Command
IP Access-list
Use
This command is used to create named access-lists that match packets on given criteria. While access-lists are most commonly associated with security, they have numerous other uses.
The benefit of named access-lists is that you can assign a logical name and also reorder or edit individual entries as needed. A little-known fact is that you can also reorder numbered access-lists using this command.
Syntax
R1(config)#ip access-list <standard | extended> <name or number>
Options
The options are the same as for regular numbered access-lists.
Wildcard Masks
Wildcard masks tell an access-list which addresses an entry applies to. They are the inverse of the subnet mask: a 0 bit in the wildcard must match the network exactly, and a 1 bit is ignored.
For example, network 123.123.123.0 0.0.0.255 would match any IP address in the 123.123.123.0/24 network.
Because a /24 mask is 255.255.255.0, the inverse would be 0.0.0.255. For the network 34.77.108.0/29, the subnet mask would be 255.255.255.248 and the inverse would be 0.0.0.7.
Notice how each octet of the subnet mask and the corresponding octet of the wildcard mask add up to 255.
Example
In this example, an access-list is created on R2 that denies only packets sourced from the host 1.1.1.1, and the list is applied to Fa0/0.
R2(config)#ip access-list standard NO_R1_LOOP
Notice that only 1.1.1.1 is denied.
R1(config)#do ping 10.1.1.2 source 1.1.1.1
Type escape sequence to abort.
In this example, the named access-list is modified to deny anything in the 1.0.0.0/8 network instead of the host 1.1.1.1, by re-entering sequence number 10.
R2(config)#do show ip access-list NO_R1_LOOP
R2(config)#ip access-list standard NO_R1_LOOP
R2(config-std-nacl)#10 deny 1.0.0.0 0.255.255.255
In the next example, the numbered access-list 95 is edited in the same way to deny anything in the 1.0.0.0/8 network instead of the host 1.1.1.1.
R2(config)#ip access-list standard 95
R2(config-std-nacl)#10 deny 1.0.0.0 0.255.255.255
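As an added example (not part of this page or of IOS itself), the following Python models how a standard access-list such as NO_R1_LOOP is evaluated: wildcard-mask matching as described in the Wildcard Masks section, entries ordered by sequence number with the first match winning, re-entering a sequence number to overwrite an entry as done above, and the implicit deny at the end of every list. It assumes NO_R1_LOOP ends with a permit any entry, which the page implies but does not show; the function and class names are the example's own.

```python
import ipaddress

# Added example: a small model of IOS standard ACL evaluation, not IOS code.

def wildcard_from_prefix(prefix_len):
    """Inverse of the subnet mask for a /prefix_len network, e.g. /24 -> 0.0.0.255."""
    netmask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    return str(ipaddress.IPv4Address(netmask ^ 0xFFFFFFFF))

def wildcard_match(addr, network, wildcard):
    """True if addr falls in network/wildcard: wildcard bits set to 1 are ignored."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must match the network exactly
    return (a & care) == (n & care)

class StandardAcl:
    """Entries are kept by sequence number; the first matching entry wins."""
    def __init__(self, name):
        self.name = name
        self.entries = {}           # seq -> (action, network, wildcard)

    def add(self, seq, action, network, wildcard="0.0.0.0"):
        # Re-using a sequence number overwrites that entry, as 'ip access-list' allows.
        self.entries[seq] = (action, network, wildcard)

    def evaluate(self, src):
        for seq in sorted(self.entries):
            action, network, wildcard = self.entries[seq]
            if wildcard_match(src, network, wildcard):
                return action
        return "deny"               # implicit deny any at the end of every ACL

def build_no_r1_loop():
    """The page's NO_R1_LOOP list: deny host 1.1.1.1, then (assumed) permit any."""
    acl = StandardAcl("NO_R1_LOOP")
    acl.add(10, "deny", "1.1.1.1")                       # 'deny host 1.1.1.1'
    acl.add(20, "permit", "0.0.0.0", "255.255.255.255")  # 'permit any' (assumed)
    return acl

if __name__ == "__main__":
    acl = build_no_r1_loop()
    print("1.1.1.1 ->", acl.evaluate("1.1.1.1"))        # deny
    print("1.1.1.2 ->", acl.evaluate("1.1.1.2"))        # permit
    acl.add(10, "deny", "1.0.0.0", "0.255.255.255")     # the page's edit to seq 10
    print("1.1.1.2 ->", acl.evaluate("1.1.1.2"))        # deny
    print("/29 wildcard:", wildcard_from_prefix(29))    # 0.0.0.7
```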