IPC-92

Configuring IP Services

Filtering IP Packets Using Access Lists

To create an extended access list, use the following commands beginning in global configuration mode:

Step 1	Router(config)# ip access-list extended name	Defines an extended IP access list using a name and
		enters extended named access list configuration
		mode.

Step 2	Router(config-ext-nacl)# remark remark	Allows you to comment about the following deny or
		permit statement in a named access list.1
Step 3	Router(config-ext-nacl)# deny permit protocol	In access-list configuration mode, specifies the
	source source-wildcard destination	conditions allowed or denied. Specifies a time range
	destination-wildcard [precedence precedence] [tos	to restrict when the permit or deny statement is in
	tos] [established] [log log-input][time-range	to restrict when the permit or deny statement is in
	tos] [established] [log log-input][time-range	effect. Use the log keyword to get access list logging
	time-range-name] [fragments]	effect. Use the log keyword to get access list logging
	time-range-name] [fragments]	messages, including violations. Use the log-input
		messages, including violations. Use the log-input
		keyword to include input interface, source MAC
		address, or VC in the logging output.
	or	or
	Router(config-ext-nacl)# deny permit protocol any	Defines an extended IP access list using an
	any [log log-input][time-range time-range-name]	abbreviation for a source and source wildcard of
	[fragments]	0.0.0.0 255.255.255.255, and an abbreviation for a
		0.0.0.0 255.255.255.255, and an abbreviation for a
		destination and destination wildcard of 0.0.0.0
		255.255.255.255.
	or	or
		or
	Router(config-ext-nacl) deny permit protocol host	Defines an extended IP access list using an
	source host destination [log log-input]	Defines an extended IP access list using an
	source host destination [log log-input]	abbreviation for a source and source wildcard of
	[time-range time-range-name] [fragments]	abbreviation for a source and source wildcard of
	[time-range time-range-name] [fragments]	source 0.0.0.0, and an abbreviation for a destination
		source 0.0.0.0, and an abbreviation for a destination
		and destination wildcard of destination 0.0.0.0.
	or	or
	or
	Router(config-ext-nacl)# dynamic dynamic-name	Defines a dynamic access list.
	[timeout minutes] {deny permit} protocol source
	source-wildcard destination destination-wildcard
	[precedence precedence] [tos tos] [established] [log
	log-input][time-range time-range-name]
	[fragments]

1. This example configures the remark before the deny or permit statement. The remark can be configured after the deny or permit statement.

Note Autonomous switching is not used when you have extended access lists.

Note The fragments keyword is described in the Specifying IP Extended Access Lists with Fragment Control section.

After you initially create an access list, you place any subsequent additions (possibly entered from the terminal) at the end of the list. In other words, you cannot selectively add access list command lines to a specific access list. However, you can use no permit and no deny commands to remove entries from a named access list.

Cisco IOS IP Configuration Guide

Cisco Systems 78-11741-02 manual IPC-92

Models: 78-11741-02

Defines a dynamic access list.

log-input][time-range time-range-name]

[fragments]