.0 network.

access-list 101 permit ip any any

###### This access control list statement means permit all.

###### (In an extended access list, "permit all" is followed by two any keywords; in a standard access control list, "permit all" is followed by a single any.)

###### 101 is the list number; tcp is the protocol; 172.16.4.0 0.0.0.255 is the source address; 172.16.3.0 0.0.0.255 is the destination address; eq means "equal to"; 80 is the port number.

ip access-group 101 out    // prerequisite: enter interface configuration mode first

###### This command enables the access control list on the interface and specifies the direction.

***************************************************

* Configuration of named access control lists *

***************************************************    

(Supported in IOS versions 11.2 and later.) Both IP-based and IPX-based access lists can be given a user-defined name.

Prerequisite: enter global configuration mode first.

ip access-list standard/extended Cisco    // Cisco is the user-defined name

deny/permit 172.1.1.0 0.0.0.255    // used when standard was selected above: the statement is an ordinary standard access control list entry

deny/permit tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 80    // used when extended was selected above: the statement is an extended access control list entry

The ip access-group Cisco in/out command (enter interface configuration mode first) applies the named access control list on the interface and specifies the direction.

********************************

* Access Control List Placement Guidelines *

********************************

Place extended access lists close to the source device, and place standard access lists close to the destination device.

********************************

* Access Control List Configuration guidelines *

********************************

The position of the restrictive statements in the access list is critical;

Put the restrictive statements at the top of the access list;

Use the no access-list number command to delete the entire numbered access list; the exception is named access lists, in which individual statements can be deleted;

Copyright www.netdigedu.com

Every access list ends with a hidden statement: deny all;

Therefore, when setting up an access list, include a permit any statement.

Example

Named access control list configuration:

Router(config)#ip access-list extended HBSJ

Router(config-ext-nacl)#permit ip 10.0.0.0 0.255.255.255 any

Router(config-ext-nacl)#exit

Router(config)#interface fastethernet2/1/0

Router(config-if)#ip access-group HBSJ in
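To make the matching rules from the sections above concrete, here is a small Python model of ACL evaluation, written for this article as an added example (it is not code from the original page or from Cisco IOS). It parses numbered statements (access-list N ...) and named lists (ip access-list standard/extended NAME followed by its statements), matches addresses with wildcard masks, applies the omitted-wildcard default of 0.0.0.0, stops at the first matching statement, and returns the hidden deny all when nothing matches. The sample configuration is constructed from the statements used on this page (lists 11 and 101 and the named list HBSJ); list 102 is an assumed, deliberately misordered copy of list 101 that shows why the restrictive statement must come first. All function and variable names are the example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PROTOCOLS = ("ip", "tcp", "udp", "icmp")   # "ip" matches every IP protocol

@dataclass
class Entry:
    action: str              # "permit" or "deny"
    proto: str               # standard entries are always "ip"
    src: str                 # source address and its wildcard ("inverse") mask
    src_wc: str
    dst: str                 # destination address and wildcard (standard entries: any)
    dst_wc: str
    dst_port: Optional[int]  # destination port from "eq N", or None

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard mask must match exactly; a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)

def _parse_addr(tokens: List[str], i: int) -> Tuple[str, str, int]:
    """Consume 'any' | 'host A' | 'A WILDCARD' | 'A'; return (address, wildcard, next index)."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    if i + 1 < len(tokens) and tokens[i + 1][0].isdigit():   # an explicit wildcard mask follows
        return tokens[i], tokens[i + 1], i + 2
    return tokens[i], "0.0.0.0", i + 1   # omitted wildcard defaults to 0.0.0.0 (exact host)

def parse_entry(tokens: List[str]) -> Entry:
    """tokens start at permit|deny. Extended: proto src dst [eq port]; standard: source only."""
    if tokens[1] in PROTOCOLS:
        src, src_wc, i = _parse_addr(tokens, 2)
        dst, dst_wc, i = _parse_addr(tokens, i)
        port = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
        return Entry(tokens[0], tokens[1], src, src_wc, dst, dst_wc, port)
    src, src_wc, _ = _parse_addr(tokens, 1)
    return Entry(tokens[0], "ip", src, src_wc, "0.0.0.0", "255.255.255.255", None)

def parse_acl(config: str) -> Dict[str, List[Entry]]:
    """Parse 'access-list N ...' lines and 'ip access-list standard|extended NAME' blocks."""
    acls: Dict[str, List[Entry]] = {}
    current: Optional[str] = None            # named list whose statements follow
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("!"):
            continue
        kw = [t.lower() for t in tokens]     # keywords are case-insensitive, list names are not
        if kw[:2] == ["ip", "access-list"]:
            current = tokens[3]
            acls.setdefault(current, [])
        elif kw[0] == "access-list":
            acls.setdefault(tokens[1], []).append(parse_entry(kw[2:]))
        elif kw[0] in ("permit", "deny") and current is not None:
            acls[current].append(parse_entry(kw))
        else:
            raise ValueError("unsupported line: " + raw)
    return acls

def evaluate(entries: List[Entry], proto: str, src: str, dst: str,
             dst_port: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First match wins: return (action, index of the matching entry); ("deny", None) is the hidden deny all."""
    for idx, e in enumerate(entries):
        if e.proto != "ip" and e.proto != proto:
            continue
        if not wildcard_match(src, e.src, e.src_wc) or not wildcard_match(dst, e.dst, e.dst_wc):
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        return e.action, idx
    return "deny", None

# Constructed sample made from the statements used in this article.
SAMPLE_CONFIG = """
access-list 11 deny 192.168.1.12 0.0.0.255
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 80
access-list 101 permit ip any any
ip access-list extended HBSJ
 permit ip 10.0.0.0 0.255.255.255 any
"""

# Assumed list 102: the two statements of list 101 with the restrictive one placed last.
MISORDERED_CONFIG = """
access-list 102 permit ip any any
access-list 102 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 80
"""

if __name__ == "__main__":
    acls = parse_acl(SAMPLE_CONFIG)
    print(evaluate(acls["11"], "ip", "10.0.0.5", "8.8.8.8"))             # ('deny', None): hidden deny all
    print(evaluate(acls["101"], "tcp", "172.16.4.9", "172.16.3.2", 443))  # ('permit', 1)
    print(evaluate(parse_acl(MISORDERED_CONFIG)["102"], "tcp",
                   "172.16.4.9", "172.16.3.2", 80))                       # ('permit', 0): the deny is shadowed
```

Two things the model makes visible that the configuration lines alone do not: list 11 contains only a deny statement, so every other source is dropped by the hidden deny all unless a permit any is added, and in list 102 the permit ip any any placed first matches every packet, so the deny behind it can never be reached. The model only handles the forms used on this page (the four protocol keywords and the eq port operator); other IOS options such as gt, lt, range, established and log are not represented.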

