ip access-list extended

Use this command to enter access list configuration mode for extended ACLs.

Syntax

ip access-list extended {access-list-number | name}
no ip access-list {access-list-number | name}

Parameters

access-list-number | name
    Specifies a standard or extended access list number or name. When entering a number value, standard access list valid values are from 1 to 99. Extended access list valid values are from 100 to 199.

Defaults

None.

Mode

Configuration command, Global configuration.

Usage

The ip access-list extended command enters the rule configuration command mode for the specified extended access-list. Extended access-lists specify both a source and destination address.

There are two ways to identify an ACL: a number or a name. The use of a number is for IPv4 ACLs only. Extended IPv4 ACL numbers range from 100 to 199. Names must start with an alpha character. A name may be quoted, as the quotes are stripped, but spaces are not supported in the quoted string. A name cannot be one of the show access-lists keywords brief or applied, or any prefix thereof such as "br" or "app". Names can be up to 64 characters in length.
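The identifier rules above can be checked before a configuration is pushed to a device. The following Python validator is an added example, not vendor code; the function name, the case-insensitive keyword comparison, and applying the 64-character limit after quotes are stripped are assumptions.

```python
import string

# Rules taken from the usage text above; names here are illustrative.
RESERVED_KEYWORDS = ("brief", "applied")   # show access-lists keywords
EXTENDED_RANGE = range(100, 200)           # extended IPv4 ACL numbers
STANDARD_RANGE = range(1, 100)             # standard ACL numbers
MAX_NAME_LEN = 64


def check_extended_acl_id(raw):
    """Return (ok, reason) for an identifier passed to 'ip access-list extended'."""
    ident = raw
    # The CLI strips surrounding quotes, so validate what remains.
    if len(ident) >= 2 and ident[0] == ident[-1] == '"':
        ident = ident[1:-1]
    if not ident:
        return False, "empty identifier"
    if ident.isascii() and ident.isdigit():
        number = int(ident)
        if number in EXTENDED_RANGE:
            return True, "extended ACL number"
        if number in STANDARD_RANGE:
            return False, "1-99 is the standard ACL range"
        return False, "number outside 100-199"
    if ident[0] not in string.ascii_letters:
        return False, "name must start with an alpha character"
    if any(ch.isspace() for ch in ident):
        return False, "spaces are not supported, even when quoted"
    if len(ident) > MAX_NAME_LEN:
        return False, "name longer than 64 characters"
    # Assumption: keyword prefixes are matched case-insensitively.
    for keyword in RESERVED_KEYWORDS:
        if keyword.startswith(ident.lower()):
            return False, "name is a prefix of keyword " + keyword
    return True, "name"


if __name__ == "__main__":
    # Constructed sample identifiers, not taken from a real configuration.
    for candidate in ["100", "99", '"edge-in"', '"edge in"', "app", "9lives"]:
        print(candidate, check_extended_acl_id(candidate))
```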

Restrictions defined by an access list are applied by using the ip access-group command.

Note

An "implicit deny" is hard coded at the end of all ACLs. The implicit deny blocks anything not explicitly permitted within the ACL, including routing protocols and management connections.

The “no” form of this command removes the specified access list.

Example

This example creates extended access list 100, if it does not already exist, and enters access list 100 configuration mode:

System(rw-config)->ip access-list extended 100
System(rw-cfg-ext-acl)->