General Security Commands
access-list (extended)
This command defines an extended IP Access List (ACL) identified by a number in the range 100 to
199. You can restrict or allow the following traffic:
• IP (any Internet Protocol)
• TCP (Transmission Control Protocol)
• UDP (User Datagram Protocol)
• ICMP (Internet Control Message Protocol)
• ESP (Encapsulating Security Payload)
• GRE (Generic Routing Encapsulation) protocol
• AH (Authentication Header) protocol
New and existing ACL entries can be added or replaced in a particular ACL without rewriting the
entire ACL, using the insert and replace entry-number parameters. If neither the insert nor the
replace option is specified, the new entry is appended to the end of the list. This matters because
ACL entries are evaluated in the order displayed by the show access-list command, and the first
entry that matches decides the result: an entry appended after a broader entry that already
matches the same traffic is never reached.
Apply the restrictions defined by an ACL with the ip access-group command.
Syntax
access-list list# [insert entry# | replace entry#] {deny | permit} protocol [log]
    {srcIpAddr [srcWildCardBits] | host srcIpAddr | any} [source-port] [qualifier]
    {dstIpAddr [dstWildCardBits] | host dstIpAddr | any} [destn-port] [qualifier]
list#          Extended ACL number, ranging from 100 to 199.
insert         The new access entry is inserted before existing entry # in the existing
               ACL. The show access-list command, run from Global mode, sequentially
               numbers the entries for this purpose.
replace        The new access entry replaces entry # in the existing ACL (the entry #
               must already exist).
entry#         The entry's list number within the ACL. No number is required for the
               first entry.
deny           Access is denied if the specified conditions are met.
permit         Access is permitted if the specified conditions are met.
protocol       Specifies the IP protocol: IP, TCP, UDP, ICMP, ESP, GRE, or AH. IP
               represents any protocol.
log            Enables alarm logging and reporting of source IP addresses for configured
               ACL entries.
srcIpAddr      The source, expressed as an IP address.
source-port    Specified as range min-sport | max-sport.
destn-port     Specified as range min-dprt | max-dprt.
qualifier      type [code]
               [established]
16-84 Configuring Security
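As an added illustration (not the device's own code or output), the following Python model reproduces the semantics described above: numbered entries, insert-before and replace-at-entry editing, and first-match evaluation in the order that show access-list lists them. It assumes wildcard-bit matching (a 1 bit in the wildcard means "don't care") and an implicit deny when no entry matches; neither is stated on this page, both are conventional router ACL behaviour. The Entry and ExtendedAcl classes, the ordering_demo function and the packet dictionaries are constructed for this example.

```python
from __future__ import annotations
from dataclasses import dataclass
import ipaddress


def parse_addr(spec: str) -> tuple[int, int] | None:
    """Turn an address spec as typed on the CLI into (address, wildcard) ints.
    'any' -> None (matches everything); 'host A.B.C.D' -> wildcard 0;
    'A.B.C.D W.X.Y.Z' -> explicit wildcard bits (assumed: a 1 bit is "don't care")."""
    parts = spec.split()
    if parts == ["any"]:
        return None
    if parts[0] == "host":
        return int(ipaddress.IPv4Address(parts[1])), 0
    addr, wild = parts
    return int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wild))


def addr_matches(spec: tuple[int, int] | None, addr: str) -> bool:
    """Compare only the bits the wildcard does not mask out."""
    if spec is None:
        return True
    base, wild = spec
    return (int(ipaddress.IPv4Address(addr)) & ~wild) == (base & ~wild)


@dataclass
class Entry:
    action: str                           # "permit" or "deny"
    protocol: str                         # "ip" represents any protocol
    src: str                              # source spec as typed: any | host A | A W
    dst: str                              # destination spec, same forms
    dport: tuple[int, int] | None = None  # destination port range (min, max)

    def matches(self, pkt: dict) -> bool:
        if self.protocol != "ip" and self.protocol != pkt["proto"]:
            return False
        if not addr_matches(parse_addr(self.src), pkt["src"]):
            return False
        if not addr_matches(parse_addr(self.dst), pkt["dst"]):
            return False
        if self.dport is not None:
            lo, hi = self.dport
            if not lo <= pkt.get("dport", -1) <= hi:
                return False
        return True


class ExtendedAcl:
    def __init__(self, number: int) -> None:
        if not 100 <= number <= 199:
            raise ValueError("extended ACL numbers range from 100 to 199")
        self.number = number
        self.entries: list[Entry] = []

    def add(self, entry: Entry) -> None:
        """Neither insert nor replace given: the entry is appended to the list."""
        self.entries.append(entry)

    def insert(self, entry_no: int, entry: Entry) -> None:
        """access-list <n> insert <entry#> ...: the new entry goes before entry#."""
        self._check(entry_no)
        self.entries.insert(entry_no - 1, entry)

    def replace(self, entry_no: int, entry: Entry) -> None:
        """access-list <n> replace <entry#> ...: entry# must already exist."""
        self._check(entry_no)
        self.entries[entry_no - 1] = entry

    def _check(self, entry_no: int) -> None:
        if not 1 <= entry_no <= len(self.entries):
            raise IndexError(f"entry {entry_no} does not exist in ACL {self.number}")

    def show(self) -> list[str]:
        """Numbered listing in evaluation order, like 'show access-list'."""
        lines = []
        for i, e in enumerate(self.entries, 1):
            port = f" range {e.dport[0]} {e.dport[1]}" if e.dport else ""
            lines.append(f"{i} {e.action} {e.protocol} {e.src} {e.dst}{port}")
        return lines

    def evaluate(self, pkt: dict) -> tuple[str, int | None]:
        """First matching entry decides. Assumed implicit deny if nothing matches."""
        for i, e in enumerate(self.entries, 1):
            if e.matches(pkt):
                return e.action, i
        return "deny", None


def ordering_demo() -> dict:
    """Why appending is a trap: a deny added after 'permit ip any any' is never reached."""
    acl = ExtendedAcl(101)
    acl.add(Entry("deny", "tcp", "any", "host 10.0.0.5", (23, 23)))
    acl.add(Entry("permit", "ip", "any", "any"))
    # Constructed sample packets, not captured traffic.
    telnet = {"proto": "tcp", "src": "192.168.1.9", "dst": "10.0.0.5", "dport": 23}
    ssh = {"proto": "tcp", "src": "192.168.1.9", "dst": "10.0.0.5", "dport": 22}
    out = {"telnet": acl.evaluate(telnet)}                   # ('deny', 1)
    acl.add(Entry("deny", "tcp", "any", "host 10.0.0.5", (22, 22)))
    out["ssh_appended"] = acl.evaluate(ssh)                   # ('permit', 2): entry 3 is dead
    acl.insert(2, Entry("deny", "tcp", "any", "host 10.0.0.5", (22, 22)))
    out["ssh_inserted"] = acl.evaluate(ssh)                   # ('deny', 2)
    out["listing"] = acl.show()
    return out


if __name__ == "__main__":
    for key, value in ordering_demo().items():
        print(key, value)
```

The demo appends a new deny without insert or replace, so it lands as entry 3 behind permit ip any any and never matches; re-adding it with insert 2 places it ahead of the permit, where it takes effect. Run show() before and after any edit to confirm the entry numbers you pass to insert or replace are the ones the device is actually using.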