A Named ACL is created with the ip access-list command and then applied to the interface using the access-group command. Named ACL syntax and description are shown below


Ciscoasa(config)# ip access-list {standard|extended} access-list-name


[sequence-number] {deny|permit} source [source- wildcard]



Ciscoasa(config-ext-nacl)# [sequence-number] {deny|permit} protocol source source-wildcard destination

  destination-wildcard [log]



Syntax Description 





Specifies a standard IP access list.





Specifies an extended IP access list.





Identifies an access list by the name. Also allows the creation and separation of multiple access lists.






Allows addition, removal and resequencing of individual access-control entries within the ACL.






Denies access if the conditions are matched.





Permits access if the conditions are matched.





Name or Number of an Internet Protocol such IP, TCP, UDP, EIGRP, OSPF etc






Specifies the IP address/network to match on the source IP address of the Packet. Use the any keyword as an abbreviation for a source and source-wildcard of






(Optional) Wildcard bits to be applied to the source






Specifies the IP address/network to match on the destination IP address of the Packet. Use the any keyword as an abbreviation for a destination and destination-wildcard of






(Optional) Wildcard bits to be applied to the destination





Causes an informational logging message about the packet that matches the entry to be sent to the console.





(Optional) Includes the input interface and source MAC address or VC in the logging output.


When we create a Named ACL using the ip access-list command the Cisco IOS will place the the CLI in access-list configuration mode, where we can define the denied or permitted access conditions with the deny and permit commands. The optional sequence-number keyword lets us add, delete or resequence specific entries in the ACL.

As mentioned previously Named ACLs were introduced in Cisco IOS to add flexibility and easier management of ACLs. Named ACLs can either standard or extended and the functionality remains the same.

Configuration Examples

We will use Named ACLs for the configuration examples we covered in our previous articles on Standard and Extended ACLs to demonstrate the fact that Named ACLs are only configuration enhancement and the actual ACL operation remains the same.

For example when we need to block an incoming telnet session from a host we can create a standard Named ACL and apply it to the vty lines as shown below

R1(config)# ip access-list standard TELNET

R1(config-std-nacl)# deny

R1(config-std-nacl)# permit any

R1(config)# line vty 0 4

R1(config)# access-class TELNET in


Similarly we can use an Extended Named ACL to deny traffic from a particular host accessing a particular host using a specific protocol.

R1(config)# ip access-list extended DENY_HOST_FTP

R1(config ext-nacl)# deny tcp host host eq FTP

R1(config ext-nacl)# permit ip any any

R1(config)# interface ethernet0/0

R1(config)# access-group DENY_HOST_FTP in


This brings us to the end of this lesson in which we covered Named ACLs, it is very important that we both have the theoretical and practical knowledge of ACLs to master the topic.