The ip access-list command options and arguments

This tutorial explains how to create, apply, edit, update, manage, and delete a numbered and a named standard and extended access list. Learn the options, arguments, and parameters of the 'ip access-list' command.

You can create an access list in two styles: classic style and modern style. The classic style does not support the editing feature. The modern style supports the editing feature. If you use the classic style to create an ACL, you will be able to append it, but you will not be able to modify it. If you use the modern style to create an access list, you will be able to append, edit, and modify it.

[Figure: difference between classic and modern ACLs]

The classic style uses the 'access-list' command. The modern style uses the 'ip access-list' command.

I have already explained the parameters, options, and arguments of the 'access-list' command in the previous part of this article. In this part, I will explain the parameters, options, and arguments of the 'ip access-list' command.

The 'ip access-list' command

The 'ip access-list' command is a global configuration mode command. It uses the following syntax.

Router(config)# ip access-list standard|extended ACL_name or number

ip access-list: - This is the main command.

standard|extended: - This option specifies the type of ACL. To create a standard ACL, select the 'standard' option. To create an extended ACL, use the 'extended' option.

ACL_name or number: - This parameter specifies the number or the name of the ACL. The router uses this number or name to group all statements. Instead of using a number, you should use a name here. A clear and descriptive name makes ACL management easier. For example, suppose you find an ACL 126. The number 126 does not tell anything about the ACL. But if you find an ACL with a name like 'BlockSales', you can easily guess the purpose of the ACL.

Let's take some examples of this command.

The following command creates a standard ACL with the number 34.

Router(config)# ip access-list standard 34

The following command creates a standard ACL with the name 'BlockProduction'.

Router(config)# ip access-list standard BlockProduction

The following command creates an extended ACL with the number 136.

Router(config)# ip access-list extended 136

The following command creates an extended ACL with the name 'AllowHttpTraffic'.

Router(config)# ip access-list extended AllowHttpTraffic

When you hit the enter key after specifying the name or the number, the command prompt changes and you enter ACL configuration mode. The command prompt depends on the value of the 'standard|extended' option. If you have selected the standard option, you will get the following command prompt.

Router(config-std-nacl)#

If you have selected the extended option, you will get the following command prompt.

Router(config-ext-nacl)#

In ACL configuration mode, you create and manage statements. The options available to create statements depend on the type of ACL. If you have selected the standard ACL, the following options will be available.

Router(config)# ip access-list standard ACL_name_or_number
Router(config-std-nacl)# permit|deny source_IP_address [wildcard_mask] [log]

If you have selected the extended ACL, the following options will be available.

Router(config)# ip access-list extended ACL_name_or_number
Router(config-ext-nacl)# permit|deny IP_protocol source_IP_address wildcard_mask [protocol_information] destination_IP_address wildcard_mask [protocol_information] [log]

These options are the same options that we get with the 'access-list' command. I have already explained these options in the previous part of this tutorial. Let's create some example ACLs.

The following code block creates a named extended ACL.

Router(config)# ip access-list extended SecureManagement
Router(config-ext-nacl)# permit ip 172.15.0.0 0.0.255.255 172.16.0.0 0.0.255.255
Router(config-ext-nacl)# permit tcp any 172.16.0.0 0.0.255.255 established log
Router(config-ext-nacl)# permit udp any host 172.16.1.1 eq domain log
Router(config-ext-nacl)# permit tcp 172.17.0.0 0.0.255.255 host 176.16.1.2 eq telnet log
Router(config-ext-nacl)# permit icmp any 176.16.0.0 0.0.255.255 echo-reply log
Router(config-ext-nacl)# deny ip any any log

The following code blocks create a named standard ACL.

Router(config)# ip access-list standard SecureDevelopment
Router(config-std-nacl)# permit 192.168.1.0 0.0.0.255
Router(config-std-nacl)# deny any log

Activating ACLs

No matter whether you use the 'access-list' command or the 'ip access-list' command to create an ACL, the process of activating the ACL is the same.

To activate an ACL, use the following commands.

Router(config)# interface type [slot_#/]port_#
Router(config-if)# ip access-group ACL_name_or_number in|out

We use the first command to enter the interface mode. Specify the interface name and number as the argument to this command.

We use the second command to activate the ACL on the interface. Specify the ACL number or name and the direction (inbound or outbound) in which you want the ACL to filter traffic.

The following commands activate the SecureManagement ACL on the FastEthernet 0/0 interface in the inbound direction.

Router(config)# interface FastEthernet 0/0
Router(config-if)# ip access-group SecureManagement in

[Figure: ACL applied in the inbound direction]

The following commands activate the SecureDevelopment ACL on the FastEthernet 0/1 interface in the outbound direction.

Router(config)# interface FastEthernet 0/1
Router(config-if)# ip access-group SecureDevelopment out

[Figure: ACL applied in the outbound direction]

Verifying ACLs

Once you have created and activated your ACLs, you can use the following commands to verify their configuration and operation.

The 'show running-config' command

This command displays all running configurations. You can use this command to view ACLs and the interfaces on which they are activated. The following code block shows the sample output of this command.

Router# show running-config
Building configuration...
[Output omitted]
interface GigabitEthernet0/2
 ip address 30.0.0.1 255.0.0.0
 ip access-group 10 out
access-list 10 deny 10.0.0.0 0.255.255.255
access-list 10 permit 20.0.0.0 0.255.255.255
end
Router#

The above output shows that the ACL 10 is applied to the GigabitEthernet0/2 interface in the outward direction and it contains two statements.

The 'show access-lists' command

This command displays all access lists and their parameters. It also shows statistics about how many times each statement matched a packet. This command does not show which ACL is applied to which interface.

The following is example output of the 'show access-lists' command.

Router# show access-lists
Extended IP access list 100
    permit tcp 172.16.0.0 0.0.255.255 any established (189 matches)
    permit udp host 172.16.1.39 any eq domain (32 matches)
    permit icmp host 172.16.0.0 any (67 matches)
Standard IP access list 10
    10 deny 10.0.0.0 0.255.255.255 (79 matches)
    20 permit 20.0.0.0 0.255.255.255 (39 matches)
IPX sap access list 1000
    deny FFFFFFFF 7
    permit FFFFFFFF 0

The 'show access-lists' command displays the ACLs of all protocols. If you want to view only the ACLs of the IP protocol, use the 'show ip access-lists' command. The following is example output of this command.

Router# show ip access-lists
Extended IP access list 100
    permit tcp 172.16.0.0 0.0.255.255 any established (189 matches)
    permit udp host 172.16.1.39 any eq domain (32 matches)
    permit icmp host 172.16.0.0 any (67 matches)
Standard IP access list 10
    10 deny 10.0.0.0 0.255.255.255 (79 matches)
    20 permit 20.0.0.0 0.255.255.255 (39 matches)

The above command displays all IP ACLs. To view only a particular ACL, use either of the following two commands:

Router# show access-lists ACL_number_or_name
Or
Router# show ip access-lists ACL_number_or_name

The following command shows the entries of the ACL 10.

Router# show ip access-lists 10
Standard IP access list 10
    10 deny 10.0.0.0 0.255.255.255 (79 matches)
    20 permit 20.0.0.0 0.255.255.255 (39 matches)

Resetting the counter

To clear and reset the counter for an ACL, use the following command.

Router# clear access-list counters [ACL_number_or_name]

The following command clears the counter of the ACL 20.

Router# clear access-list counters 20

Identifying ACL types

You can edit or update an ACL only if you used the 'ip access-list' command to create it. If you use the 'ip access-list' command to create an ACL, the router automatically adds a sequence number to each entry. Sequence numbers allow you to insert, edit, update and delete statements in an existing ACL.

If you don't know which command was used to create an ACL, you can use the 'show access-lists' command. If you see sequence numbers in front of an ACL, the ACL was created by using the 'ip access-list' command.

The following code block shows the sample output of this command.

Router# show access-lists
Extended IP access list 101
    10 permit ip host 192.168.101.69 any
    20 permit ip host 192.168.101.89 any
Standard IP access list 30
    deny 10.0.0.0 0.255.255.255
    permit 20.0.0.0 0.255.255.255

As you can see in the above output, the ACL 101 has sequence numbers and the ACL 30 does not have sequence numbers. You can edit ACL 101 but you can't edit ACL 30.
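The following Python script is an added example (not part of this tutorial) that parses 'show access-lists' output of the form shown above into a structure, flags the ACLs that carry sequence numbers (and can therefore be edited in place with 'ip access-list'), and lists entries whose match counter is still zero, which is a quick way to spot rules that never fire. The sample output is constructed from the listings in this section.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the 'show access-lists' format shown in this tutorial.
SAMPLE_OUTPUT = """\
Router# show access-lists
Extended IP access list 101
    10 permit ip host 192.168.101.69 any
    20 permit ip host 192.168.101.89 any (5 matches)
Standard IP access list 30
    deny 10.0.0.0 0.255.255.255(79 matches)
    permit 20.0.0.0 0.255.255.255
IPX sap access list 1000
    deny FFFFFFFF 7
"""

HEADER_RE = re.compile(r"^(Standard|Extended) IP access list (\S+)$")
# Optional sequence number, action, rule text, optional "(N matches)" counter.
ENTRY_RE = re.compile(r"^(?:(\d+) )?(permit|deny) (.*?)(?: ?\((\d+) matches\))?$")


@dataclass
class Acl:
    kind: str                                   # "standard" or "extended"
    name: str                                   # number or name
    entries: list = field(default_factory=list)  # (seq, action, rule, matches)

    def is_editable(self):
        # Only ACLs created with 'ip access-list' carry sequence numbers.
        return bool(self.entries) and all(e[0] is not None for e in self.entries)

    def unused_entries(self):
        # Entries that have not matched a packet since the counters were last cleared.
        return [rule for _, _, rule, hits in self.entries if hits == 0]


def parse_show_access_lists(text):
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current = Acl(header.group(1).lower(), header.group(2))
            acls[current.name] = current
        elif " access list " in line:
            current = None                      # non-IP list (e.g. IPX): ignore its entries
        elif current is not None:
            entry = ENTRY_RE.match(line)
            if entry:
                seq, action, rule, hits = entry.groups()
                current.entries.append(
                    (int(seq) if seq else None, action, rule, int(hits or 0)))
    return acls
```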

Editing/updating ACL entries

To edit or update an ACL, we have to enter ACL configuration mode. Once we enter ACL configuration mode, we can use the following command to delete an existing entry.

Router(config)# ip access-list {standard|extended} ACL_name_or_number
Router(config-{std|ext}-nacl)# no sequence_#

After deleting the existing entry, we can insert an updated entry at the place of the existing entry. To insert the updated entry, we will use the sequence number of the deleted entry.

To update an entry in the standard access list, use the following command.

Router(config)# ip access-list standard ACL_name_or_number
Router(config-std-nacl)# [sequence_#] permit|deny source_IP_address [wildcard_mask] [log]

To update an entry in the extended access list, use the following command.

Router(config)# ip access-list extended ACL_name_or_number
Router(config-ext-nacl)# [sequence_#] permit|deny IP_protocol source_IP_address wildcard_mask [protocol_information] destination_IP_address wildcard_mask [protocol_information] [log]

The following code block updates an entry [sequence no 20] and verifies the update.

Router# show access-lists
Extended IP access list SecureManagement
    10 permit ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255
    20 permit ip 10.0.0.0 0.255.255.255 30.0.0.0 0.255.255.255
    30 permit ip 10.0.0.0 0.255.255.255 40.0.0.0 0.255.255.255
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# ip access-list extended SecureManagement
Router(config-ext-nacl)# no 20
Router(config-ext-nacl)# 20 deny ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255
Router(config-ext-nacl)# exit
Router(config)# exit
Router# show access-lists
Extended IP access list SecureManagement
    10 permit ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255
    20 deny ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255
    30 permit ip 10.0.0.0 0.255.255.255 40.0.0.0 0.255.255.255
Router#

Inserting new entries

A router assigns sequence numbers in increments of 10. For example, if you have three entries in an ACL, the router will assign the sequence numbers 10, 20, and 30 to them, in that order.

To insert a new entry, use a sequence number that lies between the numbers of the neighbouring entries. For example, if you want to insert a new entry between the entries whose sequence numbers are 10 and 20, you can use any number from 11 to 19.

The following code block inserts a new statement with the sequence number 12 into the ACL SecureManagement.

Router# show access-lists
Extended IP access list SecureManagement
    10 permit ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255
    20 permit ip 10.0.0.0 0.255.255.255 30.0.0.0 0.255.255.255
    30 permit ip 10.0.0.0 0.255.255.255 40.0.0.0 0.255.255.255
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# ip access-list extended SecureManagement
Router(config-ext-nacl)# 12 deny ip 10.0.0.0 0.255.255.255 30.0.0.1 0.0.0.0
Router(config-ext-nacl)# exit
Router(config)# exit
Router# show access-lists
Extended IP access list SecureManagement
    10 permit ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255
    12 deny ip 10.0.0.0 0.255.255.255 30.0.0.1 0.0.0.0
    20 permit ip 10.0.0.0 0.255.255.255 30.0.0.0 0.255.255.255
    30 permit ip 10.0.0.0 0.255.255.255 40.0.0.0 0.255.255.255
Router#
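The Python model below is an added example, not the tutorial's own code, that covers two things explained on this page: the wildcard-mask matching behind the ACL statement syntax, and first-match evaluation of sequence-numbered entries ending in the implicit deny. It replays the SecureManagement edits shown above (remove and re-add entry 20, insert entry 12) against sample packets; the entries and packet addresses are constructed from the listings, and the helper names are my own.

```python
import ipaddress

# Constructed from the SecureManagement listing above: seq -> (action, source, destination).
ORIGINAL = {
    10: ("permit", "10.0.0.0 0.255.255.255", "20.0.0.0 0.255.255.255"),
    20: ("permit", "10.0.0.0 0.255.255.255", "30.0.0.0 0.255.255.255"),
    30: ("permit", "10.0.0.0 0.255.255.255", "40.0.0.0 0.255.255.255"),
}


def wildcard_match(addr, spec):
    """Cisco wildcard semantics: a 0 bit in the wildcard mask means 'must match'."""
    addr = ipaddress.IPv4Address(addr)
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == ipaddress.IPv4Address(spec.split()[1])
    net, wild = (int(ipaddress.IPv4Address(p)) for p in spec.split())
    care = ~wild & 0xFFFFFFFF           # the bits the ACL actually compares
    return int(addr) & care == net & care


def evaluate(acl, src, dst):
    """Walk entries in sequence order; the first match wins, otherwise implicit deny."""
    for seq in sorted(acl):
        action, s_spec, d_spec = acl[seq]
        if wildcard_match(src, s_spec) and wildcard_match(dst, d_spec):
            return action, seq
    return "deny", None                 # the unwritten 'deny ip any any' at the end


def insert_entry(acl, seq, entry):
    """Mirror '<seq> permit|deny ...' in named-ACL mode; a used number must be removed first."""
    if seq in acl:
        raise ValueError(f"sequence {seq} is in use; run 'no {seq}' first")
    acl[seq] = entry


def remove_entry(acl, seq):
    """Mirror 'no <seq>' in named-ACL mode."""
    del acl[seq]
```

Replaying the update example with this model also shows its catch: after 'no 20' and '20 deny ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255', a packet from 10.0.0.0/8 to 20.0.0.0/8 is still permitted by entry 10, because the first matching entry decides and entry 20 is never reached.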
 

Deleting an ACL

To delete an ACL, use the following command.

Router(config)# no ip access-list {standard|extended} ACL_name_or_number

The following code deletes the SecureManagement ACL.

Router(config)#no ip access-list extended SecureManagement

That's all for this tutorial. In the next tutorial, we will take some practical examples of access lists.
