Cisco Systems 78-11741-02 Wireless Office Headset User Manual


 
Configuring IP Services
Filtering IP Packets Using Access Lists
Cisco IOS IP Configuration Guide
To create an extended access list, use the following commands in global configuration mode:
Note: The fragments keyword is described in the "Specifying IP Extended Access Lists with Fragment
Control" section.
After you create an access list, you place any subsequent additions (possibly entered from the terminal)
at the end of the list. In other words, you cannot selectively add or remove access list command lines
from a specific access list.
Note: When creating an access list, remember that, by default, the end of the access list contains an
implicit deny statement for everything. A packet that matches no entry before reaching the end of the
list is denied.
Step 1
  Command:
    Router(config)# access-list access-list-number remark remark
  Purpose:
    Indicates the purpose of the deny or permit statement. (1)

Step 2
  Command:
    Router(config)# access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [established] [log | log-input] [time-range time-range-name] [fragments]
  Purpose:
    Defines an extended IP access list number and the access conditions. Specifies a time range to
    restrict when the permit or deny statement is in effect. Use the log keyword to get access list
    logging messages, including violations. Use the log-input keyword to include input interface,
    source MAC address, or VC in the logging output.

  or

  Command:
    Router(config)# access-list access-list-number {deny | permit} protocol any any [log | log-input] [time-range time-range-name] [fragments]
  Purpose:
    Defines an extended IP access list using an abbreviation for a source and source wildcard of
    0.0.0.0 255.255.255.255, and an abbreviation for a destination and destination wildcard of
    0.0.0.0 255.255.255.255.

  or

  Command:
    Router(config)# access-list access-list-number {deny | permit} protocol host source host destination [log | log-input] [time-range time-range-name] [fragments]
  Purpose:
    Defines an extended IP access list using an abbreviation for a source and source wildcard of
    source 0.0.0.0, and an abbreviation for a destination and destination wildcard of
    destination 0.0.0.0.

  or

  Command:
    Router(config)# access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [established] [log | log-input] [time-range time-range-name] [fragments]
  Purpose:
    Defines a dynamic access list. For information about lock-and-key access, refer to the
    "Configuring Traffic Filters" chapter in the Cisco IOS Security Configuration Guide.

(1) This example configures the remark before the deny or permit statement. The remark can be
configured after the deny or permit statement.
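
The following Python sketch is an added example, not part of the Cisco guide. It models how a list built with these commands is evaluated: entries are checked in the order entered, wildcard bits set to 1 are ignored, any and host expand to the abbreviations described above, and a packet that matches nothing hits the implicit deny. List number 101 and all addresses are constructed sample values, and only the protocol, source and destination fields are modeled.

```python
import ipaddress

# Constructed sample list. The last entry was appended later to exempt one host,
# but additions go to the end of the list, so the earlier deny still matches first.
ACL = """
access-list 101 remark block the lab subnet from the server
access-list 101 deny ip 10.1.2.0 0.0.0.255 host 192.0.2.10
access-list 101 permit tcp 10.1.0.0 0.0.255.255 host 192.0.2.10 log
access-list 101 permit ip host 10.1.2.50 host 192.0.2.10
"""

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A', or 'A wildcard'."""
    head = tokens.pop(0)
    if head == "any":                 # abbreviation for 0.0.0.0 255.255.255.255
        return 0, 0xFFFFFFFF
    if head == "host":                # abbreviation for A 0.0.0.0
        return _ip(tokens.pop(0)), 0
    return _ip(head), _ip(tokens.pop(0))

def parse_acl(text):
    """Parse 'access-list N {permit|deny} protocol src dst' lines, keeping order."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue                  # remarks document the list; they do not filter
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src = _take_addr(rest)
        dst = _take_addr(rest)        # trailing keywords such as log are ignored here
        entries.append((action, proto, src, dst))
    return entries

def _match(addr, spec):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF     # a wildcard bit of 1 means "ignore this bit"
    return (_ip(addr) & care) == (base & care)

def evaluate(entries, proto, src, dst):
    """Return (action, entry number); the first matching entry wins."""
    for number, (action, e_proto, e_src, e_dst) in enumerate(entries, 1):
        if e_proto in ("ip", proto) and _match(src, e_src) and _match(dst, e_dst):
            return action, number
    return "deny", None               # implicit deny at the end of the list
```

Evaluating TCP from 10.1.2.50 to 192.0.2.10 returns the deny from entry 1, which shows why an exemption appended after a broader deny has no effect until the list is rebuilt in the intended order.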