ACL Rule Creation

Use the permit command to create a rule that forwards matching L3 packets, or allows matching packets at L2, based upon the defined rule.

Use the deny command to create a rule that prevents the forwarding of matching L3 packets, or drops matching packets at L2, based upon the defined rule.

Entries in a list are evaluated in the order shown by show access-lists, and the first entry that matches a packet decides what happens to it. A packet that matches no entry is dropped by the implicit deny all entry that closes every list, so a list with only permit entries still blocks everything it does not explicitly name.

IPv4 ACL examples

The following example creates a standard ACL 1, and specifies an entry 1 permit rule with a source IP address of 10.0.0.1 and a wildcard of 0.0.255.255. The wildcard is a don't-care mask: bits set to 1 are ignored when matching, so this entry permits any source in 10.0.0.0/16, not only the host 10.0.0.1 (to match a single host, use a wildcard of 0.0.0.0). The implicit deny all entry denies all other traffic for this ACL:

System(rw-config)->ip access-list standard 1
System(rw-cfg-std-acl)->permit 10.0.0.1 0.0.255.255
System(rw-cfg-std-acl)->show access-lists 1
Standard IP access list 1  (2 entries)
  1 permit 10.0.0.1  0.0.255.255
  -- implicit deny all --

The following example creates an extended access list 120 and configures a deny entry for the IP protocol with a source address of 20.0.0.1, a source wildcard of 0.0.255.255 (so the entry covers all of 20.0.0.0/16) and a destination address of any. Syslog messaging is enabled to log any hit on this entry. The deny is followed by a permit entry for all other IP traffic, regardless of source or destination. Order matters here: because permit ip any any matches everything, the implicit deny all is never reached, and if the permit had been entered before the deny, the deny would never match either:

System(rw-config)->ip access-list extended 120
System(rw-cfg-ext-acl)->deny ip 20.0.0.1 0.0.255.255 any log
System(rw-cfg-ext-acl)->permit ip any any
System(rw-cfg-ext-acl)->show access-lists 120
Extended IP access list 120  (3 entries)
  1 deny   ip  20.0.0.1  0.0.255.255  any
  2 permit ip  any  any
  -- implicit deny all --
System(rw-cfg-ext-acl)->

IPv6 ACL Examples

This example enters configuration mode for standard IPv6 access list acl2 and configures a permit entry for source address 2001:1234:50:0:21f:45ff:fe3d:21be/64. Note that the prefix length, not the host portion of the address, determines what the entry matches: /64 permits every source in 2001:1234:50::/64, and a prefix length of /128 is needed to match only this host:

System(rw-config)->ipv6 access-list standard acl2
System(rw-cfg-ipv6-ext-acl)->permit 2001:1234:50:0:21f:45ff:fe3d:21be/64
System(rw-cfg-ipv6-ext-acl)->

This example enters configuration mode for extended IPv6 access list acl120 and configures a permit entry for the IPv6 protocol with a source address of 2001:1234:50:0:21f:45ff:fe3d:21aa/64 (again matching the whole 2001:1234:50::/64 prefix, not just the host) and a destination address of any:

System(rw-config)->ipv6 access-list extended acl120
System(rw-cfg-ipv6-ext-acl)->permit ipv6 2001:1234:50:0:21f:45ff:fe3d:21aa/64 any
System(rw-cfg-ipv6-ext-acl)->
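To see what the wildcard masks, the prefix lengths and the implicit deny in the IPv4 and IPv6 examples above actually do to a packet, the following evaluator models the first-match semantics of these lists and runs the page's own entries against some constructed source and destination addresses. It is an added illustration, not vendor code and not the switch's matching engine; the Entry class and the wildcard_to_cidr(), matches() and evaluate() names are this example's own, and the packet addresses are made up for the demonstration.

```python
"""Toy first-match ACL evaluator for the CLI examples above.
Added illustration only: not vendor code and not the switch's matching
engine. Entry, wildcard_to_cidr(), matches() and evaluate() are this
example's own names; the packet addresses at the bottom are constructed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    action: str            # "permit" or "deny"
    protocol: str          # "ip", "ipv6", or "any" (standard lists match on source only)
    src: str               # address specifier exactly as typed on the CLI (see matches())
    dst: str = "any"
    log: bool = False      # the 'log' keyword: record a hit when this entry matches


def wildcard_to_cidr(address: str, wildcard: str) -> str | None:
    """Translate 'address wildcard' into CIDR. Wildcard bits set to 1 are
    don't-care, so 10.0.0.1 0.0.255.255 covers all of 10.0.0.0/16.
    Returns None for a non-contiguous wildcard, which has no CIDR form."""
    try:
        # ipaddress reads a mask whose first field is 0 as a host mask (wildcard)
        return str(ipaddress.ip_network(f"{address}/{wildcard}", strict=False))
    except ValueError:
        return None


def matches(spec: str, addr: str) -> bool:
    """Test one CLI address specifier against a packet address.
    Accepted forms: 'any', 'host A', 'A WILDCARD' (IPv4), 'A/PREFIXLEN' (IPv6)."""
    if spec == "any":
        return True
    ip = ipaddress.ip_address(addr)
    parts = spec.split()
    if parts[0] == "host":
        return ip == ipaddress.ip_address(parts[1])
    if len(parts) == 2:                                  # IPv4 address + wildcard mask
        if ip.version != 4:
            return False
        base = int(ipaddress.IPv4Address(parts[0]))
        care = int(ipaddress.IPv4Address(parts[1])) ^ 0xFFFFFFFF   # 0 bits must match
        return (int(ip) & care) == (base & care)
    net = ipaddress.ip_network(spec, strict=False)       # host bits allowed, as on the CLI
    return ip.version == net.version and ip in net


def evaluate(acl: list[Entry], src: str, dst: str = "0.0.0.0", proto: str = "ip",
             log: list[str] | None = None) -> tuple[str, int | None]:
    """Walk the list in order; the first matching entry decides. A packet that
    matches nothing falls to the '-- implicit deny all --' the switch prints,
    reported here as entry number None."""
    for number, entry in enumerate(acl, start=1):
        if entry.protocol not in ("any", proto):
            continue
        if not matches(entry.src, src) or not matches(entry.dst, dst):
            continue
        if entry.log and log is not None:                # what the 'log' keyword would emit
            log.append(f"entry {number} {entry.action} {proto} {src} -> {dst}")
        return entry.action, number
    return "deny", None


# The lists configured on the page, transcribed from the CLI examples above.
ACL_1 = [Entry("permit", "any", "10.0.0.1 0.0.255.255")]                      # standard
ACL_120 = [Entry("deny", "ip", "20.0.0.1 0.0.255.255", "any", log=True),     # extended
           Entry("permit", "ip", "any", "any")]
ACL2 = [Entry("permit", "any", "2001:1234:50:0:21f:45ff:fe3d:21be/64")]       # IPv6 standard
ACL120 = [Entry("permit", "ipv6", "2001:1234:50:0:21f:45ff:fe3d:21aa/64", "any")]


if __name__ == "__main__":
    # 10.0.0.1 with wildcard 0.0.255.255 is a /16, not a single host
    print("ACL 1 entry 1 covers", wildcard_to_cidr("10.0.0.1", "0.0.255.255"))
    hits = []
    for name, acl, src, dst, proto in [                   # constructed packets
        ("1", ACL_1, "10.0.200.7", "0.0.0.0", "ip"),       # inside 10.0.0.0/16: permit
        ("1", ACL_1, "10.1.0.1", "0.0.0.0", "ip"),         # outside: implicit deny
        ("120", ACL_120, "20.0.77.1", "192.0.2.10", "ip"), # entry 1 deny, logged
        ("120", ACL_120, "20.1.0.1", "192.0.2.10", "ip"),  # entry 2 permit ip any any
        ("acl2", ACL2, "2001:1234:50:0:dead:beef:0:1", "::", "ipv6"),  # whole /64 permitted
    ]:
        print(f"list {name}: {src} -> {evaluate(acl, src, dst, proto, hits)}")
    print("logged:", hits)
```

Running it shows the two practical lessons of these examples: a host address paired with a wide wildcard or a /64 prefix admits the whole range, and the final permit ip any any in list 120 means the implicit deny at the end of that list can never fire.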

L2 ACL Examples

This example enters configuration mode for the list1 L2 ACL and configures a permit entry, with verbose logging enabled, for packets that match all of the following:

  • Any source MAC address
  • A destination host with a MAC address of 00:11:88:fd:8e:f0
  • A VLAN ID in the range 11 through 13
  • An Ethernet II type of 800 (that is, EtherType 0x0800, IPv4)

System(rw-config)->l2 access-list list1
System(rw-cfg-l2-acl)->permit any host 00:11:88:fd:8e:f0 vlan 11 13 ethertype 800 log-verbose
System(rw-cfg-l2-acl)->