126 - 238 CCNA 2: Routers and Routing Basics v3.1 Instructor Guide – Module 11
Copyright © 2004, Cisco Systems, Inc.
precedence Match packets with given precedence value
psh Match on the PSH bit
range Match only packets in the range of port numbers
rst Match on the RST bit
syn Match on the SYN bit
time-range Specify a time-range
tos Match packets with given TOS value
urg Match on the URG bit
<cr>
Next enter eq, gt or any of the above. The eq, gt and lt keywords define ranges of port numbers. The students need to know the standard port numbers and whether they use TCP or UDP. At the end of every ACL is the implied deny all statement. A common error is failure to enter a permit statement. If the ACL does not contain a permit statement, nothing will be permitted.
There are two ways to design security with ACLs. The first is to create an ACL that specifically denies potentially harmful traffic and permits all other traffic. Most of the ACL statements will consist of deny statements with a permit any command as the last entry in the list. This generally has the advantage of being easier to create and has fewer lines. It is also less secure than the other method.
The second method is to only permit traffic that is specified as appropriate. With this type of
list, every type of traffic that is permissible requires a line in the list to permit it. All other traffic
will be denied by the implicit deny at the bottom of the list. These lists consist of primarily
permit statements and do not have a permit any at the end of the list. While these lists require
more planning and lines of code, they are typically more secure. The maintenance for this type
of list is usually triggered by the implementation of a new application or service that requires
access by hosts on the internetwork.
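The two ACL designs and the implied deny described above, as an added Python model written for this section (it is not Cisco code or code from the guide): entries are checked top-down, the first match decides the packet, and an unmatched packet falls through to the implicit deny. The Entry class, the PORT_OPS table, the host addresses and the three sample lists are assumptions of this example, and CIDR prefixes stand in for IOS wildcard masks.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Entry:
    """One access-list line. Hypothetical model: CIDR prefixes stand in for
    IOS wildcard masks; "any" matches every address."""
    action: str        # "permit" or "deny"
    proto: str         # "ip" matches any protocol, otherwise "tcp" or "udp"
    src: str
    dst: str
    op: str = ""       # port operator: "eq", "gt", "lt", "range" or "" (none)
    ports: tuple = ()  # (port,) for eq/gt/lt, (low, high) for range


# Destination-port operators as described in the section above
PORT_OPS = {"eq": lambda p, a: p == a[0], "gt": lambda p, a: p > a[0],
            "lt": lambda p, a: p < a[0], "range": lambda p, a: a[0] <= p <= a[1]}


def addr_matches(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec)


def port_matches(op, ports, dport):
    return op == "" or PORT_OPS[op](dport, ports)


def evaluate(acl, proto, src, dst, dport=0):
    """Top-down, first match wins; no match falls through to the implicit deny."""
    for e in acl:
        if e.proto not in ("ip", proto):
            continue
        if (addr_matches(e.src, src) and addr_matches(e.dst, dst)
                and port_matches(e.op, e.ports, dport)):
            return e.action
    return "deny"  # the implied deny all at the end of every ACL


# Design 1: deny specific traffic, then "permit ip any any" (fewer lines, less secure)
DENY_THEN_PERMIT = [
    Entry("deny", "tcp", "any", "10.0.0.0/24", "eq", (23,)),
    Entry("permit", "ip", "any", "any"),
]
# Design 2: permit only what is appropriate; everything else hits the implicit deny
PERMIT_ONLY = [
    Entry("permit", "tcp", "any", "10.0.0.0/24", "eq", (80,)),
    Entry("permit", "tcp", "any", "10.0.0.0/24", "range", (1024, 65535)),
]
# The common error from the text: an ACL with no permit statement permits nothing
DENY_ONLY = [Entry("deny", "tcp", "any", "any", "eq", (23,))]
```

Running evaluate() with the same constructed packet (tcp/22 from 192.0.2.9 to 10.0.0.5) against the three lists shows the deny-then-permit list permitting it, while both the permit-only list and the deny-only list fall through to the implicit deny.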
11.2.3 Named ACLs
IP named ACLs were introduced in Cisco IOS Software Release 11.2 to allow standard and
extended ACLs to be given names instead of numbers.
The advantages of a named access list are as follows:
• Intuitively identify an ACL with an alphanumeric name
• Eliminates the limit of 99 simple and 100 extended ACLs
• Ability to modify ACLs without deleting and then reconfiguring them
It is important to note that a named access list will allow the deletion of statements but will only
allow for statements to be inserted at the end of a list.
The configuration of a named ACL is very similar to the configuration of a standard or extended ACL. The first difference is that instead of starting the command with access-list, the named ACL uses ip access-list:
rt1(config)# ip access-list ?
extended Extended Access List
log-update Control access list log updates
logging Control access list logging
standard Standard Access List