Configuring named ACLs

Just like the numbered ACLs we’ve used so far, named ACLs allow you to filter network traffic according to various criteria. However, they have the following benefits over numbered ACLs:

  • an ACL can be assigned a meaningful name (e.g. filter_traffic_to_server)
  • ACL subcommands are used in the ACL configuration mode, and not in the global configuration mode as with numbered ACLs
  • you can reorder statements in a named access list using sequence numbers

Just like numbered ACLs, named ACLs can be of two types: standard and extended.

The named ACL name and type is defined using the following syntax:

(config) ip access-list STANDARD|EXTENDED NAME

The command above moves you to the ACL configuration mode, where you can configure the permit and deny statements. Just like with numbered ACLs, named ACLs end with the implicit deny statement, so any traffic not explicitly permitted will be denied.

We will use the following network in our configuration example:

[Figure: Configuring named ACL Cisco (network topology used in this example)]

We want to deny the user’s workstation ( any type of access to the Domain server ( We also want to enable the user unrestricted access to the File share (

First, we will create and name our ACL:

R1(config)#ip access-list extended allow_traffic_fileshare

Once inside the ACL config mode, we need to create a statement that will deny the user’s workstation access to the Domain server:

R1(config-ext-nacl)#20 deny ip

The number 20 represents the line in which we want to place this entry in the ACL. This allows us to reorder statements later if needed.

Now, we will execute a statement that will permit the workstation access to the File share:

R1(config-ext-nacl)#50 permit ip

Lastly, we need to apply the access list to the Gi0/0 interface on R1:

R1(config)#int Gi0/0
R1(config-if)#ip access-group allow_traffic_fileshare in

The commands above will force the router to evaluate all packets trying to enter Gi0/0. If the workstation tries to access the Domain server, the traffic will be forbidden because of the first ACL statement. However, if the user tries to access the File share, the traffic will be allowed because of the second statement.

Our named ACL configuration looks like this:

R1#show ip access-lists 
Extended IP access list allow_traffic_fileshare
    20 deny ip host host
    50 permit ip host host

Notice the sequence number at the beginning of each entry. If we need to stick a new entry between these two entries, we can do that by specifying a sequence number in the range between 20 and 50. If we don’t specify the sequence number, the entry will be added to the bottom of the list.
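The behaviour described above (entries ordered by sequence number, first match wins, implicit deny when nothing matches, new entries appended at the bottom unless a sequence number is given) can be modelled in a few lines of Python. This is an added example, not code from the tutorial or from Cisco: `NamedACL`, `Entry` and `build_example_acl` are hypothetical helpers, not an IOS API, and the 192.0.2.x addresses (RFC 5737 documentation range) are constructed stand-ins for the workstation, Domain server and File share whose addresses the page does not show.

```python
# Added example: a small model of Cisco-style named extended ACL semantics
# (sequence numbers, first-match evaluation, implicit deny). Hypothetical
# helper code, not an IOS API. Addresses are constructed from the RFC 5737
# documentation range and stand in for the hosts in the tutorial's diagram.
import ipaddress
from dataclasses import dataclass

WORKSTATION = "192.0.2.10"    # constructed: the user's workstation
DOMAIN_SERVER = "192.0.2.20"  # constructed: the Domain server
FILE_SHARE = "192.0.2.30"     # constructed: the File share


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol; otherwise "tcp", "udp", "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, proto, src, dst):
        proto_ok = self.proto == "ip" or self.proto == proto
        return proto_ok and src in self.src and dst in self.dst


def fmt_net(net):
    """Render a network the way 'show ip access-lists' does (host / any / wildcard mask)."""
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    if net.prefixlen == 0:
        return "any"
    return f"{net.network_address} {net.hostmask}"  # hostmask is exactly the Cisco wildcard mask


class NamedACL:
    def __init__(self, name):
        self.name = name
        self.entries = {}  # sequence number -> Entry

    def add(self, action, proto, src, dst, seq=None):
        """Add an entry; without an explicit seq it goes to the bottom (last + 10, as IOS does)."""
        if seq is None:
            seq = max(self.entries) + 10 if self.entries else 10
        if seq in self.entries:
            raise ValueError(f"sequence {seq} already in use")
        self.entries[seq] = Entry(seq, action, proto,
                                  ipaddress.ip_network(src), ipaddress.ip_network(dst))
        return seq

    def remove(self, seq):
        del self.entries[seq]

    def evaluate(self, proto, src, dst):
        """Walk entries in sequence order; first match wins. No match -> implicit deny."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for seq in sorted(self.entries):
            entry = self.entries[seq]
            if entry.matches(proto, s, d):
                return entry.action, seq
        return "deny", None

    def show(self):
        lines = [f"Extended IP access list {self.name}"]
        for seq in sorted(self.entries):
            e = self.entries[seq]
            lines.append(f"    {seq} {e.action} {e.proto} {fmt_net(e.src)} {fmt_net(e.dst)}")
        return "\n".join(lines)


def build_example_acl():
    """Reproduce the tutorial's two statements with the constructed addresses."""
    acl = NamedACL("allow_traffic_fileshare")
    acl.add("deny", "ip", WORKSTATION, DOMAIN_SERVER, seq=20)
    acl.add("permit", "ip", WORKSTATION, FILE_SHARE, seq=50)
    return acl


if __name__ == "__main__":
    acl = build_example_acl()
    print(acl.show())
    print(acl.evaluate("icmp", WORKSTATION, DOMAIN_SERVER))  # ('deny', 20)
    print(acl.evaluate("tcp", WORKSTATION, FILE_SHARE))      # ('permit', 50)
    print(acl.evaluate("tcp", WORKSTATION, "192.0.2.99"))   # ('deny', None): implicit deny
    acl.add("deny", "tcp", WORKSTATION, FILE_SHARE, seq=30) # slots in between 20 and 50
    print(acl.evaluate("tcp", WORKSTATION, FILE_SHARE))      # ('deny', 30): earlier entry now wins
```

Two points the model makes visible that the CLI output alone does not: a packet to any host not named in the list falls through to the `("deny", None)` result, which is the implicit deny at work, and inserting a TCP deny at sequence 30 changes the outcome for TCP while UDP to the File share is still permitted by entry 50, because evaluation stops at the first matching entry.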

We can use the ping command on the workstation to verify the traffic is being blocked properly:


Pinging with 32 bytes of data:

Reply from Destination host unreachable.
Reply from Destination host unreachable.
Reply from Destination host unreachable.
Reply from Destination host unreachable.

Ping statistics for
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),



Pinging with 32 bytes of data:

Reply from bytes=32 time<1ms TTL=127
Reply from bytes=32 time<1ms TTL=127
Reply from bytes=32 time<1ms TTL=127
Reply from bytes=32 time<1ms TTL=127

Ping statistics for
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

As you can see from the ping output above, the traffic is being filtered properly.

Prerequisites for 200-301

200-301 is a single exam, consisting of about 120 questions. It covers a wide range of topics, such as routing and switching, security, wireless networking, and even some programming concepts. As with other Cisco certifications, you can take it at any of the Pearson VUE certification centers.

The recommended training program that can be taken at a Cisco academy is called Implementing and Administering Cisco Solutions (CCNA). The successful completion of a training course will get you a training badge.
