How to Configure Named Access Control List
Introduction
A named access control list (ACL) is the enhanced form of the numbered ACL. Instead of identifying the list by a number, a named ACL uses a descriptive name, and it permits or denies traffic in exactly the same way. Both types can be named: a standard ACL filters on the source address only, while an extended ACL filters on protocol, source, destination and port, which gives much finer control over network traffic.
Benefits of the Named Access Control list
1) Readability: names are easier to remember than numbers, and a well-chosen name (for example BLOCK-PC0 or NO-HTTP-PC0) documents the list's purpose.
2) Editability: individual entries can be added or deleted by sequence number, so the list does not have to be removed from the interface and re-entered to make a change.
3) Flexibility: a new entry can be inserted at a chosen position in the list (order matters, because the first matching entry wins) without disrupting the rest of the access control list.
Syntax of a named ACL:
ip access-list {standard | extended} NAME
Standard entry (source only):
[sequence] {permit | deny} source [source-wildcard]
Extended entry (protocol, source, destination, optional port):
[sequence] {permit | deny} protocol source source-wildcard destination destination-wildcard [eq port]
The list only takes effect once it is applied to an interface with ip access-group NAME {in | out}. Every ACL ends with an implicit deny any, so a list that contains only deny entries blocks all traffic on that interface.
Types:
Named ACL supports both standard and extended ACLs.
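The following is an added example, not configuration from the original post, showing the editability and flexibility benefits listed above on a standard named ACL: entries get sequence numbers, a new entry is inserted between two existing ones, a single entry is removed, and the list is renumbered. The host addresses (192.168.1.10 for PC0, 192.168.1.11 for PC1) and the list name LAB-STD are assumptions for illustration.

```cisco
! Added example; addresses and the list name are assumed, not taken from the post.
! 1) Create the list. IOS numbers the entries 10, 20, 30 ... automatically.
R2(config)# ip access-list standard LAB-STD
R2(config-std-nacl)# remark Deny PC0, allow everyone else
R2(config-std-nacl)# deny   host 192.168.1.10
R2(config-std-nacl)# permit any
R2(config-std-nacl)# exit
!
! 2) Insert an entry BETWEEN 10 and 20 by giving it an explicit sequence number.
!    Placement matters: the list is evaluated top-down and the first match wins,
!    so a deny placed after "permit any" would never be reached.
R2(config)# ip access-list standard LAB-STD
R2(config-std-nacl)# 15 deny host 192.168.1.11
!
! 3) Remove only that entry by its sequence number; the rest of the list is untouched
!    and the list stays applied to its interface the whole time.
R2(config-std-nacl)# no 15
R2(config-std-nacl)# exit
!
! 4) Renumber the entries (start at 10, step 10) to leave room for future inserts.
R2(config)# ip access-list resequence LAB-STD 10 10
R2(config)# end
!
! 5) Verify: each entry is listed with its sequence number and a match counter.
R2# show ip access-lists LAB-STD
```

With a classic numbered ACL the equivalent edit is much more disruptive: "no access-list 10" removes the entire list, so the usual workflow was to remove the list from the interface, delete it, re-enter every line and reapply it. (Recent IOS releases also allow numbered lists to be edited through "ip access-list standard 10", but the named form makes the intent clearer.)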
In this blog post we configure both a standard and an extended named ACL for practical understanding.
Lab topology for Named ACL
The same lab topology is used for both the standard and the extended named ACL.
Standard Named ACL:
The lab topology shown above is used for the standard named ACL.
Configure IP addresses on R1, R2, and all the PCs. Then, run RIP version 2 on R1 and R2.
Before configuring the ACL, confirm that PC0 can ping PC3; if this ping fails, the problem is with addressing or RIP, not with the ACL.
Configure a standard named ACL on R2 that blocks PC0 from reaching PC3. A standard ACL matches only the source address, so it is applied as close to the destination (PC3) as possible; it must also contain an explicit permit for the remaining hosts, because every ACL ends with an implicit deny.
Now check whether PC0 can still ping PC3. The ping should fail.
Also check from PC1 whether the ACL affects it.
PC1 can still ping PC3 because the ACL denies only PC0 and explicitly permits everyone else. Without that permit statement, the implicit deny at the end of the list would block PC1 as well.
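Below is an added example of the complete standard named ACL procedure on R2 (addressing, RIP version 2, the ACL, its application and the verification commands). It is not the original post's configuration. The topology figure is not reproduced on this page, so the addresses are assumptions: PC0 192.168.1.10 and PC1 192.168.1.11 on the 192.168.1.0/24 LAN behind R1, PC3 192.168.2.10 on the 192.168.2.0/24 LAN behind R2's FastEthernet0/1, and the R1-R2 link 10.0.0.0/30 on FastEthernet0/0 of both routers.

```cisco
! Added example; all addresses, interface roles and the list name are assumed.
! --- Base configuration on R2 (R1 mirrors it with 10.0.0.1 and 192.168.1.1) ---
R2(config)# interface FastEthernet0/0
R2(config-if)# ip address 10.0.0.2 255.255.255.252
R2(config-if)# no shutdown
R2(config-if)# interface FastEthernet0/1
R2(config-if)# ip address 192.168.2.1 255.255.255.0
R2(config-if)# no shutdown
R2(config-if)# exit
R2(config)# router rip
R2(config-router)# version 2
R2(config-router)# no auto-summary
R2(config-router)# network 10.0.0.0
R2(config-router)# network 192.168.2.0
R2(config-router)# exit
!
! --- Standard named ACL: matches on SOURCE only, so it lives near the destination ---
R2(config)# ip access-list standard BLOCK-PC0
R2(config-std-nacl)# remark Drop PC0; every other source keeps access to the 192.168.2.0 LAN
R2(config-std-nacl)# deny   host 192.168.1.10
! "host 192.168.1.10" is shorthand for "192.168.1.10 0.0.0.0" (wildcard 0 = match every bit)
R2(config-std-nacl)# permit any
! Without "permit any" the implicit "deny any" at the end would cut off PC1 too
R2(config-std-nacl)# exit
!
! Apply it outbound on the interface that faces PC3
R2(config)# interface FastEthernet0/1
R2(config-if)# ip access-group BLOCK-PC0 out
R2(config-if)# end
!
! --- Verification ---
R2# show ip access-lists BLOCK-PC0
! (match counters on the deny entry increase with each blocked ping from PC0)
R2# show ip interface FastEthernet0/1 | include access list
! Expected result:  PC0> ping 192.168.2.10  fails
!                   PC1> ping 192.168.2.10  succeeds
```

Because the list inspects only the source address, PC0 loses access to every host on the 192.168.2.0/24 LAN, not just PC3; if only PC3 should be protected, an extended ACL is needed.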
Extended Named ACL
We reuse the previous lab topology for the extended named ACL; this time we deny PC0 from browsing the HTTP server.
First, use ping to test connectivity from PC0 to the HTTP server.
Now configure the extended named ACL so that it denies only HTTP traffic (TCP port 80) sent by PC0 to the server, followed by an entry that permits all other traffic; otherwise the implicit deny at the end of the list would stop every other flow from R1 to R2. Because an extended ACL can match on protocol, source, destination and port, it can be placed close to the source: apply it on R1's FastEthernet 0/0 in the outbound direction. Note that this entry covers plain HTTP only; HTTPS (TCP port 443) is not affected unless a separate deny entry is added for it.
Check the access list through show commands.
Browse the HTTP server from PC0. The page does not load.
Browse the HTTP server from PC1. PC1 can browse the server because the ACL does not deny PC1; it only denies PC0.
Finally, ping the server from PC0. The ping succeeds because only HTTP (TCP port 80) is denied; ICMP is not blocked, so a working ping does not mean the ACL is ineffective.
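The following is an added example of the extended named ACL on R1, with its application and verification; it is not the original post's configuration. The addresses are assumptions: PC0 192.168.1.10 and PC1 192.168.1.11 behind R1, the HTTP server 192.168.2.100 behind R2, and R1's FastEthernet0/0 (10.0.0.1/30) facing R2. The list name NO-HTTP-PC0 is also assumed.

```cisco
! Added example; addresses, interface roles and the list name are assumed.
! Extended named ACL: protocol + source + destination + port, so it can sit near the source.
! Order matters: the specific deny must come before the catch-all permit.
R1(config)# ip access-list extended NO-HTTP-PC0
R1(config-ext-nacl)# remark Block only HTTP (TCP/80) from PC0 to the web server
R1(config-ext-nacl)# deny   tcp host 192.168.1.10 host 192.168.2.100 eq 80
! "eq www" is an accepted alias for "eq 80"; HTTPS would need a second entry with "eq 443"
R1(config-ext-nacl)# remark Everything else (ICMP from PC0, PC1, other ports) is allowed
R1(config-ext-nacl)# permit ip any any
R1(config-ext-nacl)# exit
!
! Apply outbound on R1 Fa0/0 as in the lab. Outbound ACLs do not filter packets
! that the router itself originates, only transit traffic.
R1(config)# interface FastEthernet0/0
R1(config-if)# ip access-group NO-HTTP-PC0 out
R1(config-if)# end
!
! --- Verification ---
R1# show ip access-lists NO-HTTP-PC0
! (the deny entry's match counter rises each time PC0 retries the web page)
R1# show ip interface FastEthernet0/0 | include access list
R1# show running-config | include access
! Expected result:  PC0> http://192.168.2.100   blocked
!                   PC0> ping 192.168.2.100     succeeds (ICMP is not denied)
!                   PC1> http://192.168.2.100   works
```

If the goal were to stop PC0 from reaching the server over any protocol, the deny entry would be "deny ip host 192.168.1.10 host 192.168.2.100" instead; the "tcp ... eq 80" form is what makes the ping-succeeds, browse-fails result possible.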