IPC-89

Configuring IP Services

Filtering IP Packets Using Access Lists

To create a standard access list, use the following commands in global configuration mode:

	Command			Purpose
Step 1
Step 1	Router(config)# access-listaccess-list-number remark			Indicates the purpose of the deny or permit
	remark			statement.1
Step 2	Router(config)# access-listaccess-list-number {deny			Defines a standard IP access list using a source
	permit} source [source-wildcard] [log]			address and wildcard.
	or
	Router(config)# access-listaccess-list-number {deny			Defines a standard IP access list using an
	permit} any [log]			abbreviation for the source and source mask of
				abbreviation for the source and source mask of
				0.0.0.0 255.255.255.255.

	1. This example configures the remark before the deny or permit statement. The remark can be configured after the deny or permit statement.
			The Cisco IOS software can provide logging messages about packets permitted or denied by a standard
			IP access list. That is, any packet that matches the access list will cause an informational logging
			message about the packet to be sent to the console. The level of messages logged to the console is
			controlled by the logging console global configuration command.
			The first packet that triggers the access list causes an immediate logging message, and subsequent
			packets are collected over 5-minute intervals before they are displayed or logged. The logging message
			includes the access list number, whether the packet was permitted or denied, the source IP address of the
			packet, and the number of packets from that source permitted or denied in the prior 5-minute interval.
			However, you can use the ip access-listlog-updatecommand to set the number of packets that, when
			match an access list (and are permitted or denied), cause the system to generate a log message. You might
			want to do this to receive log messages more frequently than at 5-minute intervals.

	Caution		If you set the number-of-matchesargument to 1, a log message is sent right away, rather than caching
			it; every packet that matches an access list causes a log message. A setting of 1 is not recommended
			because the volume of log messages could overwhelm the system.

			Even if you use the ip access-listlog-updatecommand, the 5-minute timer remains in effect, so each
			cache is emptied at the end of 5 minutes, regardless of the count of messages in each cache. Regardless
			of when the log message is sent, the cache is flushed and the count reset to 0 for that message the same
			way it is when a threshold is not specified.

		Note	The logging facility might drop some logging message packets if there are too many to be handled
			or if there is more than one logging message to be handled in 1 second. This behavior prevents the
			router from crashing due to too many logging packets. Therefore, the logging facility should not be
			used as a billing tool or an accurate source of the number of matches to an access list.


		Note	If you enable CEF and then create an access list that uses the log keyword, the packets that match the
			access list are not CEF switched. They are fast switched. Logging disables CEF.

For an example of a standard IP access list using logs, see the section “Numbered Access List Examples” at the end of this chapter.

Cisco IOS IP Configuration Guide

Cisco Systems 78-11741-02 manual IPC-89

Models: 78-11741-02

Command

0.0.0.0 255.255.255.255.