Filter
Top Products
Configuring IP Services
Filtering IP Packets Using Access Lists
IPC-88
Cisco IOS IP Configuration Guide
2. Apply the access list to interfaces or terminal lines.
These and other tasks are described in this section and are labeled as required or optional. Either the first
or second task is required, depending on whether you identify your access list with a number or a name.
• Creating Standard and Extended Access Lists Using Numbers (Required)
• Creating Standard and Extended Access Lists Using Names (Required)
• Specifying IP Extended Access Lists with Fragment Control (Optional)
• Enabling Turbo Access Control Lists (Optional)
• Applying Time Ranges to Access Lists (Optional)
• Including Comments About Entries in Access Lists (Optional)
• Applying Access Lists (Required)
Creating Standard and Extended Access Lists Using Numbers
Cisco IOS software supports the following types of access lists for IP:
• Standard IP access lists that use source addresses for matching operations.
• Extended IP access lists that use source and destination addresses for matching operations, and
optional protocol type information for finer granularity of control.
• Dynamic extended IP access lists that grant access per user to a specific source or destination host
basis through a user authentication process. In essence, you can allow user access through a firewall
dynamically, without compromising security restrictions. Dynamic access lists and lock-and-key
access are described in the “Configuring Traffic Filters” chapter of the Cisco IOS Security
Configuration Guide.
• Reflexive access lists that allow IP packets to be filtered based on session information. Reflexive
access lists contain temporary entries, and are nested within an extended, named IP access list. For
information on reflexive access lists, refer to the “Configuring IP Session Filtering (Reflexive
Access Lists)” chapter in the Cisco IOS Security Configuration Guide and the “Reflexive Access
List Commands” chapter in the Cisco IOS Security Command Reference.
Note Release 11.1 introduced substantial changes to IP access lists. These extensions are backward
compatible; migrating from a release earlier than Release 11.1 to the current release will convert your
access lists automatically. However, the current implementation of access lists is incompatible with
Cisco IOS Release 11.1 or earlier. If you create an access list using the current Cisco IOS release and
then load older Cisco IOS software, the resulting access list will not be interpreted correctly. This
condition could cause you severe security problems. Save your old configuration file before booting
Release 11.1 or earlier images.