ip access-list

Creates a standard or extended IPv4 access control list (ACL). In ACLs, you can define rules that permit or deny network traffic based on criteria that you specify.

Syntax

ip access-list { standard | extended } ACLname
no ip access-list { standard | extended } ACLname

Parameters

standard | extended
Specifies one of the following types of access lists:
standard
Contains rules that permit or deny traffic based on source addresses that you specify. The rules are applicable to all ports of the specified addresses.
extended
Contains rules that permit or deny traffic according to source and destination addresses, as well as other parameters. For example, you can also filter by port, protocol (TCP or UDP), and TCP flags.
ACLname
Specifies an ACL name unique among all ACLs (Layer 2 and Layer 3). The name can be up to 63 characters in length, and must begin with an alphanumeric character. No special characters are allowed, except for the underscore and hyphen.

Modes

Global configuration mode

Usage Guidelines

An ACL name can be up to 63 characters long, and must begin with a–z, A–Z or 0–9. You can also use underscore (_) or hyphen (-) in an ACL name, but not as the first character.

After you create an ACL, use the seq command to create filtering rules for that ACL.

An ACL starts functioning only after it is applied:
  • To an interface, using the { ip | ipv6 | mac } access-group command.
  • At device level, using the { ip | ipv6 } receive access-group command.

To delete an ACL, use the no ip access-list command. You can delete an ACL only after you have removed it from every interface to which it is applied, using the no access-group command.

Examples

The following example creates an IPv4 standard ACL.

device# configure
device(config)# ip access-list standard stdACL3

The following example creates an IPv4 extended ACL.

device# configure terminal
device(config)# ip access-list extended extdACL5

The following example creates rules on an IPv4 standard ACL.

device# configure terminal
device(config)# ip access-list standard stdACL3
device(config-ipacl-std)# seq 5 permit host 10.20.33.4
device(config-ipacl-std)# seq 15 deny any

The following example deletes an IPv4 ACL.

device# configure
device(config)# no ip access-list standard stdACL3

The following example creates an IPv4 extended ACL and adds rules that permit TCP traffic to the management IP on port 22 only from the specified subnets and hosts, then denies port 22 from any other source.

device# configure
device(config)# ip access-list extended management
device(config-ipacl-ext)# permit tcp x.x.x.x/24 mgt-ip eq 22
device(config-ipacl-ext)# permit tcp x.x.x.x/24 mgt-ip eq 22
device(config-ipacl-ext)# permit tcp host x.x.x.x mgt-ip eq 22
device(config-ipacl-ext)# permit tcp host x.x.x.x mgt-ip eq 22
device(config-ipacl-ext)# permit tcp host x.x.x.x mgt-ip eq 22
device(config-ipacl-ext)# deny tcp any mgt-ip eq 22
The following example displays an ACL definition that supports flow-based ingress mirroring, showing the status of each rule.

device# show access-list int eth 0/2 in
ip access-list ipl on Ethernet 0/2 at Ingress (From User)
    seq 10 permit ip host 10.10.10.1 any count mirror (Active)
    seq 20 permit tcp any host 15.15.15.1 count (Active)

The following example displays the same ACL definition with the per-rule frame counters enabled by the count keyword.

device# show access-list int eth 0/2 in
ip access-list ipl on Ethernet 0/2 at Ingress (From User)
    seq 10 permit ip host 10.10.10.1 any count mirror (150 frames)
    seq 20 permit tcp any host 15.15.15.1 count (0 frames)
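The show access-list output above, parsed into structured rules so that an operator can audit applied ACLs (for example, permit rules that have never matched a frame, or rules that mirror traffic). This is an added example and not part of the original reference page; the function names, the AclRule fields, and the assumption that rule lines end in either "(Active)" or "(N frames)" exactly as shown on this page are assumptions, and the sample output is constructed from the page's own example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the counter-enabled "show access-list int eth 0/2 in" output from this page.
SHOW_OUTPUT = """\
ip access-list ipl on Ethernet 0/2 at Ingress (From User)
    seq 10 permit ip host 10.10.10.1 any count mirror (150 frames)
    seq 20 permit tcp any host 15.15.15.1 count (0 frames)
"""

HEADER_RE = re.compile(r"^ip access-list (\S+) on (.+?) at (Ingress|Egress)")
# An address is "any", "host A.B.C.D" or "A.B.C.D/len", optionally followed by "eq <port>".
ADDR = r"((?:host )?\S+(?: eq \S+)?)"
RULE_RE = re.compile(
    r"^\s*seq (\d+) (permit|deny) (\S+) " + ADDR + " " + ADDR
    + r"((?: count| mirror| log)*)(?: \((Active|(\d+) frames)\))?\s*$"
)

@dataclass
class AclRule:
    seq: int
    action: str
    proto: str
    src: str
    dst: str
    count: bool
    mirror: bool
    frames: Optional[int]  # None when the output shows "(Active)" instead of a counter

@dataclass
class AppliedAcl:
    name: str
    interface: str
    direction: str
    rules: list = field(default_factory=list)

def parse_show_access_list(text: str) -> Optional[AppliedAcl]:
    """Parse one 'show access-list int ... in' block into an AppliedAcl (assumed format)."""
    acl = None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            acl = AppliedAcl(h.group(1), h.group(2), h.group(3))
            continue
        m = RULE_RE.match(line)
        if m and acl is not None:
            opts = m.group(6).split()
            frames = int(m.group(8)) if m.group(8) else None
            acl.rules.append(AclRule(int(m.group(1)), m.group(2), m.group(3), m.group(4),
                                     m.group(5), "count" in opts, "mirror" in opts, frames))
    return acl

def idle_permits(acl: AppliedAcl) -> list:
    """Seq numbers of permit rules whose counter reads 0 frames: allowed paths nobody is using."""
    return [r.seq for r in acl.rules if r.action == "permit" and r.frames == 0]

def mirrored_rules(acl: AppliedAcl) -> list:
    """Seq numbers of rules that copy matching traffic to a mirror destination."""
    return [r.seq for r in acl.rules if r.mirror]
```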