Filter
Top Products
Configuring IP Services
Filtering IP Packets Using Access Lists
IPC-89
Cisco IOS IP Configuration Guide
To create a standard access list, use the following commands in global configuration mode:
The Cisco IOS software can provide logging messages about packets permitted or denied by a standard
IP access list. That is, any packet that matches the access list will cause an informational logging
message about the packet to be sent to the console. The level of messages logged to the console is
controlled by the logging console global configuration command.
The first packet that triggers the access list causes an immediate logging message, and subsequent
packets are collected over 5-minute intervals before they are displayed or logged. The logging message
includes the access list number, whether the packet was permitted or denied, the source IP address of the
packet, and the number of packets from that source permitted or denied in the prior 5-minute interval.
However, you can use the ip access-list log-update command to set the number of packets that, when
match an access list (and are permitted or denied), cause the system to generate a log message. You might
want to do this to receive log messages more frequently than at 5-minute intervals.
Caution If you set the number-of-matches argument to 1, a log message is sent right away, rather than caching
it; every packet that matches an access list causes a log message. A setting of 1 is not recommended
because the volume of log messages could overwhelm the system.
Even if you use the ip access-list log-update command, the 5-minute timer remains in effect, so each
cache is emptied at the end of 5 minutes, regardless of the count of messages in each cache. Regardless
of when the log message is sent, the cache is flushed and the count reset to 0 for that message the same
way it is when a threshold is not specified.
Note The logging facility might drop some logging message packets if there are too many to be handled
or if there is more than one logging message to be handled in 1 second. This behavior prevents the
router from crashing due to too many logging packets. Therefore, the logging facility should not be
used as a billing tool or an accurate source of the number of matches to an access list.
Note If you enable CEF and then create an access list that uses the log keyword, the packets that match the
access list are not CEF switched. They are fast switched. Logging disables CEF.
For an example of a standard IP access list using logs, see the section “Numbered Access List Examples”
at the end of this chapter.
Command Purpose
Step 1
Router(config)# access-list access-list-number remark
remark
Indicates the purpose of the deny or permit
statement.
1
1. This example configures the remark before the deny or permit statement. The remark can be configured after the deny or permit statement.
Step 2
Router(config)# access-list access-list-number {deny |
permit} source [source-wildcard] [log]
or
Router(config)# access-list access-list-number {deny |
permit} any [log]
Defines a standard IP access list using a source
address and wildcard.
Defines a standard IP access list using an
abbreviation for the source and source mask of
0.0.0.0 255.255.255.255.