10.2 Configuring IP Standard Access Lists
10.2.5 Access list configuration tasks
Whether you are creating a standard or extended access list, you need to complete the following tasks:
  1. Create an access list in global configuration mode by specifying an access-list number and access conditions.
  2. Define a standard IP access list using a source address and wildcard.
  3. Define an extended access list using source and destination addresses, as well as optional protocol-type information for finer granularity of control.
  4. Apply the access list to traffic transiting an interface or terminal line.

After an access list is created, you can apply it to one or more interfaces. Access lists can be applied against either outbound or inbound traffic.

Standard Access-List Commands

There are two access list commands:

  • access-list
  • ip access-group

The access-list Command

Use the access-list command to create an entry in a standard traffic filter list (numbered 1–99).

access-list access-list-number {permit | deny} {source [source-wildcard] | any}

IP access-group Command

Use the ip access-group command to link an existing access list to the traffic flowing through an interface. Each interface may have both an inbound and an outbound access list. Lines that share the same access-list number together form one access list.

The lines are maintained in the configuration file in order of entry. New lines are always appended to the bottom of the list, meaning that it is not possible to insert or remove individual lines from the access list. Therefore, you may want to build your access lists in a text editor on a separate device and download them to the router rather than configuring them directly through the router interface. You will, however, want to know how to use the router interface for access-list configuration in an emergency, such as during fault isolation, where you identify the source of a communication problem.

You can eliminate the entire list by typing no access-list access-list-number, or you can unapply the list from an interface by typing the no ip access-group access-list-number command. The list is applied to an interface by referring to the access-list number in the ip access-group interface configuration command. The in keyword configures the access list for inbound traffic, and the out keyword configures it for outbound traffic. It is highly recommended that you include notes and explicitly code this parameter for clarity. (The default for Cisco IOS Release 11.0 is out.)

An interface can have one access list active per network-layer protocol per direction. For example, the interface can have one input and one output IP access list, either standard or extended, one IPX access list, one AppleTalk access list, and so on.

A single access list may be applied to more than one interface at a time. More than one interface can be included in the group described by the ip access-group command. All designated interfaces in the group will permit or deny packets based on tests in the access-list statements.

ip access-group access-list-number {in | out}
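The following added example (not part of the curriculum text) models how a router evaluates a standard numbered access list: lines are tested top-down in order of entry, the first match decides, wildcard bits set to 1 are "don't care", and a packet matching no line falls through to the implicit deny that ends every IOS access list. The access list and source addresses are constructed for illustration; the test also shows why a line appended to the bottom cannot override an earlier line, as the text above explains.

```python
import ipaddress

# Constructed example: a standard numbered ACL as it would appear in the
# configuration file, in order of entry (new lines append to the bottom).
ACL_10 = """
access-list 10 deny 192.168.1.5
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 deny 10.0.0.0 0.255.255.255
access-list 10 permit any
"""

def parse_acl(text):
    """Parse standard access-list lines into (action, source, wildcard) tuples."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            raise ValueError(f"not a standard access-list line: {line!r}")
        number = int(parts[1])
        if not 1 <= number <= 99:
            raise ValueError(f"standard ACLs are numbered 1-99, got {number}")
        action = parts[2]
        if parts[3] == "any":                      # "any" == 0.0.0.0 255.255.255.255
            src, wild = 0, 0xFFFFFFFF
        else:
            src = int(ipaddress.IPv4Address(parts[3]))
            # An omitted wildcard means 0.0.0.0, i.e. match this single host only.
            wild = int(ipaddress.IPv4Address(parts[4])) if len(parts) > 4 else 0
        entries.append((action, src, wild))
    return entries

def evaluate(entries, source_ip):
    """Top-down evaluation: the first matching line wins; no match means deny."""
    ip = int(ipaddress.IPv4Address(source_ip))
    for index, (action, src, wild) in enumerate(entries, start=1):
        # Wildcard bits that are 1 are ignored; bits that are 0 must match exactly.
        if (ip ^ src) & ~wild & 0xFFFFFFFF == 0:
            return action, index
    return "deny", None    # the implicit "deny any" at the end of every list

if __name__ == "__main__":
    acl = parse_acl(ACL_10)
    for host in ("192.168.1.5", "192.168.1.77", "10.20.30.40", "172.16.0.1"):
        action, line = evaluate(acl, host)
        print(f"{host:>14} -> {action} (matched line {line})")
```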