Filter
Top Products
Configuring IP Services
Filtering IP Packets Using Access Lists
IPC-92
Cisco IOS IP Configuration Guide
To create an extended access list, use the following commands beginning in global configuration mode:
Note Autonomous switching is not used when you have extended access lists.
Note The fragments keyword is described in the Specifying IP Extended Access Lists with Fragment
Control section.
After you initially create an access list, you place any subsequent additions (possibly entered from the
terminal) at the end of the list. In other words, you cannot selectively add access list command lines to
a specific access list. However, you can use no permit and no deny commands to remove entries from
a named access list.
Step 1
Router(config)# ip access-list extended name
Defines an extended IP access list using a name and
enters extended named access list configuration
mode.
Step 2
Router(config-ext-nacl)# remark remark
Allows you to comment about the following deny or
permit statement in a named access list.
1
1. This example configures the remark before the deny or permit statement. The remark can be configured after the deny or permit statement.
Step 3
Router(config-ext-nacl)# deny | permit protocol
source source-wildcard destination
destination-wildcard [precedence precedence] [tos
tos] [established] [log | log-input] [time-range
time-range-name] [fragments]
or
Router(config-ext-nacl)# deny | permit protocol any
any [log | log-input] [time-range time-range-name]
[fragments]
or
Router(config-ext-nacl) deny | permit protocol host
source host destination [log | log-input]
[time-range time-range-name] [fragments]
or
Router(config-ext-nacl)# dynamic dynamic-name
[timeout minutes] {deny | permit} protocol source
source-wildcard destination destination-wildcard
[precedence precedence] [tos tos] [established] [log
| log-input] [time-range time-range-name]
[fragments]
In access-list configuration mode, specifies the
conditions allowed or denied. Specifies a time range
to restrict when the permit or deny statement is in
effect. Use the log keyword to get access list logging
messages, including violations. Use the log-input
keyword to include input interface, source MAC
address, or VC in the logging output.
or
Defines an extended IP access list using an
abbreviation for a source and source wildcard of
0.0.0.0 255.255.255.255, and an abbreviation for a
destination and destination wildcard of 0.0.0.0
255.255.255.255.
or
Defines an extended IP access list using an
abbreviation for a source and source wildcard of
source 0.0.0.0, and an abbreviation for a destination
and destination wildcard of destination 0.0.0.0.
or
Defines a dynamic access list.