Cisco Standard Named Access Control List configuration

By | April 30, 2014

Hi, welcome to another episode of the Cisco networking tutorial. We have been discussing network security with a focus on access lists, and we have already done labs on standard numbered ACLs and extended numbered ACLs. Today I would like to show you Cisco standard named access control list configuration. Named access lists overcome some of the limitations of numbered access lists, and like numbered ACLs they are divided into standard and extended.

A numbered ACL is referenced by a number, whereas a named ACL is referenced by a name.

Named ACLs give administrators more flexibility because each list carries a descriptive name rather than just a number.

Named Access List vs. Numbered Access List

  • A numbered ACL is identified by a number, while a named access list is identified by a name.
  • Named ACLs are easy to identify, so an administrator can tell at a glance what each list is for and manage it without hassle.
  • Numbered ACLs, with the classic syntax, are not editable: you cannot remove an individual line, and the only way to change one is to delete the entire ACL and re-create it. Named access lists are editable: individual lines can be removed and new lines can be added. New lines are appended to the bottom of the ACL.

Note: Even though specific lines can be removed from a named ACL, the commands shown here cannot insert an entry between two existing lines; new entries are placed at the bottom of the ACL. On IOS releases that support access-list entry sequence numbers (12.3 and later), an entry can be inserted at a chosen position by prefixing it with a sequence number (for example `15 deny host 40.0.0.2`), `show ip access-lists` then displays the sequence numbers, and the same `ip access-list standard <number>` syntax lets numbered ACLs be edited line by line as well.

What is Standard Named Access List in Networking?

  • Permits or denies traffic based only on the source address (like a standard numbered ACL); the destination and the protocol are not examined.
  • A standard named access list is created with the following syntax:

ip access-list standard [Name]


  • Because a standard ACL filters only on the source IP address, it should be placed as close to the destination network as possible. Applied near the source, it would also cut that source off from destinations you never intended to filter.

Standard Named Access List Example in Packet Tracer

OK, now let's create a standard named access control list in Packet Tracer. Three different cases are shown below. In this topology R1's FastEthernet0/0 (10.0.0.1/8) connects to network N1 (10.0.0.0/8), so each ACL is applied outbound on that interface, close to the destination.

Example 1: Deny a Complete Network

In this example we block network N4 (40.0.0.0/8) from reaching network N1 (10.0.0.0/8). The wildcard mask 0.255.255.255 matches every address whose first octet is 40. The trailing `permit any` is required: every ACL ends with an implicit deny, so without it all other traffic leaving f0/0 would be dropped as well.


R1(config)#ip access-list standard TEST1
R1(config-std-nacl)#deny 40.0.0.0 0.255.255.255
R1(config-std-nacl)#permit any
R1(config-std-nacl)#exit
R1(config)#interface f0/0
R1(config-if)#ip access-group TEST1 out
R1(config-if)#exit

Example 2 – Deny a Specific Host and Permit All Other Hosts

This example uses the `deny host` form of the standard named access list. It blocks the single host 40.0.0.2 (in 40.0.0.0/8) from reaching the 10.0.0.0/8 network while every other host is still permitted. `host 40.0.0.2` is shorthand for `40.0.0.2 0.0.0.0`, a wildcard mask in which every bit must match.

R1(config)#ip access-list standard TEST2
R1(config-std-nacl)#deny host 40.0.0.2
R1(config-std-nacl)#permit any
R1(config-std-nacl)#exit
R1(config)#interface f0/0
R1(config-if)#ip access-group TEST2 out
R1(config-if)#exit

Example 3 – Permit a Specific Host and Deny All Other Hosts

This example also uses the host-specific form. It permits the host 40.0.0.2 to reach the 10.0.0.0/8 network while blocking all other hosts in 40.0.0.0/8. Order matters here: entries are evaluated top to bottom and the first match wins, so the `permit host 40.0.0.2` line must come before `deny 40.0.0.0 0.255.255.255`. Reversed, the host would be caught by the network deny and the permit would never be reached.

R1(config)#ip access-list standard TEST3
R1(config-std-nacl)#permit host 40.0.0.2
R1(config-std-nacl)#deny 40.0.0.0 0.255.255.255
R1(config-std-nacl)#permit any
R1(config-std-nacl)#exit
R1(config)#interface f0/0
R1(config-if)#ip access-group TEST3 out
R1(config-if)#exit

***   ***   ***

Verification and testing commands

Here are some verification and troubleshooting commands that network engineers use regularly.

#show ip access-lists : Check Access List

Shows all access lists configured on the router. On a real IOS device, entries that have matched traffic also show a match counter, for example `(5 matches)`; that counter is the quickest way to confirm the ACL is actually seeing the traffic you expect it to filter.

R1#show ip access-lists
Standard IP access list TEST1
deny 40.0.0.0 0.255.255.255
permit any

Check ACL Binding Interface

How do you check which interface an ACL is applied to, and in which direction? Look for the `ip access-group` lines in the running configuration. For a single interface, `show ip interface <interface>` also reports the inbound and outgoing access lists.

R1#show running-config
Building configuration...

Current configuration : 831 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R1
!
!
spanning-tree mode pvst
!
!
interface FastEthernet0/0
ip address 10.0.0.1 255.0.0.0
ip access-group TEST1 out
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 20.0.0.1 255.0.0.0
duplex auto
--More--

How to Remove Standard Named Access List

What do we do to delete a named standard ACL? Use the `no` form of the command. Caveat: this does not remove the `ip access-group` reference on the interface, and an access group that points to an access list which does not exist permits all traffic, so the filter silently disappears. Unbind the ACL from the interface first (next section), or be sure to re-create the list before traffic is expected to be filtered.

R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#no ip access-list standard TEST1

Unbind Access List from an Interface

How do you remove an ACL from a specific interface? Enter interface configuration mode and use the `no` form of the `ip access-group` command.

R1(config)#interface fastEthernet 0/0
R1(config-if)#no ip access-group TEST1 out

How to Modify a Standard Named Access List

How do you edit a standard named access list? Enter its configuration mode and add new lines. Individual entries are deleted from the same mode with the `no` form of the entry. In the following configuration I deleted one line and added another. Note: new entries are appended to the bottom of the ACL, which is why the order of operations below matters.

R1#show access-lists
Standard IP access list TEST1
deny 40.0.0.0 0.255.255.255
permit any
R1#conf terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip access-list standard TEST1
R1(config-std-nacl)#no permit any
R1(config-std-nacl)#deny 30.0.0.0 0.255.255.255
R1(config-std-nacl)#permit any
R1#
%SYS-5-CONFIG_I: Configured from console by console
R1#show access-lists
Standard IP access list TEST1
deny 40.0.0.0 0.255.255.255
deny 30.0.0.0 0.255.255.255
permit any

To place `deny 30.0.0.0 0.255.255.255` ahead of `permit any`, I first removed `permit any`, added the new deny line, and then re-added `permit any` at the end. Had the deny simply been appended after `permit any`, it would never be reached, because the first matching entry wins. Also note that between `no permit any` and re-adding it, the list consists only of deny entries plus the implicit deny, so all traffic leaving FastEthernet0/0 is dropped for that moment; on a production router, build the new list under a different name and swap the `ip access-group` binding instead.
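The following simulator is an added example, not code from the original tutorial or from Cisco. It models how IOS evaluates a standard access list so that the wildcard-mask matching, first-match ordering and implicit deny used in Examples 1 to 3, and the append-at-the-bottom problem from the modify step above, can be checked offline before touching a router. The ACL texts and source addresses are constructed here, and the function names (parse_acl, evaluate, shadowed_entries) are this example's own; it ignores sequence numbers, remarks and the log keyword.

```python
import ipaddress

# Constructed ACLs: the three examples from the tutorial, the wrong ordering
# for example 3, and the result of appending a deny after 'permit any'
# without removing 'permit any' first.
TEST1 = """deny 40.0.0.0 0.255.255.255
permit any"""
TEST2 = """deny host 40.0.0.2
permit any"""
TEST3 = """permit host 40.0.0.2
deny 40.0.0.0 0.255.255.255
permit any"""
TEST3_WRONG = """deny 40.0.0.0 0.255.255.255
permit host 40.0.0.2
permit any"""
TEST1_BAD_EDIT = """deny 40.0.0.0 0.255.255.255
permit any
deny 30.0.0.0 0.255.255.255"""


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def parse_acl(text):
    """Parse standard-ACL entries ('permit'/'deny' + source spec) into tuples
    (line, action, address, wildcard). Wildcard bit 0 = must match, 1 = don't care."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        action = parts[0]
        if action not in ("permit", "deny") or len(parts) < 2:
            raise ValueError(f"unsupported entry: {line!r}")
        if parts[1] == "any":
            addr, wild = 0, 0xFFFFFFFF          # 'any' == 0.0.0.0 255.255.255.255
        elif parts[1] == "host":
            addr, wild = _ip(parts[2]), 0       # 'host X' == X 0.0.0.0
        else:
            addr = _ip(parts[1])
            # IOS treats a bare address with no wildcard as a single host.
            wild = _ip(parts[2]) if len(parts) > 2 else 0
        entries.append((line, action, addr, wild))
    return entries


def evaluate(acl, src):
    """Evaluate a source address the way IOS does: top to bottom, first match
    wins, and an implicit 'deny any' at the end. Returns (action, matched line)."""
    s = _ip(src)
    for line, action, addr, wild in acl:
        # Setting the don't-care bits on both sides compares only the bits the
        # wildcard says must match.
        if (s | wild) == (addr | wild):
            return action, line
    return "deny", "implicit deny any"


def shadowed_entries(acl):
    """Lines that can never match because a single earlier entry already
    covers every address they cover (the append-after-'permit any' mistake,
    or a host permit placed after its network deny). Coverage by several
    earlier entries combined is not detected."""
    shadowed = []
    for j, (line_j, _, addr_j, wild_j) in enumerate(acl):
        for line_i, _, addr_i, wild_i in acl[:j]:
            covers_bits = (wild_j | wild_i) == wild_i      # i is at least as broad
            same_prefix = (addr_i | wild_i) == (addr_j | wild_i)
            if covers_bits and same_prefix:
                shadowed.append(line_j)
                break
    return shadowed


if __name__ == "__main__":
    cases = [("TEST1", TEST1), ("TEST2", TEST2), ("TEST3", TEST3),
             ("TEST3_WRONG", TEST3_WRONG), ("TEST1_BAD_EDIT", TEST1_BAD_EDIT)]
    for name, text in cases:
        acl = parse_acl(text)
        for src in ("40.0.0.2", "40.0.0.3", "30.0.0.1", "20.0.0.1"):
            print(f"{name}: {src:>9} -> {evaluate(acl, src)}")
        print(f"{name}: shadowed = {shadowed_entries(acl)}")
```

Running it shows that TEST3_WRONG denies 40.0.0.2 even though a `permit host` line exists, and that in TEST1_BAD_EDIT the new `deny 30.0.0.0` line is unreachable; `shadowed_entries` flags both lines, which is a useful sanity check to run over a list before applying it.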

***

Next → Extended Named Access Control List