Creating an extended IPv4 ACL

An extended ACL permits or denies traffic according to one or more parameters, including source address, destination address, port, protocol (TCP or UDP), and TCP flags.

  1. Enter configure terminal to access global configuration mode.
    device# configure terminal
    
  2. Enter the ip access-list extended command to create the access list.
    device(config)# ip access-list extended extdACL5
    
  3. Enter rules, specifying the needed parameters.
    device(conf-ipacl-ext)# seq 5 deny tcp host 10.24.26.145 any eq 23
    device(conf-ipacl-ext)# seq 7 deny tcp any any eq 80
    device(conf-ipacl-ext)# seq 10 deny udp any any range 10 25
    device(conf-ipacl-ext)# seq 15 permit tcp any any
    
  4. Apply the ACL to the appropriate interface, or bind it as a receive-path ACL as shown in the example below.

Example

The following example creates an IPv4 extended ACL, defines rules in the ACL, and applies it as a receive-path ACL.

device(config)# ip access-list extended ipv4-receive-acl-example
device(conf-ipacl-ext)# deny tcp host 10.0.0.1 any count
device(conf-ipacl-ext)# deny udp any host 20.0.0.1 count
device(conf-ipacl-ext)# permit tcp host 10.0.0.2 any eq telnet count
device(conf-ipacl-ext)# permit tcp host 10.0.0.2 any eq bgp count
device(conf-ipacl-ext)# deny tcp host 10.0.0.3 host 224.0.0.1 count
device(conf-ipacl-ext)# exit
device(config)# ip receive access-group ipv4-receive-acl-example
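To make the ordering semantics of the procedure and the example above concrete, here is an added Python evaluator (not vendor code and not part of the original page) that parses the rule syntax shown here and tests sample flows against both ACLs. It assumes Cisco-style behaviour that the page does not spell out: rules are matched in ascending sequence order, the first match wins, a flow matching no rule hits an implicit deny, rules entered without seq receive the next multiple of 10, eq and range refer to the destination port, and count only enables a hit counter. The sample flows and the 192.0.2.1 address are constructed for the illustration.

```python
"""Added example: evaluator for the extended IPv4 ACL syntax used on this page.
Assumptions (not stated on the page): ascending-seq first-match evaluation,
implicit deny at the end, auto seq in steps of 10, 'eq'/'range' = destination
port, 'count' has no effect on matching."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Named ports used in the page's example, with their IANA numbers.
PORT_NAMES = {"telnet": 23, "bgp": 179}


@dataclass
class Rule:
    seq: int
    action: str                       # "permit" or "deny"
    proto: str                        # "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[Tuple[int, int]]  # inclusive destination-port range; None = any port
    count: bool


def _parse_addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'host A.B.C.D' or 'any' at t[i]; return (network, index after it)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    raise ValueError(f"unsupported address form: {t[i]!r}")


def parse_rule(line: str, default_seq: int) -> Rule:
    """Parse one rule, e.g. 'seq 5 deny tcp host 10.24.26.145 any eq 23'."""
    t = line.split()
    i, seq = 0, default_seq
    if t[0] == "seq":
        seq, i = int(t[1]), 2
    action, proto = t[i], t[i + 1]
    if action not in ("permit", "deny") or proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported action/protocol in {line!r}")
    src, i = _parse_addr(t, i + 2)
    dst, i = _parse_addr(t, i)
    dport, count = None, False
    while i < len(t):
        if t[i] == "eq":
            p = PORT_NAMES[t[i + 1]] if t[i + 1] in PORT_NAMES else int(t[i + 1])
            dport, i = (p, p), i + 2
        elif t[i] == "range":
            dport, i = (int(t[i + 1]), int(t[i + 2])), i + 3
        elif t[i] == "count":
            count, i = True, i + 1
        else:
            raise ValueError(f"unsupported keyword {t[i]!r} in {line!r}")
    return Rule(seq, action, proto, src, dst, dport, count)


def parse_acl(lines: List[str]) -> List[Rule]:
    """Parse rules in entry order, assign missing seq numbers, return sorted by seq."""
    rules, next_seq = [], 10
    for line in lines:
        r = parse_rule(line, next_seq)
        rules.append(r)
        next_seq = (r.seq // 10 + 1) * 10   # assumed auto-numbering step
    return sorted(rules, key=lambda r: r.seq)


def evaluate(rules: List[Rule], proto: str, src: str, dst: str, dport: int):
    """Return (action, seq) of the first matching rule, or ('deny', None) for the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.proto != proto or s not in r.src or d not in r.dst:
            continue
        if r.dport is not None and not (r.dport[0] <= dport <= r.dport[1]):
            continue
        return r.action, r.seq
    return "deny", None


# The two ACLs from this page, as typed at the CLI with the prompt stripped.
EXTD_ACL5_LINES = [
    "seq 5 deny tcp host 10.24.26.145 any eq 23",
    "seq 7 deny tcp any any eq 80",
    "seq 10 deny udp any any range 10 25",
    "seq 15 permit tcp any any",
]
RECEIVE_ACL_LINES = [
    "deny tcp host 10.0.0.1 any count",
    "deny udp any host 20.0.0.1 count",
    "permit tcp host 10.0.0.2 any eq telnet count",
    "permit tcp host 10.0.0.2 any eq bgp count",
    "deny tcp host 10.0.0.3 host 224.0.0.1 count",
]

if __name__ == "__main__":
    acl = parse_acl(EXTD_ACL5_LINES)
    # Constructed sample flows (192.0.2.1 is a documentation address).
    for flow in [("tcp", "10.24.26.145", "192.0.2.1", 23),
                 ("tcp", "10.0.0.9", "192.0.2.1", 443),
                 ("udp", "10.0.0.9", "192.0.2.1", 53)]:
        print(flow, "->", evaluate(acl, *flow))
```

Two things worth checking with such an evaluator before applying an ACL: because the first match wins, a broad permit placed at a lower sequence number than a narrower deny makes that deny unreachable, and a closing `permit tcp any any` does not cover UDP, so UDP flows outside the explicit rules fall through to the implicit deny.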