Just like the numbered ACLs we’ve used so far, named ACLs allow you to filter network traffic according to various criteria. However, they have the following benefits over numbered ACLs:
- an ALC can be assigned a meaningful name (e.g. filter_traffic_to_server)
- ACL subcommands are used in the ACL configuration mode, and not in the global configuration mode as with numbered ACLs
- you can reorder statements in a named access list using sequence numbers
The named ACL name and type is defined using the following syntax:
(config) ip access-list STANDARD|EXTENDED NAME
The command above moves you to the ACL configuration mode, where you can configure the permit and deny statements. Just like with numbered ACLs, named ACLs ends with the implicit deny statement, so any traffic not explicitly permitted will be forbidden.
We will use the following network in our configuration example:
We want to deny the user’s workstation (10.0.0.2/24) any type of access to the Domain server (192.168.0.1/24). We also want to enable the user unrestricted access to the File share (192.168.0.2/24).
First, we will create and name our ACL:
R1(config)#ip access-list extended allow_traffic_fileshare
Once inside the ACL config mode, we need to create a statement that will deny the user’s workstation access to the Domain server:
R1(config-ext-nacl)#20 deny ip 10.0.0.2 0.0.0.0 192.168.0.1 0.0.0.0
The number 20 represents the line in which we want to place this entry in the ACL. This allows us to reorder statements later if needed.
Now, we will execute a statement that will permit the workstation access to the File share:
R1(config-ext-nacl)#50 permit ip 10.0.0.2 0.0.0.0 192.168.0.2 0.0.0.0
Lastly, we need to apply the access list to the Gi0/0 interface on R1:
R1(config)#int Gi0/0 R1(config-if)#ip access-group allow_traffic_fileshare in
The commands above will force the router to evaluate all packets trying to enter Gi0/0. If the workstation tries to access the Domain server, the traffic will be forbidden because of the first ACL statement. However. if the user tries to access the File server, the traffic will be allowed, because of the second statement.
Our named ACL configuration looks like this:
R1#show ip access-lists Extended IP access list allow_traffic_fileshare 20 deny ip host 10.0.0.2 host 192.168.0.1 50 permit ip host 10.0.0.2 host 192.168.0.2
Notice the sequence number at the beginning of each entry. If we need to stick a new entry between these two entries, we can do that by specifying a sequence number in the range between 20 and 50. If we don’t specify the sequence number, the entry will be added to the bottom of the list.
We can use the ping command on the workstation to verify the traffic is being blocked properly:
C:\>ping 192.168.0.1 Pinging 192.168.0.1 with 32 bytes of data: Reply from 10.0.0.1: Destination host unreachable. Reply from 10.0.0.1: Destination host unreachable. Reply from 10.0.0.1: Destination host unreachable. Reply from 10.0.0.1: Destination host unreachable. Ping statistics for 192.168.0.1: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss), C:\> C:\>ping 192.168.0.2 Pinging 192.168.0.2 with 32 bytes of data: Reply from 192.168.0.2: bytes=32 time<1ms TTL=127 Reply from 192.168.0.2: bytes=32 time<1ms TTL=127 Reply from 192.168.0.2: bytes=32 time<1ms TTL=127 Reply from 192.168.0.2: bytes=32 time<1ms TTL=127 Ping statistics for 192.168.0.2: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms
As you can see from the ping output above, the traffic is being filtered properly.