ip access-list Command Options and Arguments (2023)

This tutorial explains how to create, apply, edit, update, manage, and delete a named and numbered standard and extended access list. Learn about the options, arguments, and parameters of the 'ip access-list' command.

You can create an access list in two styles: classic style and modern style. The classic style does not support editing; the modern style does. If you use the classic style to create an ACL, you can add statements to it, but you cannot modify existing ones. If you use the modern style to create an access list, you can add, edit, and modify its statements.


The classic style uses the 'access-list' command. The modern style uses the 'ip access-list' command.

I have already explained the parameters, options, and arguments of the 'access-list' command in the previous part of this article. In this part, I will explain the parameters, options, and arguments of the 'ip access-list' command.

This tutorial is the eighth part of the article 'Cisco access lists explained with examples'. The other parts of this article are as follows.

Definition, purposes, benefits and functions of ACL
Basic concepts and fundamentals of ACLs
How access lists work on Cisco routers
Explanation of the types of access control lists
Wildcard Masks in ACLs Explained
Configuration Rules and Guidelines for Cisco ACLs
Access control list explained with examples
Standard ACL Configuration Commands Explained
Configure Standard Access Control List Step by Step Guide
How to secure VTY access to the router
Extended ACL Configuration Commands Explained
Configure Extended Access Control List Step by Step Guide
How to block ICMP ping on Cisco routers

The 'ip access-list' command

The 'ip access-list' command is a global configuration mode command. It uses the following syntax.

Router(config)# ip access-list standard|extended ACL_name_or_number

ip access-list:- This is the main command.

standard|extended:- This option specifies the type of ACL. To create a standard ACL, use the 'standard' option. To create an extended ACL, use the 'extended' option.

ACL_name_or_number:- This parameter specifies the number or name of the ACL. The router uses this number or name to group all statements of the ACL. You should prefer a name over a number here. A clear and descriptive name makes the ACL easy to manage. For example, suppose you encounter an ACL 126. The number 126 says nothing about the ACL. But if you find an ACL with a name like 'BlockSales', you can easily guess its purpose.

Let's take some examples of this command.

The following command creates a standard ACL with the number 34.

Router(config)# ip access-list standard 34

The following command creates a standard ACL with the name 'BlockProduction'.

Router(config)# ip access-list standard BlockProduction

The following command creates an extended ACL with the number 136.

Router(config)# ip access-list extended 136

The following command creates an extended ACL with the name 'AllowHttpTraffic'.

Router(config)# ip access-list extended AllowHttpTraffic

When you press the Enter key after entering the name or number, the command prompt changes and the router enters ACL configuration mode. The prompt depends on the value of the 'standard|extended' option. If you selected the 'standard' option, you get the following prompt.

Router(config-std-nacl)#

If you selected the 'extended' option, you get the following prompt.

Router(config-ext-nacl)#

In ACL configuration mode, you create and manage statements. The options available for creating statements depend on the ACL type. If you selected a standard ACL, the following options are available.

Router(config)# ip access-list standard ACL_name
Router(config-std-nacl)# permit|deny source_IP_address [wildcard_mask] [log]

If you selected an extended ACL, the following options are available.

Router(config)# ip access-list extended ACL_name
Router(config-ext-nacl)# permit|deny IP_protocol source_IP_address wildcard_mask [protocol_information] destination_IP_address wildcard_mask [protocol_information] [log]

These are the same options we get with the 'access-list' command. I have already explained them in the previous part of this tutorial. Let's create some example ACLs.

The following code block creates a named extended ACL.

Router(config)# ip access-list extended SecureManagement
Router(config-ext-nacl)# permit ip 172.15.0.0 0.0.255.255 172.16.0.0 0.0.255.255
Router(config-ext-nacl)# permit tcp any 172.16.0.0 0.0.255.255 established log
Router(config-ext-nacl)# permit udp any host 172.16.1.1 eq domain log
Router(config-ext-nacl)# permit tcp 172.17.0.0 0.0.255.255 host 176.16.1.2 eq telnet log
Router(config-ext-nacl)# permit icmp any 176.16.0.0 0.0.255.255 echo-reply log
Router(config-ext-nacl)# deny ip any any log

The following code block creates a named standard ACL.

Router(config)# ip access-list standard SecureDevelopment
Router(config-std-nacl)# permit 192.168.1.0 0.0.0.255
Router(config-std-nacl)# deny any log

ACL Activation

Whether you use the 'access-list' command or the 'ip access-list' command to create an ACL, the process of activating the ACL is the same.

To activate an ACL, use the following commands.

Router(config)# interface type [slot_#/]port_#
Router(config-if)# ip access-group ACL_name_or_number in|out

We use the first command to enter interface configuration mode. Specify the interface type and number as the argument of this command.

We use the second command to activate the ACL on the interface. Specify the ACL number or name and the direction in which you want to activate the ACL.

The following commands activate the SecureManagement ACL on interface FastEthernet 0/0 in the inbound direction.

Router(config)# interface FastEthernet 0/0
Router(config-if)# ip access-group SecureManagement in


The following commands activate the SecureDevelopment ACL on interface FastEthernet 0/1 in the outbound direction.

Router(config)# interface FastEthernet 0/1
Router(config-if)# ip access-group SecureDevelopment out


ACL verification

Once you have created and activated your ACLs, you can use the following commands to verify their configuration and operation.

The 'show running-config' command

This command shows the entire running configuration. You can use it to view the ACLs and the interfaces on which they are activated. The following code block shows sample output of this command.

Router#show running-config
Building configuration...
[Output omitted]
interface GigabitEthernet0/2
 ip address 30.0.0.1 255.0.0.0
 ip access-group 10 out
access-list 10 deny 10.0.0.0 0.255.255.255
access-list 10 permit 20.0.0.0 0.255.255.255
end
Router#

The above output shows that ACL 10 is applied to interface GigabitEthernet0/2 in the outbound direction and contains two statements.


The 'show access-lists' command

This command displays all access lists and their statements. It also shows statistics on how many times each statement has matched a packet. This command does not show which ACL is applied to which interface.

Below is sample output of the 'show access-lists' command.

Router# show access-lists
Extended IP access list 100
    permit tcp 172.16.0.0 0.0.255.255 any established (189 matches)
    permit udp host 172.16.1.39 any eq domain (32 matches)
    permit icmp host 172.16.0.0 any (67 matches)
Standard IP access list 10
    10 deny 10.0.0.0 0.255.255.255 (79 matches)
    20 permit 20.0.0.0 0.255.255.255 (39 matches)
IPX sap access list 1000
    deny FFFFFFFF 7
    permit FFFFFFFF 0

The 'show access-lists' command displays the ACLs of all protocols. If you want to see only the ACLs of the IP protocol, use the 'show ip access-lists' command. Sample output of this command is shown below.

Router# show ip access-lists
Extended IP access list 100
    permit tcp 172.16.0.0 0.0.255.255 any established (189 matches)
    permit udp host 172.16.1.39 any eq domain (32 matches)
    permit icmp host 172.16.0.0 any (67 matches)
Standard IP access list 10
    10 deny 10.0.0.0 0.255.255.255 (79 matches)
    20 permit 20.0.0.0 0.255.255.255 (39 matches)

The above command shows all ACLs. To view only a particular ACL, use one of the following two commands:

Router# show access-lists ACL_number_or_name

or

Router# show ip access-lists ACL_number_or_name

The following command displays the entries for ACL 10.

Router# show ip access-lists 10
Standard IP access list 10
    10 deny 10.0.0.0 0.255.255.255 (79 matches)
    20 permit 20.0.0.0 0.255.255.255 (39 matches)

Counter reset

To clear and reset the counter for an ACL, use the following command.

Router# clear access-list counters [ACL_number_or_name]

The following command clears the counters of ACL 20.

Router# clear access-list counters 20

Identifying ACL Types

You can edit or update an ACL only if you created it with the 'ip access-list' command. When you create an ACL with the 'ip access-list' command, the router automatically adds a sequence number to each entry. Sequence numbers allow you to insert, edit, update, and delete statements in an existing ACL.

If you don't know which command was used to create an ACL, use the 'show access-lists' command. If you see sequence numbers in front of the entries of an ACL, that ACL was created with the 'ip access-list' command.

The following code block shows the sample output of this command.

Router# show access-lists
Extended IP access list 101
    10 permit ip host 192.168.101.69 any
    20 permit ip host 192.168.101.89 any
Standard IP access list 30
    deny 10.0.0.0 0.255.255.255
    permit 20.0.0.0 0.255.255.255

As you can see in the output above, ACL 101 has sequence numbers and ACL 30 does not have sequence numbers. You can edit ACL 101 but you cannot edit ACL 30.
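To automate this check over captured output, here is an added Python example (not from the original tutorial) that parses 'show access-lists' text and flags the ACLs whose entries carry sequence numbers, i.e. the ones that can be edited in place. The sample output below is constructed for the example, in the shape of the output shown above.

```python
import re

# Constructed sample in the shape of the 'show access-lists' output above:
# ACL 101 carries sequence numbers, ACL 30 does not.
SAMPLE = """\
Extended IP access list 101
    10 permit ip host 192.168.101.69 any
    20 permit ip host 192.168.101.89 any (12 matches)
Standard IP access list 30
    deny   10.0.0.0 0.255.255.255 (79 matches)
    permit 20.0.0.0 0.255.255.255
"""

HEADER = re.compile(r"^(Standard|Extended) IP access list (\S+)$")
ENTRY = re.compile(r"^\s*(?:(\d+)\s+)?(permit|deny)\s+(.*?)(?:\s+\((\d+) matches\))?$")

def parse_show_access_lists(text):
    """Return {acl_name: {type, editable, entries}} from show access-lists output.

    'editable' is True when the entries carry sequence numbers, i.e. the ACL
    was built with 'ip access-list' and can be changed with 'no <seq>' / '<seq> ...'.
    """
    acls, current = {}, None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            current = {"type": h.group(1).lower(), "editable": False, "entries": []}
            acls[h.group(2)] = current
            continue
        e = ENTRY.match(line)
        if e and current is not None:
            seq, action, rule, matches = e.groups()
            if seq is not None:
                current["editable"] = True
            current["entries"].append({
                "seq": int(seq) if seq else None,
                "action": action,
                "rule": rule,
                "matches": int(matches) if matches else 0,
            })
    return acls

def editable_acls(text):
    """Names of the ACLs that can be edited in place (sequence-numbered)."""
    return sorted(n for n, a in parse_show_access_lists(text).items() if a["editable"])
```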

Editing/updating ACL entries

To edit or update an ACL, we need to enter ACL configuration mode. Once we enter ACL configuration mode, we can use the following command to remove an existing entry.

Router(config)# ip access-list {standard|extended} ACL_name_or_number
Router(config-{std|ext}-nacl)# no sequence_#

After deleting the existing entry, we can insert an updated entry in place of the existing entry. To insert the updated entry, we'll use the sequence number of the deleted entry.

To update an entry in the standard access list, use the following command.

Router(config)# ip access-list standard ACL_name
Router(config-std-nacl)# [sequence_#] permit|deny source_IP_address [wildcard_mask]

To update an entry in an extended access list, use the following command.

Router(config)# ip access-list extended ACL_name
Router(config-ext-nacl)# [sequence_#] permit|deny IP_protocol source_IP_address wildcard_mask [protocol_information] destination_IP_address wildcard_mask [protocol_information] [log]

The following code block updates the entry with sequence number 20 and verifies the update.

Router#show access-lists
Extended IP access list SecureManagment
    10 permit ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255
    20 permit ip 10.0.0.0 0.255.255.255 30.0.0.0 0.255.255.255
    30 permit ip 10.0.0.0 0.255.255.255 40.0.0.0 0.255.255.255
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#ip access-list extended SecureManagment
Router(config-ext-nacl)#no 20
Router(config-ext-nacl)#20 deny ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255
Router(config-ext-nacl)#exit
Router(config)#exit
Router#show access-lists
Extended IP access list SecureManagment
    10 permit ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255
    20 deny ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255
    30 permit ip 10.0.0.0 0.255.255.255 40.0.0.0 0.255.255.255
Router#

Inserting new entries

A router assigns sequence numbers in blocks of 10. For example, if you have three entries in an ACL, the router assigns them the sequence numbers 10, 20, and 30, respectively.

To insert a new entry, use a sequence number that falls between the sequence numbers of the existing entries. For example, to insert a new entry between the entries with sequence numbers 10 and 20, you can use any number from 11 to 19.

The following code block inserts a new statement with sequence number 12 into the ACL SecureManagment.

Router#show access-lists
Extended IP access list SecureManagment
    10 permit ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255
    20 permit ip 10.0.0.0 0.255.255.255 30.0.0.0 0.255.255.255
    30 permit ip 10.0.0.0 0.255.255.255 40.0.0.0 0.255.255.255
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#ip access-list extended SecureManagment
Router(config-ext-nacl)#12 deny ip 10.0.0.0 0.255.255.255 30.0.0.1 0.0.0.0
Router(config-ext-nacl)#exit
Router(config)#exit
Router#show access-lists
Extended IP access list SecureManagment
    10 permit ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255
    12 deny ip 10.0.0.0 0.255.255.255 30.0.0.1 0.0.0.0
    20 permit ip 10.0.0.0 0.255.255.255 30.0.0.0 0.255.255.255
    30 permit ip 10.0.0.0 0.255.255.255 40.0.0.0 0.255.255.255
Router#
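The editing and insertion behaviour described in the last two sections, modelled in an added Python example that is not part of the tutorial: sequence numbers handed out in blocks of 10, 'no <sequence_#>', insertion at an in-between sequence number, and first-match evaluation with Cisco wildcard masks and the implicit deny at the end. The ACL name and entries are constructed for the example, and the block-of-10 assignment is an approximation of the router's behaviour; the standard (source-only) form is used to keep the model short.

```python
import ipaddress

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 0 bit in the wildcard means 'must match'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

class NamedStandardAcl:
    """Models a standard ACL created with 'ip access-list standard NAME'."""
    def __init__(self, name):
        self.name = name
        self.entries = {}   # sequence number -> (action, network, wildcard)

    def add(self, action, network, wildcard="0.0.0.0", seq=None):
        """Without seq, take the next block of 10 above the highest entry (approximation)."""
        if seq is None:
            seq = (max(self.entries, default=0) // 10 + 1) * 10
        if seq in self.entries:
            raise ValueError(f"sequence {seq} in use; run 'no {seq}' first")
        self.entries[seq] = (action, network, wildcard)
        return seq

    def remove(self, seq):
        """Equivalent of 'no <sequence_#>' in ACL configuration mode."""
        del self.entries[seq]

    def evaluate(self, src):
        """First matching entry in sequence order wins; implicit deny at the end."""
        for seq in sorted(self.entries):
            action, network, wildcard = self.entries[seq]
            if wildcard_match(src, network, wildcard):
                return action, seq
        return "deny", None

def demo():
    """Walks through an insert-at-12 and a replace-at-20 edit on a constructed ACL."""
    acl = NamedStandardAcl("SecureManagement")
    acl.add("permit", "10.0.0.0", "0.255.255.255")     # router assigns 10
    acl.add("permit", "30.0.0.0", "0.255.255.255")     # router assigns 20
    acl.add("deny", "0.0.0.0", "255.255.255.255")      # 30, same as 'deny any'
    before = acl.evaluate("30.0.0.1")                   # ('permit', 20)
    acl.add("deny", "30.0.0.1", seq=12)                 # insert between 10 and 20
    after_insert = acl.evaluate("30.0.0.1")             # ('deny', 12)
    acl.remove(20)                                      # 'no 20' ...
    acl.add("deny", "30.0.0.0", "0.255.255.255", seq=20)  # ... then re-add at 20
    after_update = acl.evaluate("30.0.0.2")             # ('deny', 20)
    return before, after_insert, after_update, acl.evaluate("10.1.2.3")
```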

Deleting an ACL

To remove an ACL, use the following command.

Router(config)# no ip access-list {standard|extended} ACL_name_or_number

The following command removes the ACL SecureManagement.

Router(config)#no ip access-list extended SecureManagement

That's all for this tutorial. In the next tutorial, we'll take some practical examples of access lists.

Article information

Author: Ms. Lucile Johns

Last Updated: 30/10/2023

Views: 6162

Rating: 4 / 5 (41 voted)

Reviews: 88% of readers found this page helpful

Author information

Name: Ms. Lucile Johns

Birthday: 1999-11-16

Address: Suite 237 56046 Walsh Coves, West Enid, VT 46557

Phone: +59115435987187

Job: Education Supervisor

Hobby: Genealogy, Stone skipping, Skydiving, Nordic skating, Couponing, Coloring, Gardening

Introduction: My name is Ms. Lucile Johns, I am a successful, friendly, friendly, homely, adventurous, handsome, delightful person who loves writing and wants to share my knowledge and understanding with you.