General Security Commands
16-84 Configuring Security

access-list (extended)

This command defines an extended IP Access List (ACL) by number, ranging from 100 to 199. You can restrict or allow the following traffic:
• IP (any Internet Protocol)
• TCP (Transmission Control Protocol)
• UDP (User Datagram Protocol)
• ICMP (Internet Control Message Protocol)
• ESP (Encapsulating Security Payload)
• GRE (Generic Routing Encapsulation) protocol
• AH (Authentication Header) protocol
New and existing ACL entries can be added or replaced in a particular ACL without you having to rewrite the entire ACL, by using the insert/replace number parameters. If neither the insert nor the replace option is specified, the new entry is appended to the list. This is noteworthy because ACL criteria are evaluated in the order displayed by the show access-list command.
Apply the restrictions defined by an ACL with the ip access-group command.
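The ordering behaviour described above, as an added example that is not part of the manual: a small model of an extended ACL with append, insert and replace semantics and first-match evaluation, showing why an appended permit can be shadowed by an earlier deny. Assumptions not taken from the page: 1-based entry numbers as shown by show access-list, wildcard bits where a 1 bit means "ignore", and an implicit deny when no entry matches.

```python
# Added example (not the manual's own code): models how entries of an
# extended ACL are ordered and evaluated first-match, so that insert/replace
# versus append changes the result. Assumed: 1-based entry numbers as shown by
# "show access-list", wildcard bits where 1 = ignore, implicit deny at the end.
import ipaddress
from dataclasses import dataclass
@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    protocol: str                # "ip" matches any protocol
    src: str                     # source IP address
    src_wild: str = "0.0.0.0"    # srcWildCardBits; 0.0.0.0 = exact host

    def matches(self, proto: str, src_ip: str) -> bool:
        if self.protocol not in ("ip", proto):
            return False
        base, wild, addr = (int(ipaddress.ip_address(x)) for x in (self.src, self.src_wild, src_ip))
        return (base & ~wild) == (addr & ~wild)   # wildcard bits are ignored

class AccessList:
    def __init__(self, number: int):
        if not 100 <= number <= 199:
            raise ValueError("extended ACL numbers range from 100 to 199")
        self.number, self.entries = number, []

    def add(self, entry: Entry, insert: int = 0, replace: int = 0) -> None:
        """No option: append. insert N: place before entry N. replace N: overwrite entry N."""
        if insert:
            self.entries.insert(insert - 1, entry)
        elif replace:
            if not 1 <= replace <= len(self.entries):
                raise IndexError("replace target entry# must already exist")
            self.entries[replace - 1] = entry
        else:
            self.entries.append(entry)

    def evaluate(self, proto: str, src_ip: str) -> str:
        for e in self.entries:           # same order "show access-list" displays
            if e.matches(proto, src_ip):
                return e.action
        return "deny"                    # assumed implicit deny (not stated by the manual)

def demo() -> tuple:
    acl = AccessList(101)
    acl.add(Entry("deny", "ip", "10.1.1.0", "0.0.0.255"))  # entry 1: deny whole subnet
    acl.add(Entry("permit", "tcp", "10.1.1.50"))            # appended as entry 2: shadowed
    shadowed = acl.evaluate("tcp", "10.1.1.50")            # "deny"
    acl.add(Entry("permit", "tcp", "10.1.1.50"), insert=1)  # now entry 1; deny shifts to 2
    fixed = acl.evaluate("tcp", "10.1.1.50")               # "permit"
    return shadowed, fixed
```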
Syntax
access-list list# {insert | replace} entry# {deny | permit} {protocol} | {log}
    {srcIpAddr [srcWildCardBits] | [qualifier] | source-port | host srcIpAddr | any}
    range min-sport | max-sport
    {dstIpAddr [dstWildCardBits] | [qualifier] | destn-port | host dstIpAddr | any} [established]
    range min-dprt | max-dprt
    type [code]
list#      Extended ACL number, ranging from 100-199.
insert     New access entry is inserted before existing entry# in the existing ACL. The show access-list command from within Global mode sequentially numbers entries for this purpose.
replace    New access entry replaces an entry# in the existing ACL (the entry# must already exist).
entry#     Entry's list number within the ACL. No number is required for the first entry.
deny       Access is denied if the specified conditions are met.
permit     Access is permitted if the conditions are met.
protocol   Specifies the IP protocol: IP, TCP, UDP, ICMP, ESP, GRE, or AH. IP represents any protocol.
log        Enables alarm logging and reporting of source IP addresses for configured ACL entries.
srcIPAddr  The source, expressed by IP address.