  precedence   Match packets with given precedence value
  psh          Match on the PSH bit
  range        Match only packets in the range of port numbers
  rst          Match on the RST bit
  syn          Match on the SYN bit
  time-range   Specify a time-range
  tos          Match packets with given TOS value
  urg          Match on the URG bit
  <cr>

Next enter eq, gt, lt, neq or range to qualify the port, or any of the options above. The operators do not all define ranges: eq matches one port, gt and lt match every port above or below the given value, neq matches every port except the given one, and range matches an inclusive span of ports. The students need to know the standard port numbers and whether each service uses TCP or UDP. At the end of every ACL is the implied deny all statement. A common error is failure to enter a permit statement: if the ACL does not contain a permit statement, nothing will be permitted.

There are two ways to design security with ACLs. The first is to create an ACL that specifically denies potentially harmful traffic and permits all other traffic. Most of the ACL statements are deny statements, with a permit any as the last entry in the list. This approach is easier to create and needs fewer lines, but it is less secure than the other method: any traffic that was not anticipated when the list was written, including a service that did not exist at the time, passes by default.

The second method is to permit only the traffic that has been identified as appropriate. With this type of list, every type of traffic that is permissible requires a line that permits it, and all other traffic is dropped by the implicit deny at the bottom of the list. These lists consist primarily of permit statements and do not end with a permit any. While they require more planning and more lines, they are typically more secure. Maintenance of this type of list is usually triggered by the implementation of a new application or service that requires access by hosts on the internetwork.
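As an added illustration, not taken from the Cisco manual, here is the same filtering requirement written both ways as numbered extended ACLs. The addresses, port choices and interface are assumptions made for the example: 192.168.1.0/24 is the protected LAN, 192.168.1.10 is its web server, and the list is applied inbound on Serial0/0. Only one of the two lists would be applied in practice.

```cisco
! Added example, not from the Cisco manual. Addresses and interface are assumed.
!
! Method 1: deny what is known to be harmful, permit everything else.
! Short to write, but anything not listed (a new service, a port the author
! forgot) is permitted by the final permit ip any any.
access-list 101 deny tcp any any eq 23
access-list 101 deny tcp any any range 135 139
access-list 101 deny tcp any any eq 445
access-list 101 deny udp any any range 135 139
access-list 101 permit ip any any
!
! Method 2: permit only what is known to be appropriate.
! There is no permit ip any any; the implicit deny drops everything else.
! The explicit deny with "log" at the end is optional and only makes the
! implicit deny visible in the log.
access-list 102 permit tcp any host 192.168.1.10 eq 80
access-list 102 permit tcp any host 192.168.1.10 eq 443
access-list 102 permit tcp any 192.168.1.0 0.0.0.255 established
access-list 102 permit udp any eq 53 192.168.1.0 0.0.0.255 gt 1023
access-list 102 deny ip any any log
!
! Apply the chosen list inbound on the outside interface (assumed Serial0/0).
interface Serial0/0
 ip access-group 102 in
```

The second list shows the maintenance cost described above: when a new service is added to the server, a new permit line must be written, and because a numbered ACL cannot be edited in place the whole list is usually removed with no access-list 102 and re-entered with the new line in the correct position.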

11.2.3 Named ACLs

IP named ACLs were introduced in Cisco IOS Software Release 11.2 to allow standard and extended ACLs to be given names instead of numbers.

The advantages of a named access list are as follows:

Intuitively identify an ACL with an alphanumeric name

Eliminates the limit of 99 standard and 100 extended ACLs

Ability to modify ACLs without deleting and then reconfiguring them

It is important to note that, in the IOS releases this module describes, a named access list allows the deletion of individual statements but only allows new statements to be inserted at the end of the list. Later IOS releases add sequence numbers to named ACL entries, which allow a statement to be inserted at any position.

The configuration of a named ACL is very similar to the configuration of a standard or extended ACL. The first difference is that instead of starting the command with access-list, the named ACL uses ip access-list:

rt1(config)#ip access-list ?
  extended    Extended Access List
  log-update  Control access list log updates
  logging     Control access list logging
  standard    Standard Access List
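The following added example, not from the Cisco manual, walks through building a named extended ACL, deleting one entry, and appending a new one. The ACL name WEB_IN, the server address 192.168.1.10 and the interface Serial0/0 are assumed for illustration. It shows why the append-only behaviour matters on the IOS releases described above: a permit added after the final deny never matches.

```cisco
! Added example, not from the Cisco manual. Name, addresses and interface are assumed.
!
! Build the list. The prompt changes to the named-ACL sub-mode and the
! entries are typed without the access-list prefix or the list number.
rt1(config)#ip access-list extended WEB_IN
rt1(config-ext-nacl)#permit tcp any host 192.168.1.10 eq 80
rt1(config-ext-nacl)#permit tcp any host 192.168.1.10 eq 443
rt1(config-ext-nacl)#permit tcp any host 192.168.1.10 eq 23
rt1(config-ext-nacl)#deny ip any any log
rt1(config-ext-nacl)#exit
!
! A single entry can be removed by repeating it with "no"; the rest of the
! list stays in place, which a numbered ACL cannot do.
rt1(config)#ip access-list extended WEB_IN
rt1(config-ext-nacl)#no permit tcp any host 192.168.1.10 eq 23
!
! A new entry is always appended, so typing the permit for port 22 now would
! place it below "deny ip any any log" where it can never match. Remove the
! deny, add the permit, then re-add the deny so it is last again.
rt1(config-ext-nacl)#no deny ip any any log
rt1(config-ext-nacl)#permit tcp any host 192.168.1.10 eq 22
rt1(config-ext-nacl)#deny ip any any log
rt1(config-ext-nacl)#exit
!
! Apply the named list by name instead of by number.
rt1(config)#interface Serial0/0
rt1(config-if)#ip access-group WEB_IN in
```

After the edit, show access-lists confirms the order of the entries; check it whenever a line is added to a list that ends in an explicit deny, because an entry that lands below that deny silently does nothing.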

126 - 238 CCNA 2: Routers and Routing Basics v3.1 Instructor Guide – Module 11

Copyright 2004, Cisco Systems, Inc.
