This tutorial explains how to create, apply, edit, update, manage, and delete a numbered and a named standard and extended access list. Learn the options, arguments, and parameters of the 'ip access-list' command.
You can create an access list in two styles: classic style and modern style. The classic style does not support the editing feature. The modern style supports the editing feature. If you use the classic style to create an ACL, you will be able to append it, but you will not be able to modify it. If you use the modern style to create an access list, you will be able to append, edit, and modify it.
The classic style uses the 'access-list' command. The modern style uses the 'ip access-list' command.
I have already explained the parameters, options, and arguments of the 'access-list' command in the previous part of this article. In this part, I will explain the parameters, options, and arguments of the 'ip access-list' command.
This tutorial is the eighth part of the article 'Cisco Access Lists Explained with Examples'. The other parts of this article are the following.
Definition, purposes, benefits, and functions of ACL
Basic concepts and fundamentals of ACLs
How Access Lists work on Cisco routers
Types of access control lists explained
Wildcard masks in ACLs Explained
Rules and configuration guidelines for Cisco ACLs
Access Control List Explained with Examples
Standard ACL Configuration Commands Explained
Configure Standard Access Control List Step by Step Guide
How to secure VTY access to the Router
Extended ACL Configuration Commands Explained
Configure Extended Access Control List Step by Step Guide
How to block ICMP Ping on Cisco Routers
The 'ip access-list' command
The 'ip access-list' command is a global configuration mode command. It uses the following syntax.
Router(config)# ip access-list standard|extended ACL_name or number
ip access-list: - This is the main command.
standard|extended: - This option specifies the type of ACL. To create a standard ACL, select the 'standard' option. To create an extended ACL, use the 'extended' option.
ACL_name or number: - This parameter specifies the number or the name of the ACL. The router uses this number or name to group all statements. Instead of using a number, you should use a name here. A clear and descriptive name makes ACL management easier. For example, suppose you find an ACL 126. The number 126 tells you nothing about the ACL. But if you find an ACL with a name like 'BlockSales', you can easily guess the purpose of the ACL.
Let's take some examples of this command.
The following command creates a standard ACL with the number 34.
Router(config)# ip access-list standard 34
The following command creates a standard ACL with the name 'BlockProduction'.
Router(config)# ip access-list standard BlockProduction
The following command creates an extended ACL with the number 136.
Router(config)# ip access-list extended 136
The following command creates an extended ACL with the name 'AllowHttpTraffic'.
Router(config)# ip access-list extended AllowHttpTraffic
When you hit the enter key after specifying the name or the number, the command prompt changes and you enter ACL configuration mode. The command prompt depends on the value of the 'standard|extended' option. If you have selected the standard option, you will get the following command prompt.
Router(config-std-acl)#
If you have selected the extended option, you will get the following command prompt.
Router(config-ext-acl)#
In ACL configuration mode, you create and manage statements. The options available to create statements depend on the type of ACL. If you have selected the standard ACL, the following options will be available.
Router(config)# ip access-list standard ACL_name
Router(config-std-acl)# permit|deny source_IP_address [wildcard_mask] [log]
If you have selected the extended ACL, the following options will be available.
Router(config)# ip access-list extended ACL_name
Router(config-ext-acl)# permit|deny IP_protocol source_IP_address wildcard_mask [protocol_information] destination_IP_address wildcard_mask [protocol_information] [log]
These options are the same options that we get with the 'access-list' command. I have already explained these options in the previous part of this tutorial. Let's create some example ACLs.
The following code block creates a named extended ACL.
Router(config)# ip access-list extended SecureManagement
Router(config-ext-acl)# permit ip 172.15.0.0 0.0.255.255 172.16.0.0 0.0.255.255
Router(config-ext-acl)# permit tcp any 172.16.0.0 0.0.255.255 established log
Router(config-ext-acl)# permit udp any host 172.16.1.1 eq domain log
Router(config-ext-acl)# permit tcp 172.17.0.0 0.0.255.255 host 176.16.1.2 eq telnet log
Router(config-ext-acl)# permit icmp any 176.16.0.0 0.0.255.255 echo-reply log
Router(config-ext-acl)# deny ip any any log
The following code block creates a named standard ACL. A standard ACL matches on the source address only, so its statements take no protocol keyword and no destination.
Router(config)# ip access-list standard SecureDevelopment
Router(config-std-acl)# permit 192.168.1.0 0.0.0.255
Router(config-std-acl)# deny any log
Activating ACLs
No matter whether you use the 'access-list' command or the 'ip access-list' command to create an ACL, the process of activating the ACL is the same.
To activate an ACL, use the following commands.
Router(config)# interface type [slot_#]port_#
Router(config-if)# ip access-group ACL_# in|out
We use the first command to enter the interface mode. Specify the interface name and number as the argument to this command.
We use the second command to activate the ACL to the interface. Specify the ACL number or name and the direction in which you want to activate the ACL.
The following commands activate the SecureManagement ACL to the FastEthernet 0/0 interface in the inward direction.
Router(config)# interface FastEthernet 0/0
Router(config-if)# ip access-group SecureManagement in
The following commands activate the SecureDevelopment ACL to the FastEthernet 0/1 interface in the outward direction.
Router(config)# interface FastEthernet 0/1
Router(config-if)# ip access-group SecureDevelopment out
Verifying ACLs
Once you have created and activated your ACLs, you can use the following commands to verify their configuration and operation.
The 'show running-config' command
This command displays all running configurations. You can use this command to view ACLs and the interfaces on which they are activated. The following code block shows the sample output of this command.
Router#show running-config
Building configuration...
[Output omitted]
interface GigabitEthernet0/2
 ip address 30.0.0.1 255.0.0.0
 ip access-group 10 out
access-list 10 deny 10.0.0.0 0.255.255.255
access-list 10 permit 20.0.0.0 0.255.255.255
end
Router#
The above output shows that the ACL 10 is applied to the GigabitEthernet0/2 interface in the outward direction and it contains two statements.
The 'show access-lists' command
This command displays all access lists and their parameters. It also shows statistics about how many times each statement matched a packet. This command does not show which ACL is applied to which interface.
Following is the example of the 'show access-lists' command.
Router# show access-lists
Extended IP access list 100
    permit tcp 172.16.0.0 0.0.255.255 any established (189 matches)
    permit udp host 172.16.1.39 any eq domain (32 matches)
    permit icmp host 172.16.0.0 any (67 matches)
Standard IP access list 10
    10 deny 10.0.0.0 0.255.255.255 (79 matches)
    20 permit 20.0.0.0 0.255.255.255 (39 matches)
IPX sap access list 1000
    deny FFFFFFFF 7
    permit FFFFFFFF 0
The 'show access-lists' command displays all ACLs from all protocols. If you want to view only ACLs for the IP protocol, use the 'show ip access-lists' command. Following is the example output of this command.
Router# show ip access-lists
Extended IP access list 100
    permit tcp 172.16.0.0 0.0.255.255 any established (189 matches)
    permit udp host 172.16.1.39 any eq domain (32 matches)
    permit icmp host 172.16.0.0 any (67 matches)
Standard IP access list 10
    10 deny 10.0.0.0 0.255.255.255 (79 matches)
    20 permit 20.0.0.0 0.255.255.255 (39 matches)
The above command displays all IP ACLs. To view only a particular ACL, use either of the following two commands:
Router# show access-lists ACL_number_or_name
Or
Router# show ip access-lists ACL_number_or_name
The following command shows the entries of the ACL 10.
Router# show ip access-lists 10
Standard IP access list 10
    10 deny 10.0.0.0 0.255.255.255 (79 matches)
    20 permit 20.0.0.0 0.255.255.255 (39 matches)
Resetting the counter
To clear and reset the counter for an ACL, use the following command.
Router# clear access-list counters [ACL_#_number_or_name]
The following command clears the counter of the ACL 20.
Router# clear access-list counters 20
Identifying ACL types
You can edit or update an ACL only if you used the 'ip access-list' command to create it. If you use the 'ip access-list' command to create an ACL, the router automatically adds a sequence number to each entry. Sequence numbers allow you to insert, edit, update and delete statements in an existing ACL.
If you don't know which command was used to create an ACL, you can use the 'show access-lists' command. If you see sequence numbers in front of an ACL, the ACL was created by using the 'ip access-list' command.
The following code block shows the sample output of this command.
Router# show access-list
Extended IP access list 101
    10 permit ip host 192.168.101.69 any
    20 permit ip host 192.168.101.89 any
Standard IP access list 30
    deny 10.0.0.0 0.255.255.255
    permit 20.0.0.0 0.255.255.255
As you can see in the above output, the ACL 101 has sequence numbers and the ACL 30 does not have sequence numbers. You can edit ACL 101 but you can't edit ACL 30.
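When you manage more than a handful of routers, reading 'show access-lists' output by eye does not scale. The following Python script is an added example (it is not from this article's author or from Cisco) that parses that output, records each entry's sequence number and match counter, and flags which ACLs can be edited in place by the rule of thumb above (every entry carries a sequence number). The sample output is constructed from the listings on this page; the function names are my own.

```python
import re

# Constructed sample of 'show access-lists' output, assembled from the
# listings on this page (not captured from a real device).
SAMPLE_OUTPUT = """\
Extended IP access list 101
    10 permit ip host 192.168.101.69 any
    20 permit ip host 192.168.101.89 any
Standard IP access list 30
    deny 10.0.0.0 0.255.255.255
    permit 20.0.0.0 0.255.255.255
Standard IP access list 10
    10 deny 10.0.0.0 0.255.255.255 (79 matches)
    20 permit 20.0.0.0 0.255.255.255 (39 matches)
IPX sap access list 1000
    deny FFFFFFFF 7
    permit FFFFFFFF 0
"""

# 'Standard IP access list 10' / 'Extended IP access list SecureManagement'
HEADER_RE = re.compile(r"^(Standard|Extended) IP access list (\S+)\s*$")
# optional sequence number, action, rule text, optional '(N matches)' counter
ENTRY_RE = re.compile(
    r"^\s+(?:(\d+)\s+)?(permit|deny)\s+(.*?)\s*(?:\((\d+) matches?\))?\s*$"
)


def parse_show_access_lists(text):
    """Return {acl_name: {'type': ..., 'entries': [...], 'editable': bool}}.

    Only IP ACLs are parsed; lists for other protocols (e.g. IPX) are skipped.
    'matches' is None when the router printed no counter for the entry.
    """
    acls = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        header = HEADER_RE.match(line)
        if header:
            current = {"type": header.group(1).lower(), "entries": []}
            acls[header.group(2)] = current
            continue
        if not line[0].isspace():
            current = None  # header of a non-IP list: ignore its entries
            continue
        entry = ENTRY_RE.match(line)
        if entry and current is not None:
            seq, action, rule, matches = entry.groups()
            current["entries"].append({
                "seq": int(seq) if seq else None,
                "action": action,
                "rule": rule,
                "matches": int(matches) if matches is not None else None,
            })
    for acl in acls.values():
        # Page's rule of thumb: sequence numbers on every entry mean the ACL was
        # built with 'ip access-list' and can be edited in place.
        acl["editable"] = bool(acl["entries"]) and all(
            e["seq"] is not None for e in acl["entries"]
        )
    return acls


def unused_entries(acls):
    """(acl, seq, statement) for entries whose counter reads zero.

    Useful when reviewing an ACL for dead statements; remember the counters
    only mean something if they have not been cleared recently.
    """
    found = []
    for name, acl in acls.items():
        for e in acl["entries"]:
            if e["matches"] == 0:
                found.append((name, e["seq"], f"{e['action']} {e['rule']}"))
    return found


if __name__ == "__main__":
    for name, acl in parse_show_access_lists(SAMPLE_OUTPUT).items():
        print(name, acl["type"], "editable" if acl["editable"] else "append-only",
              len(acl["entries"]), "entries")
```

The regular expression accepts both '0.255.255.255 (79 matches)' and the glued form '0.255.255.255(79 matches)' that appears in some listings, so it can be pointed at output pasted from a terminal without cleanup.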
Editing/updating ACL entries
To edit or update an ACL, we have to enter ACL configuration mode. Once we enter ACL configuration mode, we can use the following command to delete an existing entry.
Router(config)# ip access-list {standard|extended} ACL_name_or_number
Router(config-{std|ext}-nacl)# no sequence_#
After deleting the existing entry, we can insert an updated entry at the place of the existing entry. To insert the updated entry, we will use the sequence number of the deleted entry.
To update an entry in the standard access list, use the following command.
Router(config)# ip access-list standard ACL_name
Router(config-std-acl)# [sequence_no] permit|deny source_IP_address [wildcard_mask]
To update an entry in the extended access list, use the following command.
Router(config)# ip access-list extended ACL_name
Router(config-ext-acl)# [sequence_no] permit|deny IP_protocol source_IP_address wildcard_mask [protocol_information] destination_IP_address wildcard_mask [protocol_information] [log]
The following code block updates an entry [sequence no 20] and verifies the update.
Router#show access-lists
Extended IP access list SecureManagment
    10 permit ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255
    20 permit ip 10.0.0.0 0.255.255.255 30.0.0.0 0.255.255.255
    30 permit ip 10.0.0.0 0.255.255.255 40.0.0.0 0.255.255.255
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#ip access-list extended SecureManagment
Router(config-ext-nacl)#no 20
Router(config-ext-nacl)#20 deny ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255
Router(config-ext-nacl)#exit
Router(config)#exit
Router#show access-lists
Extended IP access list SecureManagment
    10 permit ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255
    20 deny ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255
    30 permit ip 10.0.0.0 0.255.255.255 40.0.0.0 0.255.255.255
Router#
Inserting new entries
A router assigns sequence numbers in increments of 10. For example, if you have three entries in an ACL, the router will assign them the sequence numbers 10, 20, and 30 respectively.
To insert a new entry, use a sequence number that falls between the existing entries. For example, if you want to insert a new entry between the entries whose sequence numbers are 10 and 20, you can use any number from 11 to 19.
The following code block inserts a new statement with the sequence number 12 into the ACL SecureManagment.
Router#show access-lists
Extended IP access list SecureManagment
    10 permit ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255
    20 permit ip 10.0.0.0 0.255.255.255 30.0.0.0 0.255.255.255
    30 permit ip 10.0.0.0 0.255.255.255 40.0.0.0 0.255.255.255
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#ip access-list extended SecureManagment
Router(config-ext-nacl)#12 deny ip 10.0.0.0 0.255.255.255 30.0.0.1 0.0.0.0
Router(config-ext-nacl)#exit
Router(config)#exit
Router#show access-lists
Extended IP access list SecureManagment
    10 permit ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255
    12 deny ip 10.0.0.0 0.255.255.255 30.0.0.1 0.0.0.0
    20 permit ip 10.0.0.0 0.255.255.255 30.0.0.0 0.255.255.255
    30 permit ip 10.0.0.0 0.255.255.255 40.0.0.0 0.255.255.255
Router#
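Sequence numbers matter because an ACL is evaluated top-down and the first matching statement wins, with an implicit deny after the last one. The Python model below is an added example (not from this article's author or from Cisco) that reproduces the two edits above on the SecureManagment ACL: the 'no 20' / '20 deny ...' replacement and the '12 deny ... 30.0.0.1 0.0.0.0' insertion. It evaluates packets with real Cisco wildcard-mask semantics so you can see which entry a packet hits before and after each edit. The NamedAcl class and the helper names are mine; the addresses are the ones in the listings.

```python
import ipaddress


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


class NamedAcl:
    """Minimal model of a named extended ACL with sequence numbers.

    Hypothetical helper written for this example; it is not IOS code.
    """

    def __init__(self, name):
        self.name = name
        self.entries = {}  # seq -> (action, protocol, src, src_wc, dst, dst_wc)

    def add(self, action, protocol, src, src_wc, dst, dst_wc, seq=None):
        """Append (next free multiple of 10) or insert at an explicit sequence number."""
        if seq is None:
            seq = max(self.entries) + 10 if self.entries else 10
        if seq in self.entries:
            raise ValueError(f"sequence {seq} is already in use; remove it first")
        self.entries[seq] = (action, protocol, src, src_wc, dst, dst_wc)
        return seq

    def remove(self, seq):
        """Equivalent of 'no <sequence>' in ACL configuration mode."""
        del self.entries[seq]

    def evaluate(self, protocol, src, dst):
        """First match in sequence order wins; no match means the implicit deny."""
        for seq in sorted(self.entries):
            action, proto, s, s_wc, d, d_wc = self.entries[seq]
            if (proto in ("ip", protocol)
                    and wildcard_match(src, s, s_wc)
                    and wildcard_match(dst, d, d_wc)):
                return action, seq
        return "deny", None

    def show(self):
        """Lines in the style of 'show access-lists'."""
        return [f"{seq} {' '.join(self.entries[seq])}" for seq in sorted(self.entries)]


def build_secure_managment():
    """The three-entry ACL from the listings above (values taken from the page)."""
    acl = NamedAcl("SecureManagment")
    acl.add("permit", "ip", "10.0.0.0", "0.255.255.255", "20.0.0.0", "0.255.255.255")
    acl.add("permit", "ip", "10.0.0.0", "0.255.255.255", "30.0.0.0", "0.255.255.255")
    acl.add("permit", "ip", "10.0.0.0", "0.255.255.255", "40.0.0.0", "0.255.255.255")
    return acl


def insert_host_deny(acl):
    """'12 deny ip 10.0.0.0 0.255.255.255 30.0.0.1 0.0.0.0' from the insertion example."""
    return acl.add("deny", "ip", "10.0.0.0", "0.255.255.255", "30.0.0.1", "0.0.0.0", seq=12)


def replace_entry_20(acl):
    """'no 20' followed by '20 deny ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255'."""
    acl.remove(20)
    return acl.add("deny", "ip", "10.0.0.0", "0.255.255.255", "20.0.0.0", "0.255.255.255", seq=20)


if __name__ == "__main__":
    acl = build_secure_managment()
    insert_host_deny(acl)
    print("\n".join(acl.show()))
    print(acl.evaluate("tcp", "10.1.1.1", "30.0.0.1"))  # hits the new entry 12
    print(acl.evaluate("tcp", "10.1.1.1", "30.0.0.2"))  # still permitted by entry 20
```

Running evaluate() after the replacement edit is instructive: the new entry 20 (deny to 20.0.0.0/8) sits below entry 10, which permits the same source and destination ranges, so traffic to 20.0.0.0/8 is still permitted by entry 10 and entry 20 never matches. Whenever you re-use a sequence number, check that the statements above it do not already cover the same traffic, otherwise the edit has no effect.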
Deleting an ACL
To delete an ACL, use the following command.
Router(config)# no ip access-list {standard|extended} ACL_name_or_number
The following code deletes the SecureManagement ACL.
Router(config)#no ip access-list extended SecureManagement
That's all for this tutorial. In the next tutorial, we will take some practical examples of access lists.