To define a standard IP access list, use the standard version of the access-list global configuration command. To remove a standard access list, use the no form of this command.
access-list access-list-number {deny | permit} source [source-wildcard] [log]
no access-list access-list-number
Caution: Enhancements to this command are backward compatible; migrating from releases prior to Release 10.3 will convert your access lists automatically. However, releases prior to Release 10.3 are not upwardly compatible with these enhancements. Therefore, if you save an access list with these images and then boot software prior to Release 10.3, the resulting access list will not be interpreted correctly. This could cause you severe security problems. Save your old configuration file before booting these images.
access-list-number  Number of an access list. This is a decimal number from 1 to 99 or from 1300 to 1999.
deny Denies access if the conditions are matched.
permit Permits access if the conditions are matched.
source  Number of the network or host from which the packet is being sent. There are two alternative ways to specify the source:
Use a 32-bit quantity in four-part, dotted-decimal format.
Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
source-wildcard  (Optional) Wildcard bits to be applied to the source. There are two alternative ways to specify the source wildcard:
Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.
Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
log (Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)
The message includes the access list number, whether the packet was permitted or denied, the source address, and the number of packets. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.
The access list defaults to an implicit deny statement for everything: every access list is terminated by an implicit deny that matches any packet not matched by an explicit entry, so a list that only denies traffic, or that has no matching permit, blocks everything it is applied to.
Command mode: global configuration.
Release | Modification |
---|---|
10.3 | This command was introduced. |
11.3(3)T | The log keyword was added. |
Plan your access conditions carefully and be aware of the implicit deny statement at the end of the access list. Entries are evaluated in the order they were configured and the first match decides, so place more specific entries before more general ones.
You can use access lists to control the transmission of packets on an interface, control virtual terminal line access, and restrict the contents of routing updates.
Use the show access-lists EXEC command to display the contents of all access lists.
Use the show ip access-list EXEC command to display the contents of one access list.
The following example of a standard access list allows access for only those hosts on the three specified networks. The wildcard bits apply to the host portions of the network addresses. Any host with a source address that does not match the access list statements will be rejected.
access-list 1 permit 192.5.34.0 0.0.0.255
access-list 1 permit 128.88.0.0 0.0.255.255
access-list 1 permit 36.0.0.0 0.255.255.255
! (Note: all other access implicitly denied)
To specify a large number of individual addresses more easily, you can omit the wildcard if it is all zeros. Thus, the following two configuration commands are identical in effect:
access-list 2 permit 36.48.0.3
access-list 2 permit 36.48.0.3 0.0.0.0
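The matching rules described under source and source-wildcard above (ones in the wildcard are ignored bits, any is shorthand for 0.0.0.0 255.255.255.255, an omitted wildcard is 0.0.0.0, entries are tried top-down and an unmatched packet hits the implicit deny) as a runnable model. This is an added example, not code from the Cisco document or from IOS itself. It parses the two access lists shown on this page plus two constructed ones: list 3 types a subnet mask where a wildcard belongs, and list 4 shows why entry order matters. The function and constant names (parse_standard_acls, evaluate, SAMPLE_CONFIG) and the test addresses are my own choices.

```python
"""Model of how IOS evaluates standard IP access-list statements.

Added example, not from the Cisco document: wildcard bits set to 1 are ignored,
entries are tested top-down, the first match decides, and anything unmatched
falls through to the implicit deny at the end of the list.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _addr(text):
    """Dotted-decimal IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


def parse_standard_acls(config_text):
    """Parse 'access-list N {permit|deny} source [wildcard] [log]' lines.

    Returns {N: [(action, source_int, wildcard_int, log_flag), ...]} in
    configuration order. Text after '!' is an IOS comment and is ignored.
    """
    acls = {}
    for raw in config_text.splitlines():
        line = raw.split("!", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if tokens[0] != "access-list":
            continue
        number = int(tokens[1])
        if not (1 <= number <= 99 or 1300 <= number <= 1999):
            raise ValueError(f"{number}: not a standard IP access-list number")
        action = tokens[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"{line!r}: expected permit or deny")
        rest = tokens[3:]
        log = bool(rest) and rest[-1] == "log"
        if log:
            rest = rest[:-1]
        if rest == ["any"]:
            # 'any' abbreviates source 0.0.0.0 with wildcard 255.255.255.255
            source, wildcard = 0, ALL_ONES
        elif len(rest) in (1, 2):
            source = _addr(rest[0])
            # An omitted wildcard means 0.0.0.0: every bit must match
            wildcard = _addr(rest[1]) if len(rest) == 2 else 0
        else:
            raise ValueError(f"{line!r}: bad source specification")
        acls.setdefault(number, []).append((action, source, wildcard, log))
    return acls


def entry_matches(src_text, source, wildcard):
    """Wildcard semantics: compare only the bits where the wildcard is 0."""
    care = ~wildcard & ALL_ONES
    return (_addr(src_text) & care) == (source & care)


def evaluate(entries, src_text):
    """Top-down, first-match evaluation. Returns (action, entry_index);
    entry_index -1 marks the implicit deny at the end of the list."""
    for index, (action, source, wildcard, _log) in enumerate(entries):
        if entry_matches(src_text, source, wildcard):
            return action, index
    return "deny", -1


# Constructed sample: the two lists from this page, plus list 3 (a subnet
# mask typed where a wildcard belongs) and list 4 (order of entries).
SAMPLE_CONFIG = """
access-list 1 permit 192.5.34.0 0.0.0.255
access-list 1 permit 128.88.0.0 0.0.255.255
access-list 1 permit 36.0.0.0 0.255.255.255
! all other access implicitly denied
access-list 2 permit 36.48.0.3
access-list 2 permit 36.48.0.3 0.0.0.0
! constructed mistake: 255.255.255.0 ignores the first three octets
access-list 3 permit 192.5.34.0 255.255.255.0
! constructed: the specific deny must come before permit any
access-list 4 deny 192.5.34.0 0.0.0.255 log
access-list 4 permit any
"""

ACLS = parse_standard_acls(SAMPLE_CONFIG)

if __name__ == "__main__":
    checks = [(1, "192.5.34.7"), (1, "192.5.35.7"), (1, "36.200.1.1"),
              (1, "10.0.0.1"), (2, "36.48.0.3"), (2, "36.48.0.4"),
              (3, "192.5.34.7"), (3, "10.20.30.0"),
              (4, "192.5.34.1"), (4, "8.8.8.8")]
    for number, src in checks:
        action, index = evaluate(ACLS[number], src)
        where = "implicit deny" if index < 0 else f"entry {index + 1}"
        print(f"access-list {number} {src:>12}: {action:6} ({where})")
```

Running the script prints one decision per sample address together with the entry that produced it. List 3 is the instructive one: with 255.255.255.0 as the wildcard, only the last octet is compared, so 10.20.30.0 is permitted and the intended 192.5.34.7 falls through to the implicit deny. On a router the same mistake is visible in show access-lists, where the per-entry match counters stay at zero for the traffic you meant to permit.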
Command | Description |
---|---|
access-class | Restricts incoming and outgoing connections between a particular vty (into a Cisco device) and the addresses in an access list. |
access-list (IP extended) | Defines an extended IP access list. |
distribute-list in (IP) | Filters networks received in updates. |
distribute-list out (IP) | Suppresses networks from being advertised in updates. |
ip access-group | Controls access to an interface. |
show access-lists | Displays the contents of current IP and rate-limit access lists. |
show ip access-list | Displays the contents of all current IP access lists. |
All material in this document copyright 2000 Cisco Systems, Inc. All rights reserved. No material may be reproduced or distributed without written permission of Cisco Systems, Inc.