Configuring IP Services

Filtering IP Packets Using Access Lists

To create an extended access list, use the following commands in global configuration mode:

Step 1

Command: Router(config)# access-list access-list-number remark remark

Purpose: Indicates the purpose of the deny or permit statement. (1)

Step 2

Command: Router(config)# access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [established] [log | log-input] [time-range time-range-name] [fragments]

Purpose: Defines an extended IP access list number and the access conditions. Specifies a time range to restrict when the permit or deny statement is in effect. Use the log keyword to get access list logging messages, including violations. Use the log-input keyword to include the input interface, source MAC address, or VC in the logging output.

or

Command: Router(config)# access-list access-list-number {deny | permit} protocol any any [log | log-input] [time-range time-range-name] [fragments]

Purpose: Defines an extended IP access list using an abbreviation for a source and source wildcard of 0.0.0.0 255.255.255.255, and an abbreviation for a destination and destination wildcard of 0.0.0.0 255.255.255.255.

or

Command: Router(config)# access-list access-list-number {deny | permit} protocol host source host destination [log | log-input] [time-range time-range-name] [fragments]

Purpose: Defines an extended IP access list using an abbreviation for a source and source wildcard of source 0.0.0.0, and an abbreviation for a destination and destination wildcard of destination 0.0.0.0.

or

Command: Router(config)# access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [established] [log | log-input] [time-range time-range-name] [fragments]

Purpose: Defines a dynamic access list. For information about lock-and-key access, refer to the “Configuring Traffic Filters” chapter in the Cisco IOS Security Configuration Guide.

(1) This example configures the remark before the deny or permit statement. The remark can also be configured after the deny or permit statement.

Note: The fragments keyword is described in the “Specifying IP Extended Access Lists with Fragment Control” section.

After you create an access list, any subsequent additions (possibly entered from the terminal) are placed at the end of the list. In other words, you cannot selectively add or remove access list command lines at a specific position within an access list.

Note: When creating an access list, remember that, by default, the end of the access list contains an implicit deny statement for everything: any packet that has not matched an entry before reaching the end of the list is denied.
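The following added example (not Cisco code, and not an IOS implementation) models how the numbered extended access-list lines from the table above are evaluated: `any` expands to a wildcard of 255.255.255.255, `host` to a wildcard of 0.0.0.0, entries are tested in order with the first match winning, an entry appended later lands at the end and cannot override an earlier match, and a packet that matches nothing falls to the implicit deny. The access-list lines and the RFC 5737 documentation addresses are constructed sample input; only the protocol, source, destination and log keywords from the table are parsed, while precedence, tos, established, time-range and fragments are deliberately not modelled.

```python
"""Toy evaluator for Cisco IOS numbered extended access lists.

Added illustration, not Cisco code.  It models first-match evaluation,
wildcard-mask matching, the `any` / `host` abbreviations and the implicit
deny described in the text.  Only a subset of the syntax in the table is
parsed (protocol, source/wildcard, destination/wildcard, optional log or
log-input); precedence, tos, established, time ranges and fragments are
deliberately left out.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Entry:
    action: str            # "permit" or "deny"
    protocol: str          # "ip" matches everything; otherwise exact match
    src: int               # source address as a 32-bit integer
    src_wild: int          # source wildcard mask (1 bit = "don't care")
    dst: int
    dst_wild: int
    log: Optional[str]     # None, "log" or "log-input"
    text: str              # original line, reported as the matching entry


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Consume one address spec at tokens[i]; return (addr, wildcard, next).

    Expands the abbreviations from the table:
    `any`    -> 0.0.0.0 255.255.255.255
    `host A` -> A 0.0.0.0
    """
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one `access-list N {deny|permit} ...` line; a remark yields None."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list command: {line!r}")
    if tokens[2] == "remark":
        return None                      # remarks document, they do not filter
    action = tokens[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in {line!r}")
    protocol = tokens[3]
    src, src_wild, i = _parse_addr(tokens, 4)
    dst, dst_wild, i = _parse_addr(tokens, i)
    log = tokens[i] if i < len(tokens) and tokens[i] in ("log", "log-input") else None
    return Entry(action, protocol, src, src_wild, dst, dst_wild, log, line)


def _wild_match(addr: int, rule_addr: int, wildcard: int) -> bool:
    """Wildcard compare: only bits that are 0 in the wildcard must be equal."""
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (rule_addr & care)


def evaluate(entries: List[Entry], protocol: str, src: str, dst: str) -> Tuple[str, Optional[str]]:
    """Return (action, matched_line). First match wins; no match is the implicit deny."""
    s, d = _ip(src), _ip(dst)
    for e in entries:
        if e.protocol not in ("ip", protocol):
            continue
        if _wild_match(s, e.src, e.src_wild) and _wild_match(d, e.dst, e.dst_wild):
            return e.action, e.text
    return "deny", None                  # implicit deny at the end of every list


def load(lines: List[str]) -> List[Entry]:
    return [e for e in map(parse_entry, lines) if e is not None]


# Constructed sample list (RFC 5737 documentation addresses, not real hosts).
SAMPLE_ACL = [
    "access-list 101 remark lab segment may not open TCP sessions to the mgmt server",
    "access-list 101 deny tcp 192.0.2.0 0.0.0.255 host 198.51.100.10 log",
    "access-list 101 permit ip 192.0.2.0 0.0.0.255 any",
    "access-list 101 permit icmp any any",
    # Appended later: it is placed at the end, so the deny above still wins
    # for 192.0.2.7 -> 198.51.100.10 and this line is never reached.
    "access-list 101 permit tcp host 192.0.2.7 host 198.51.100.10",
]


if __name__ == "__main__":
    acl = load(SAMPLE_ACL)
    for proto, s, d in [("tcp", "192.0.2.7", "198.51.100.10"),
                        ("udp", "192.0.2.7", "203.0.113.5"),
                        ("icmp", "203.0.113.5", "198.51.100.10"),
                        ("tcp", "203.0.113.5", "198.51.100.10")]:
        action, line = evaluate(acl, proto, s, d)
        print(f"{proto:4} {s:>13} -> {d:<14} {action:6} {line or '(implicit deny)'}")
```

Running the block shows the last packet hitting the implicit deny with no entry reported, and the first packet being denied by the logged entry even though a more specific permit for the same host was added afterwards; on a real router the only way to put that permit ahead of the deny is to rebuild the list in the intended order.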

Cisco IOS IP Configuration Guide

IPC-90
