Filtering IP Traffic 473
· Named access lists allow individual statements to be deleted. Numbered lists allow for deletion only of the entire list. Insertion of a new statement into a named list requires deletion and re-addition of all statements that should be later in the list than the newly added statement.
· The actual names used must be unique across all named access lists of all protocols and types on an individual router. Names can be duplicated on different routers.
The configuration syntax is very similar between named and numbered IP access lists. The
items that can be matched with a numbered standard IP access list are identical to the items that
can be matched with a named standard IP access list. Likewise, the items are identical with both
numbered and named extended IP access lists.
Two important differences exist between numbered and named access lists. One key difference
is that named access lists use a global command, which moves the user into a named IP access
list submode, under which the matching and permit/deny logic is configured. The other key
difference is that when a named matching statement is deleted, only that one statement is
deleted. With numbered lists, the deletion of any statement in the list deletes all the statements
in the list. (This feature will be demonstrated in more detail in an upcoming example.)
Table 7-7 lists the key configuration commands and shows their differences and similarities.
* These commands are subcommands of the previous command.
The word name represents a name created by the administrator. This name must be unique
among all named access lists of all types in this router. Note that because a named list
does not imply standard or extended by the value of a list number, the command
explicitly states the type of access list. The . . . represents all the matching parameters,
which are identical in meaning and syntax when comparing the respective numbered and named
IP access lists. Finally, the same command is used to enable the list on an interface for
both numbered and named lists.
Table 7-7  Comparison of Named and Numbered IP Access List Configuration Commands

Commands for matching packets: standard IP ACLs
  Numbered:  access-list 1-99 permit | deny . . .
  Named:     ip access-list standard name
             *permit | deny . . .

Commands for matching packets: extended IP ACLs
  Numbered:  access-list 100-199 permit | deny . . .
  Named:     ip access-list extended name
             *permit | deny . . .

Commands for enabling ACLs (standard)
  Numbered:  ip access-group 1-99 in | out
  Named:     ip access-group name in | out

Commands for enabling ACLs (extended)
  Numbered:  ip access-group 100-199 in | out
  Named:     ip access-group name in | out

* These commands are subcommands of the previous command.
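The following IOS configuration is an added example, not one of the book's own, showing the same standard filter written as a numbered list and as a named list, and then the deletion difference described above. The list number 5, the name BRANCH-IN, the interface, and the 172.16.x.x addresses are constructed for illustration.

```cisco
! Added example (not from the book). List number, name, interface and
! addresses are constructed.
!
! --- Numbered standard IP ACL (range 1-99): one global command per statement
access-list 5 permit 172.16.1.0 0.0.0.255
access-list 5 deny   172.16.2.0 0.0.0.255
access-list 5 permit any
!
interface Serial0
 ip access-group 5 in
!
! --- Named standard IP ACL: a global command enters the submode, and the
!     matching statements are subcommands (the * rows in Table 7-7)
ip access-list standard BRANCH-IN
 permit 172.16.1.0 0.0.0.255
 deny   172.16.2.0 0.0.0.255
 permit any
!
interface Serial0
 ip access-group BRANCH-IN in
!
! --- Deletion behaviour
! Named list: removing one statement leaves the other two in place.
ip access-list standard BRANCH-IN
 no deny 172.16.2.0 0.0.0.255
!
! Numbered list: there is no per-statement removal. This deletes all of
! list 5, so every statement must be re-entered afterwards. Detach the list
! from the interface first: an access-group that points at a list with no
! statements permits all packets, so Serial0 would otherwise be unfiltered
! while list 5 is being rebuilt.
interface Serial0
 no ip access-group 5 in
no access-list 5
```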
ch07.fm Page 473 Monday, March 20, 2000 5:14 PM