Named Access Lists


The limit of 798 standard access lists or 799 extended IP access lists per router would seem to be more than enough; however, there are cases, such as with dynamic access lists,[1] in which these maximums might not be sufficient. Named access lists, available beginning with IOS 11.2, extend these limits. The other advantage is that descriptive names can make large numbers of lists more manageable.

[1] Dynamic access lists are not covered in this tutorial. Refer to the Cisco IOS Security Configuration Guide, "Configuring Lock-and-Key Security (Dynamic Access Lists)," for more information.

To use names, use the following syntax in the first line of the access list:

ip access-list {standard | extended} name

Because there are no numbers to differentiate list types, this line specifies the list as IP and either standard or extended.

Below the beginning line go the permit and deny statements. The syntax for the standard list is

{deny | permit} source [source-wildcard]

The syntax for the basic extended list is

{deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log]

In both cases, the access-list access-list-number portion of the command has disappeared, but everything else remains the same. Standard and extended access lists on the same router cannot share the same name. The command for establishing a named access list on an interface refers to the name instead of a number but in all other ways remains the same. Figure B-12 shows the access lists of Figure B-10 converted to the named format.
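The following is an added example, not the book's Figure B-12 and not taken from Figure B-10: one standard and one extended named IP access list written with the syntax above, then applied by name. The list names, addresses and interface are constructed for illustration; the port-matching operator (eq) is standard IOS extended-list syntax that goes beyond the basic form shown in this section.

```cisco
! Added example (constructed; not the book's own figure). Names, addresses
! and the interface are illustrative.
!
! Standard named list: matches on source address only, so it suits
! "who may reach this device" decisions such as management access.
ip access-list standard MGMT-HOSTS
 permit 192.168.10.0 0.0.0.255
 deny   any log
!
! Extended named list: protocol, source, destination and (IOS extension)
! destination port. Ending with an explicit "deny ip any any log" keeps
! the same effect as the implicit deny but records what was dropped.
ip access-list extended INBOUND-FILTER
 permit tcp 10.1.1.0 0.0.0.255 host 10.2.2.10 eq 22
 permit tcp 10.1.1.0 0.0.0.255 host 10.2.2.20 eq 443
 deny   ip any any log
!
! Applying a named list: the interface command refers to the name instead
! of a number and is otherwise unchanged from the numbered form.
interface Ethernet0
 ip access-group INBOUND-FILTER in
!
! A standard named list can likewise restrict VTY (telnet/SSH) access.
line vty 0 4
 access-class MGMT-HOSTS in
```

The two names are distinct because a standard and an extended list on the same router cannot share a name. The trailing explicit deny with log is a defender's convenience: the implicit deny at the end of every list silently discards traffic, whereas the logged entry gives the operator a record of what the list is actually blocking.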

Figure B-12. The access lists shown in Figure B-10 are now configured as named access lists.





Source: Routing TCP/IP, Volume 1 (2nd Edition), CCIE Professional Development series, 2005. ISBN 1587052024.
