Enterasys Networks XSR CLI Router User Manual

16-84 Configuring Security
General Security Commands
access-list (extended)
This command defines an extended IP Access List (ACL) by number, ranging from 100 to 199. You can restrict or allow the following traffic:
• IP (any Internet Protocol)
• TCP (Transmission Control Protocol)
• UDP (User Datagram Protocol)
• ICMP (Internet Control Message Protocol)
• ESP (Encapsulating Security Payload)
• GRE (Generic Routing Encapsulation) protocol
• AH (Authentication Header) protocol
New and existing ACL entries can be added or replaced in a particular ACL without you having to rewrite the entire ACL, by using the insert/replace number parameters. If neither the insert nor the replace option is specified, the new entry is appended to the list. This is noteworthy because ACL criteria are evaluated in the order displayed by the show access-list command.
Apply the restrictions defined by an ACL with the ip access-group command.
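To make the ordering point concrete, the following Python model (an added example, not code from the XSR manual or product) implements the insert / replace / append semantics and top-down first-match evaluation described above, then shows a deny entry that is shadowed by an earlier permit-any until it is moved ahead with insert. The implicit deny for unmatched traffic, the port matching, and the IP addresses are assumptions of the example, not statements of the manual.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")

def wildcard_to_network(addr: str, wildcard_bits: str = "0.0.0.0") -> ipaddress.IPv4Network:
    """Turn 'IpAddr WildCardBits' into a network; wildcard 0.0.0.0 means a single host.
    Assumes a contiguous wildcard (anything else raises ValueError)."""
    netmask = (~int(ipaddress.IPv4Address(wildcard_bits))) & 0xFFFFFFFF
    return ipaddress.ip_network((addr, str(ipaddress.IPv4Address(netmask))), strict=False)

@dataclass
class AclEntry:
    action: str                  # "permit" or "deny"
    protocol: str                # "ip" matches any protocol, else tcp/udp/icmp/esp/gre/ah
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # destination port; None matches any port

class ExtendedAcl:
    """Ordered extended ACL with the insert / replace / append semantics described above."""
    def __init__(self) -> None:
        self.entries: List[AclEntry] = []  # entry# (1-based, as 'show access-list' shows) = index + 1
    def add(self, entry: AclEntry, insert: Optional[int] = None, replace: Optional[int] = None) -> None:
        if replace is not None:
            if not 1 <= replace <= len(self.entries):
                raise IndexError("replace: entry# must already exist")
            self.entries[replace - 1] = entry
        elif insert is not None:
            self.entries.insert(insert - 1, entry)  # placed before existing entry#
        else:
            self.entries.append(entry)              # neither option given: append
    def evaluate(self, proto: str, src_ip: str, dst_ip: str, dport: Optional[int] = None) -> str:
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for e in self.entries:  # evaluated top-down; the first matching entry decides
            if (e.protocol in ("ip", proto) and src in e.src and dst in e.dst
                    and (e.dport is None or e.dport == dport)):
                return e.action
        return "deny"           # assumption: traffic matching no entry is denied

def shadowed_deny_demo() -> Tuple[str, str]:
    """Constructed case: a deny appended after a permit-any is never reached until moved up."""
    acl = ExtendedAcl()
    acl.add(AclEntry("permit", "ip", ANY, ANY))                                      # entry 1
    block = AclEntry("deny", "tcp", wildcard_to_network("192.0.2.0", "0.0.0.255"), ANY, 23)
    acl.add(block)                                                                   # entry 2, shadowed
    before = acl.evaluate("tcp", "192.0.2.7", "198.51.100.1", 23)                    # "permit"
    acl.add(block, insert=1)                                                         # now entry 1
    after = acl.evaluate("tcp", "192.0.2.7", "198.51.100.1", 23)                     # "deny"
    return before, after
```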
Syntax
access-list list# {insert | replace} entry# {deny | permit} {protocol} | {log}
{srcIpAddr [srcWildCardBits] | [qualifier] | source-port |
host srcIpAddr | any} range min-sport | max-sport
{dstIpAddr [dstWildCardBits] | [qualifier] | destn-port |
host dstIpAddr | any} [established]
range min-dprt | max-dprt
type [code]
list#        Extended ACL number, ranging from 100 to 199.
insert       The new access entry is inserted before existing entry# in the existing ACL. The show access-list command from within Global mode sequentially numbers entries for this purpose.
replace      The new access entry replaces entry# in the existing ACL (the entry# must already exist).
entry#       The entry's list number within the ACL. No number is required for the first entry.
deny         Access is denied if the specified conditions are met.
permit       Access is permitted if the specified conditions are met.
protocol     Specifies the IP protocol: IP, TCP, UDP, ICMP, ESP, GRE, or AH. IP represents any protocol.
log          Enables alarm logging and reporting of source IP addresses for configured ACL entries.
srcIpAddr    The source, expressed as an IP address.