Creates a standard or extended IPv4 access control list (ACL). In ACLs, you can define rules that permit or deny network traffic based on criteria that you specify.
Global configuration mode
An ACL name can be up to 63 characters long, and must begin with a–z, A–Z or 0–9. You can also use underscore (_) or hyphen (-) in an ACL name, but not as the first character.
After you create an ACL, use the seq command to create filtering rules for that ACL.
To delete an ACL, use the no access-list command. You can delete an ACL only after you first remove it from all interfaces to which it is applied, using the no access-group command.
device# configure
device(config)# ip access-list standard stdACL3
device# configure terminal
device(config)# ip access-list extended extdACL5
device# configure terminal
device(config)# ip access-list standard stdACL3
device(config-ipacl-std)# seq 5 permit host 10.20.33.4
device(config-ipacl-std)# seq 15 deny any
device# configure
device(config)# no ip access-list standard stdACL3
The following example creates an IPv4 extended ACL and adds rules to the ACL that filter TCP packets to the management IP on port 22.
device# configure
device(config)# ip access-list extended management
device(config-ipacl-ext)# permit tcp x.x.x.x/24 mgt-ip eq 22
device(config-ipacl-ext)# permit tcp x.x.x.x/24 mgt-ip eq 22
device(config-ipacl-ext)# permit tcp host x.x.x.x mgt-ip eq 22
device(config-ipacl-ext)# permit tcp host x.x.x.x mgt-ip eq 22
device(config-ipacl-ext)# permit tcp host x.x.x.x mgt-ip eq 22
device(config-ipacl-ext)# deny tcp any mgt-ip eq 22
The following example displays an ACL definition that supports flow-based ingress mirroring.
device# show access-list int eth 0/2 in
ip access-list ipl on Ethernet 0/2 at Ingress (From User)
seq 10 permit ip host 10.10.10.1 any count mirror (Active)
seq 20 permit tcp any host 15.15.15.1 count (Active)
The following example displays an ACL definition that supports flow-based ingress mirroring.
device# show access-list int eth 0/2 in
ip access-list ipl on Ethernet 0/2 at Ingress (From User)
seq 10 permit ip host 10.10.10.1 any count mirror (150 frames)
seq 20 permit tcp any host 15.15.15.1 count (0 frames)
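The management ACL above permits SSH (port 22) only from named sources and ends in a catch-all deny; because rules are evaluated in sequence order, a permit from any or a missing final deny silently widens management access. The following audit script is an added example, not vendor code: it parses rule lines in the form shown by show access-list (the RULE_RE pattern, the Rule dataclass and the sample ACL text are assumptions, using documentation addresses) and reports such gaps.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches one rule line as shown by "show access-list" (seq prefix optional).
RULE_RE = re.compile(
    r"^\s*(?:seq\s+(?P<seq>\d+)\s+)?(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>host\s+\S+|\S+/\d+|any)\s+(?P<dst>host\s+\S+|\S+/\d+|any|mgt-ip)"
    r"(?:\s+eq\s+(?P<port>\d+))?"
)

@dataclass
class Rule:
    seq: Optional[int]
    action: str
    proto: str
    src: str
    dst: str
    port: Optional[int]

def parse_rules(text: str) -> List[Rule]:
    """Parse ACL rule lines; prompts, headers and other non-rule lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append(Rule(int(m["seq"]) if m["seq"] else None, m["action"], m["proto"],
                              m["src"], m["dst"], int(m["port"]) if m["port"] else None))
    return rules

def audit_mgmt_acl(rules: List[Rule], port: int = 22) -> List[str]:
    """Findings for a management ACL: ascending seq, explicit permit sources, final deny."""
    findings = []
    seqs = [r.seq for r in rules if r.seq is not None]
    if seqs != sorted(seqs):
        findings.append("sequence numbers are not ascending")
    for r in rules:
        if r.action == "permit" and r.src == "any":
            findings.append(f"seq {r.seq}: permit from any source to port {r.port}")
    last = rules[-1] if rules else None
    if not (last and last.action == "deny" and last.src == "any" and last.port == port):
        findings.append(f"no trailing 'deny tcp any ... eq {port}' rule")
    return findings

# Constructed sample output (RFC 5737 documentation addresses), not from a real device.
GOOD_ACL = """\
seq 10 permit tcp 192.0.2.0/24 mgt-ip eq 22
seq 20 permit tcp host 198.51.100.7 mgt-ip eq 22
seq 30 deny tcp any mgt-ip eq 22
"""
WEAK_ACL = "seq 10 permit tcp any mgt-ip eq 22\n"
```

Run audit_mgmt_acl(parse_rules(text)) over the rule lines pasted from a device; an empty list means the ACL matches the management pattern shown on this page.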