Creating an ACL

There are two types of ACLs: standard and extended. The type of ACL you need depends solely on which packet fields the rules in the ACL must match. For a standard ACL, only the source IP address is configurable. For an extended ACL, the protocol, source IP address, destination IP address and, in the case of the TCP or UDP protocols, matching source and destination ports are configurable.

There are two ways to identify the new ACL: a number or a name. Numbers can be used for IPv4 ACLs only. Standard IPv4 ACL numbers range from 1 to 99. Extended IPv4 ACL numbers range from 100 to 199. Both IPv4 and IPv6 ACLs allow alphanumeric names that must start with an alphabetic character. A name may be quoted (the quotes are stripped), but spaces are not supported inside the quoted string. A name cannot be one of the show access-lists keywords brief or applied, or any prefix thereof, such as br or app. Names can be up to 64 characters in length.

Once you have determined the appropriate ACL type, use the:

  • ip access-list standard command to create an IPv4 standard access-list and ipv6 access-list standard command to create an IPv6 standard access-list
  • ip access-list extended command to create an IPv4 extended access-list and ipv6 access-list extended command to create an IPv6 extended access-list

In each case, specify the access-list number or name for the ACL.

An existing ACL can be copied to a non-existing ACL of the same IP type (IPv4 or IPv6). An existing ACL can be appended to the end of another existing ACL of the same IP type, but a standard ACL may not be appended to an extended ACL nor vice versa.

Upon creating the ACL, you are placed in the access-list configuration command mode where you can enter rules or comment entries for this ACL.
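The identifier rules above are easy to get wrong when ACLs are generated by scripts, and a rejected name leaves the intended filter unapplied. The following validator is an added example (not part of this documentation or the switch software) that encodes the page's rules for numbers and names and builds the matching creation command; the case-insensitive keyword comparison is an assumption, not something the page states.

```python
import re

# Identifier rules stated for ACL creation: numbers are IPv4-only and
# type-specific; names are shared by IPv4 and IPv6.
STANDARD_NUMBERS = range(1, 100)    # 1-99
EXTENDED_NUMBERS = range(100, 200)  # 100-199
RESERVED_KEYWORDS = ("brief", "applied")  # show access-lists keywords
MAX_NAME_LEN = 64


def validate_acl_id(identifier, ip_version, acl_type):
    """Return (ok, reason, normalized_id) for a proposed ACL identifier."""
    if acl_type not in ("standard", "extended"):
        return False, "acl_type must be 'standard' or 'extended'", None
    ident = identifier.strip()
    # Surrounding quotes are stripped by the CLI; a space inside is still rejected.
    if len(ident) >= 2 and ident[0] == ident[-1] and ident[0] in "\"'":
        ident = ident[1:-1]
    if ident == "":
        return False, "empty identifier", None
    if re.fullmatch(r"[0-9]+", ident):
        if ip_version != 4:
            return False, "numeric identifiers are allowed for IPv4 ACLs only", None
        allowed = STANDARD_NUMBERS if acl_type == "standard" else EXTENDED_NUMBERS
        if int(ident) not in allowed:
            return False, f"{acl_type} IPv4 ACL numbers must be {allowed.start}-{allowed.stop - 1}", None
        return True, "ok", ident
    if not ident[0].isalpha():
        return False, "names must start with an alphabetic character", None
    if " " in ident:
        return False, "spaces are not supported in names, even when quoted", None
    if len(ident) > MAX_NAME_LEN:
        return False, f"names are limited to {MAX_NAME_LEN} characters", None
    # Reject the keywords and any prefix of them (e.g. 'br', 'app').
    # Assumption: the comparison is case-insensitive.
    if any(kw.startswith(ident.lower()) for kw in RESERVED_KEYWORDS):
        return False, "name is a 'show access-lists' keyword or a prefix of one", None
    return True, "ok", ident


def creation_command(identifier, ip_version, acl_type):
    """Build the 'ip'/'ipv6 access-list' creation command for a valid identifier."""
    ok, reason, ident = validate_acl_id(identifier, ip_version, acl_type)
    if not ok:
        raise ValueError(reason)
    prefix = "ip" if ip_version == 4 else "ipv6"
    return f"{prefix} access-list {acl_type} {ident}"
```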

IPv4 ACL Creation Examples

The following example creates a standard IPv4 ACL with the access-list number 1 as its identifier:

System(rw-config)->ip access-list standard 1
System(rw-cfg-std-acl)->

The following example creates an extended IPv4 ACL with the access-list number 100 as its identifier:

System(rw-config)->ip access-list extended 100
System(rw-cfg-ext-acl)->

The following example creates a standard ACL with the name ipv4acl1 as its identifier:

System(rw-config)->ip access-list standard ipv4acl1
System(rw-cfg-std-acl)->

IPv6 ACL Creation Examples

The following example creates a standard IPv6 ACL with the access-list name acl1 as its identifier:

System(rw-config)->ipv6 access-list standard acl1
System(rw-cfg-ipv6-std-acl)->

The following example creates an extended IPv6 ACL with the access-list name acl100 as its identifier (IPv6 ACLs are identified by name only, so a bare number such as 100 is not a valid IPv6 identifier):

System(rw-config)->ipv6 access-list extended acl100
System(rw-cfg-ipv6-ext-acl)->

The following example creates a standard IPv6 ACL with the name ipv6acl1 as its identifier:

System(rw-config)->ipv6 access-list standard ipv6acl1
System(rw-cfg-ipv6-std-acl)->