Whether you are creating a standard or
extended access list, you need to complete the following tasks:
- Create an access list in global configuration mode by specifying an access-list number and access conditions.
- Define a standard IP access list using a source address and wildcard.
- Define an extended access list using source and destination addresses, as well as optional protocol-type information for finer granularity of control.
- Apply the access list to traffic transiting an interface or terminal line.
After an access list is created, you can apply it to one or more
interfaces. Access lists can be applied against either outbound or
inbound traffic.
Standard Access-List Commands
There are two access list commands:
- access-list
- ip access-group
The access-list Command
Use the access-list command to create an entry in a standard traffic filter list (numbered 1–99). The source may be given as an address plus an optional wildcard mask, or as the keyword any:
access-list access-list-number {permit | deny} {source [source-wildcard] | any}
The ip access-group Command
Use the ip access-group command to link an existing access list to the traffic flowing through an interface. Each interface may have both an inbound and an outbound access list. The individual lines of a list are associated with each other by the access-list number they share; together they form the access list.
The lines are maintained in the configuration file in order of entry. New lines are always appended to the bottom of the list, meaning that it is not possible to insert or remove individual lines in the middle of the access list. Therefore, you may want to compose your access lists with a text editor on a separate device and download them to the router rather than configuring them directly through the router interface. You will, however, want to know how to use the router interface for access-list configuration in an emergency, such as during fault isolation, where you are identifying the source of a communication problem.
You can eliminate the entire list by typing no access-list access-list-number, or you can unapply the list from an interface by typing the no ip access-group access-list-number command. The list is applied to an interface by referring to the access-list number in the ip access-group interface configuration command. The in keyword configures the access list for inbound traffic, and the out keyword is used for outbound traffic. It is highly recommended that you include comments and code this keyword explicitly for clarity. (The default for Cisco IOS Release 11.0 is out.)
An interface can have one access list active per network-layer
protocol per direction. For example, the interface can have one
input and one output IP access list, either standard or extended,
one IPX access list, one AppleTalk access list, and so on.
A single access list may be applied to more than one interface at a time. More than one interface can be included in the group described by the ip access-group command. All designated interfaces in the group will permit or deny packets based on the tests in the access-list statements.
ip access-group access-list-number {in | out}
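As an added illustration (not part of the original text), the following Python evaluator parses standard access-list entries in the syntax shown above and walks them in configuration order, showing why line order matters when new lines can only ever be appended to the bottom. It assumes two standard IOS behaviours not spelled out on this page: every list ends in an implicit deny, and any is shorthand for 0.0.0.0 255.255.255.255; the addresses and list are constructed samples.

```python
"""Evaluate Cisco IOS standard (numbered 1-99) access-list entries against
source addresses, using IOS wildcard-mask semantics and first-match order."""
import ipaddress
import re

# Syntax from the page: access-list <n> {permit|deny} {<source> [<wildcard>] | any}
_ENTRY = re.compile(
    r"^access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+"
    r"(?:(?P<any>any)|(?P<src>\d+\.\d+\.\d+\.\d+)(?:\s+(?P<wc>\d+\.\d+\.\d+\.\d+))?)\s*$"
)


def parse_entry(line):
    """Parse one line into (number, action, source_int, wildcard_int).
    A missing wildcard defaults to 0.0.0.0 (exact host match), as in IOS."""
    m = _ENTRY.match(line.strip())
    if not m:
        raise ValueError(f"not a standard access-list entry: {line!r}")
    num = int(m.group("num"))
    if not 1 <= num <= 99:
        raise ValueError(f"standard lists are numbered 1-99, got {num}")
    if m.group("any"):
        src, wc = 0, 0xFFFFFFFF  # assumed IOS behaviour: any == 0.0.0.0 255.255.255.255
    else:
        src = int(ipaddress.IPv4Address(m.group("src")))
        wc = int(ipaddress.IPv4Address(m.group("wc") or "0.0.0.0"))
    return num, m.group("action"), src, wc


def matches(src_ip, source, wildcard):
    """IOS wildcard match: a 1 bit in the wildcard means 'don't care'."""
    return (int(ipaddress.IPv4Address(src_ip)) ^ source) & ~wildcard & 0xFFFFFFFF == 0


def evaluate(config_lines, list_number, src_ip):
    """Walk one list's entries in configuration order; the first match wins.
    Returns 'permit', 'deny', or 'deny (implicit)' when no entry matched
    (assumed IOS behaviour: an implicit deny-all ends every list)."""
    for line in config_lines:
        num, action, source, wildcard = parse_entry(line)
        if num == list_number and matches(src_ip, source, wildcard):
            return action
    return "deny (implicit)"


# Constructed sample list: block one host, block a /24, allow everything else.
SAMPLE_ACL = [
    "access-list 10 deny 10.1.1.5",
    "access-list 10 deny 192.168.1.0 0.0.0.255",
    "access-list 10 permit any",
]

if __name__ == "__main__":
    for ip in ("10.1.1.5", "192.168.1.77", "172.16.0.9"):
        print(ip, "->", evaluate(SAMPLE_ACL, 10, ip))
    # Had 'permit any' been entered first, it would shadow both deny lines.
    print("permit-any first:", evaluate(SAMPLE_ACL[2:] + SAMPLE_ACL[:2], 10, "10.1.1.5"))
```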