IPC-90

Configuring IP Services

Filtering IP Packets Using Access Lists

To create an extended access list, use the following commands in global configuration mode:

	Command	Purpose
Step 1
Step 1	Router(config)# access-listaccess-list-number	Indicates the purpose of the deny or permit
	remark remark	statement.1
Step 2	Router(config)# access-listaccess-list-number {deny	Defines an extended IP access list number and the
	permit} protocol source source-wildcard	access conditions. Specifies a time range to restrict
	destination destination-wildcard [precedence	when the permit or deny statement is in effect. Use
	precedence] [tos tos] [established] [log	when the permit or deny statement is in effect. Use
	precedence] [tos tos] [established] [log	the log keyword to get access list logging messages,
	log-input][time-range time-range-name] [fragments]	the log keyword to get access list logging messages,
	log-input][time-range time-range-name] [fragments]	including violations. Use the log-inputkeyword to
		including violations. Use the log-inputkeyword to
		include input interface, source MAC address, or VC
		in the logging output.
	or	or
	or
	Router(config)# access-listaccess-list-number {deny	Defines an extended IP access list using an
	Router(config)# access-listaccess-list-number {deny	abbreviation for a source and source wildcard of
	permit} protocol any any [log log-input]	abbreviation for a source and source wildcard of
	[time-range time-range-name] [fragments]	0.0.0.0 255.255.255.255, and an abbreviation for a
		destination and destination wildcard of 0.0.0.0
		255.255.255.255.
	or	or
		or
	Router(config)# access-listaccess-list-number {deny	Defines an extended IP access list using an
	permit} protocol host source host destination [log	Defines an extended IP access list using an
	permit} protocol host source host destination [log	abbreviation for a source and source wildcard of
	log-input][time-range time-range-name][fragments]	abbreviation for a source and source wildcard of
	log-input][time-range time-range-name][fragments]	source 0.0.0.0, and an abbreviation for a destination
		source 0.0.0.0, and an abbreviation for a destination
		and destination wildcard of destination 0.0.0.0.
	or	or
		or
	Router(config)# access-listaccess-list-number	Defines a dynamic access list. For information about
	Router(config)# access-listaccess-list-number	lock-and-key access, refer to the “Configuring Traffic
	[dynamic dynamic-name[timeout minutes]] {deny	lock-and-key access, refer to the “Configuring Traffic
	[dynamic dynamic-name[timeout minutes]] {deny	Filters” chapter in the Cisco IOS Security
	permit} protocol source source-wildcard destination	Filters” chapter in the Cisco IOS Security
	destination-wildcard [precedence precedence] [tos	Configuration Guide.
	tos] [established] [log log-input][time-range
	time-range-name] [fragments]

1. This example configures the remark before the deny or permit statement. The remark can be configured after the deny or permit statement.

Note The fragments keyword is described in the Specifying IP Extended Access Lists with Fragment Control section.

After you create an access list, you place any subsequent additions (possibly entered from the terminal) at the end of the list. In other words, you cannot selectively add or remove access list command lines from a specific access list.

Note When creating an access list, remember that, by default, the end of the access list contains an implicit deny statement for everything if it did not find a match before reaching the end.

Cisco IOS IP Configuration Guide

Cisco Systems 78-11741-02 manual IPC-90

Models: 78-11741-02

Command

Filters” chapter in the Cisco IOS Security

Configuration Guide.

tos] [established] [log log-input][time-range