website pop up marketing access-list (extended)
Cisco CCNA | CCNP Certification Training Site. Cisco tips and tools for exam success. logo video

access-list (extended)

Printer-Friendly Format

Command

Access-list (Extended)

Use

This command is used to create a list that matches packets on a given criteria. While access-lists are most commonly associated with security, there are numerous uses.
Extended lists match on source addresses and destination addresses as well as protocol information.

Syntax

Router(config)#access-list <100-199 or 2000-2699> <permit or deny> <tcp or udp or ip> <source host address or network or any> <operator> <port> <destination host address or network or any> <operator><port>

Options
<100-199> or <2000-2699> Defines a standard access-list
<permit> Permits all matches specified in the list.
<deny> Denies all matches specified in the list.

Network Options
<host source ip> Host ip address that sources packets matched by the list.
<source network> IP network that sourced packets matched by the list. Uses Wildcard masks for matching.
<host destination ip> Host ip address that sources packets matched by the list.
<destination network> IP network that packets are destined for are matched by the list. Uses Wildcard masks for matching.
<any> Match anything.
Protocol Options
<tcp> Access-list will match TCP traffic.
<udp> Access-list will match UDP traffic.
<ip> Access-list will match all IP traffic.
Operator Options
<eq> Equals a given port.
<gt> Greater than a given port.
<lt> Less than a given port.
<range> A range between two ports.

Wildcard Masks

Wildcard masks are how access-lists know what networks apply to the list. They are the inverse of the subnet mask.

For example, network 123.123.123.0 0.0.0.255 would match any ip address in the 123.123.123.0/24 network.
Because a /24 mask is 255.255.255.0, the inverse would be 0.0.0.255. For the network 34.77.108.0/28, the subnet mask would be 255.255.255.248 and the inverse would be 0.0.0.7
Notice how the subnet mask and the inverse add to 255.

Example


In this example, we will make an access-list that denies packets sourced by the host 1.1.1.1 and apply the list to R2's Fa0/0.

R1(config)#access-list 101 deny tcp host 10.1.1.254 host 10.2.2.254 eq www
R1(config)#access-list 101 permit ip any any
R1(config)#int f0/0
R1(config-if)#ip access-group 101 in


In this example, we deny any tcp packet that has a port number 1024 or higher.

R1(config)#access-list 102 deny tcp any any gt 1024
R1(config)#access-list 102 permit ip any any
R1(config)#int fa0/0
R1(config-if)#ip access-group 102 in




Back to commands department

 




Printer-Friendly Format

This site and/or material is not sponsored by, endorsed by, or affiliated with Cisco Systems, Inc. and/or its affiliates. Cisco®, Cisco Systems®, CCDA™, CCNA™, CCDP™, CCNP™, CCIE™, or CCSI™ are trademarks or registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

Home | Search | Contact Us | Tell a Friend | Text Size

2006-2013 HowtoNetwork.net All Rights Reserved. Reproduction without permission prohibited.
Reality Press, Midsummer Court, 314 Midsummer Blvd.,Milton Keynes, MK92UB, UK

This site is powered by MemberGate Membership Site Software