Use the permit command to create a rule that forwards L3 packets or allows the packet at L2 based upon the defined rule.
Use the deny command to create a rule that prevents the forwarding of L3 packets or drops the packet at L2 based upon the defined rule.
The following example creates standard ACL 1 and specifies an entry 1 permit rule with a source IP address of 10.0.0.1 and a wildcard of 0.0.255.255. The implicit deny all rule at the end of the list denies all other traffic for this ACL:

System(rw-config)->ip access-list standard 1
System(rw-cfg-std-acl)->permit 10.0.0.1 0.0.255.255
System(rw-cfg-std-acl)->show access-lists 1
Standard IP access list 1 (2 entries)
  1 permit 10.0.0.1 0.0.255.255
  -- implicit deny all --
The following example creates extended access list 120 and configures a deny entry for the IP protocol with a source address of 20.0.0.1, a source wildcard of 0.0.255.255 and a destination address of any. Syslog messaging is enabled to log any hit on this rule. This rule is followed by a permit rule for all other IP protocol traffic, whatever its source or destination:

System(rw-config)->ip access-list extended 120
System(rw-cfg-ext-acl)->deny ip 20.0.0.1 0.0.255.255 any log
System(rw-cfg-ext-acl)->permit ip any any
System(rw-cfg-ext-acl)->show access-lists 120
Extended IP access list 120 (3 entries)
  1 deny ip 20.0.0.1 0.0.255.255 any
  2 permit ip any any
  -- implicit deny all --
System(rw-cfg-ext-acl)->
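To make the ordering and wildcard behaviour of the two IPv4 examples above concrete, here is an added first-match evaluator (example code, not part of the product or this page) that models standard ACL 1 and extended ACL 120. It assumes the Cisco-style wildcard convention (a 1 bit means "don't care") and that the keyword any is equivalent to 0.0.0.0 255.255.255.255; the entry dictionaries and sample packets are constructed for illustration.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # assumed expansion of the CLI keyword "any"


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard comparison: a 1 bit in the wildcard means 'don't care' (assumed semantics)."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    return (a & care) == (b & care)


def evaluate_acl(entries, proto, src, dst):
    """First-match evaluation of an ACL in configured order.

    entries: list of dicts with keys action ('permit'/'deny'), proto ('ip' or a
    protocol name), src/dst ((base, wildcard) tuples, ANY for 'any') and an
    optional log flag. Returns (action, entry_number, logged); entry_number is
    None when the implicit deny all at the end of the list is what matched.
    """
    for number, e in enumerate(entries, start=1):
        if e["proto"] != "ip" and e["proto"] != proto:
            continue  # 'ip' matches every IP protocol; anything else must match exactly
        if not wildcard_match(src, *e["src"]):
            continue
        if not wildcard_match(dst, *e["dst"]):
            continue
        return e["action"], number, e.get("log", False)
    return "deny", None, False  # implicit deny all: not an entry, never logged


# Constructed model of the page's standard ACL 1 (standard lists match on source only)
ACL_1 = [
    {"action": "permit", "proto": "ip", "src": ("10.0.0.1", "0.0.255.255"), "dst": ANY},
]

# Constructed model of the page's extended ACL 120
ACL_120 = [
    {"action": "deny", "proto": "ip", "src": ("20.0.0.1", "0.0.255.255"), "dst": ANY, "log": True},
    {"action": "permit", "proto": "ip", "src": ANY, "dst": ANY},
]

if __name__ == "__main__":
    # 10.0.x.x is permitted by entry 1; 10.9.x.x falls through to the implicit deny
    print(evaluate_acl(ACL_1, "udp", "10.0.255.255", "192.0.2.10"))
    print(evaluate_acl(ACL_1, "udp", "10.9.0.1", "192.0.2.10"))
    # 20.0.x.x hits the logged deny; everything else is permitted by entry 2
    print(evaluate_acl(ACL_120, "tcp", "20.0.77.3", "192.0.2.10"))
    print(evaluate_acl(ACL_120, "tcp", "20.1.0.1", "192.0.2.10"))
```

Swapping the two entries of ACL 120 would make the permit shadow the deny, which is the kind of ordering mistake the evaluator makes visible before a list is applied.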
This example enters configuration mode for standard IPv6 access list acl2 and configures a permit entry for the source address 2001:1234:50:0:21f:45ff:fe3d:21be/64:

System(rw-config)->ipv6 access-list standard acl2
System(rw-cfg-ipv6-ext-acl)->permit 2001:1234:50:0:21f:45ff:fe3d:21be/64
System(rw-cfg-ipv6-ext-acl)->
This example enters configuration mode for extended IPv6 access list acl120 and configures a permit entry for the IP protocol with a source address of 2001:1234:50:0:21f:45ff:fe3d:21aa/64 and a destination address of any:

System(rw-config)->ipv6 access-list extended acl120
System(rw-cfg-ipv6-ext-acl)->permit ipv6 2001:1234:50:0:21f:45ff:fe3d:21aa/64 any
System(rw-cfg-ipv6-ext-acl)->
This example enters configuration mode for the list1 L2 ACL and configures a permit entry for packets matching the MAC address, VLAN and ethertype values shown in the command (verbose logging is enabled for this entry):

System(rw-config)->l2 access-list list1
System(rw-cfg-l2-acl)->permit any host 00:11:88:fd:8e:f0 vlan 11 13 ethertype 800 log-verbose
System(rw-cfg-l2-acl)->