Option                    Meaning
                          list. Also allows the creation and separation of multiple access lists.
permit or deny            Specifies the effect of the access-list statement as allowing or blocking the traffic specified.
protocol                  Specifies the protocol to be filtered in the access-list statement.
hostname or IP address    Specifies the hostname or device's IP address that will be acted upon in the access-list statement. In an extended access list, this field will be entered for both the source and destination host or device.
host                      Specifies a single specific host for the statement.
any                       Specifies that regardless of the host or device IP, it will match the statement.
eq                        Means equal to, and specifies the application protocol to be filtered by the statement.
Here’s an example of an extended IP access list:
Corp(config)#access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
<1100-1199> Extended 48-bit MAC address access list
<1300-1999> IP standard access list (expanded range)
<200-299> Protocol type-code access list
<2000-2699> IP extended access list (expanded range)
<700-799> 48-bit MAC address access list
compiled Enable IP access-list compilation
dynamic-extended Extend the dynamic ACL absolute timer
rate-limit Simple rate-limit specific access list
The first command shows the access-list numbers available. You'll use the extended access-list range from 100 to 199. Be sure to notice that the range 2000–2699 is also available for extended IP access lists.
At this point, you need to decide what type of list entry you are making. For this example,
you’ll choose a deny list entry:
Corp(config)#access-list 110 ?
deny Specify packets to reject
dynamic Specify a DYNAMIC list of PERMITs or DENYs
permit Specify packets to forward
remark Access list entry comment
Once you choose the access-list type, you then need to select a protocol field entry:
Corp(config)#access-list 110 deny ?
<0-255> An IP protocol number
ahp Authentication Header Protocol
eigrp Cisco's EIGRP routing protocol
esp Encapsulation Security Payload
gre Cisco's GRE tunneling
icmp Internet Control Message Protocol
igmp Internet Gateway Message Protocol
ip Any Internet Protocol
ipinip IP in IP tunneling
nos KA9Q NOS compatible IP over IP tunneling
ospf OSPF routing protocol
pcp Payload Compression Protocol
pim Protocol Independent Multicast
tcp Transmission Control Protocol
udp User Datagram Protocol
Here, you’ll choose to filter an Application-layer protocol that uses TCP by selecting TCP
as the protocol. You’ll specify the specific TCP port later. Next, you will be prompted for the
source IP address of the host or network (you can choose the any command to allow any
source address):
Corp(config)#access-list 110 deny tcp ?
A.B.C.D Source address
any Any source host
host A single source host
After the source address is selected, the destination address is chosen:
Corp(config)#access-list 110 deny tcp any ?
A.B.C.D Destination address
any Any destination host
eq Match only packets on a given port number
gt Match only packets with a greater port number
host A single destination host
lt Match only packets with a lower port number
neq Match only packets not on a given port number
range Match only packets in the range of port numbers
In the following example, any source IP address that has a destination IP address of
172.16.30.2 has been denied:
Corp(config)#access-list 110 deny tcp any host 172.16.30.2 ?
ack Match on the ACK bit
dscp Match packets with given dscp value
eq Match only packets on a given port number
established Match established connections
fin Match on the FIN bit
fragments Check non-initial fragments
gt Match only packets with a greater port number
log Log matches against this entry
log-input Log matches against this entry, including input interface
lt Match only packets with a lower port number
neq Match only packets not on a given port number
precedence Match packets with given precedence value
psh Match on the PSH bit
range Match only packets in the range of port numbers
rst Match on the RST bit
syn Match on the SYN bit
time-range Specify a time-range
tos Match packets with given TOS value
urg Match on the URG bit
You can press Enter here and leave the access list as is. But if you do that, all TCP traffic
to host 172.16.30.2 will be denied, regardless of the destination port. You can be even more
specific: once you have the host addresses in place, just specify the type of service you are denying.
The following help output shows you the available options. You can choose a port number or
use the application or protocol name:
Corp(config)#access-list 110 deny tcp any host 172.16.30.2 eq ?
<0-65535> Port number
bgp Border Gateway Protocol (179)
chargen Character generator (19)
cmd Remote commands (rcmd, 514)
daytime Daytime (13)
discard Discard (9)
domain Domain Name Service (53)
drip Dynamic Routing Information Protocol (3949)
echo Echo (7)
exec Exec (rsh, 512)
finger Finger (79)
ftp File Transfer Protocol (21)
ftp-data FTP data connections (20)
gopher Gopher (70)
hostname NIC hostname server (101)
ident Ident Protocol (113)
irc Internet Relay Chat (194)
klogin Kerberos login (543)
kshell Kerberos shell (544)
login Login (rlogin, 513)
lpd Printer service (515)
nntp Network News Transport Protocol (119)
pim-auto-rp PIM Auto-RP (496)
pop2 Post Office Protocol v2 (109)
pop3 Post Office Protocol v3 (110)
smtp Simple Mail Transport Protocol (25)
sunrpc Sun Remote Procedure Call (111)
syslog Syslog (514)
tacacs TAC Access Control System (49)
talk Talk (517)
telnet Telnet (23)
time Time (37)
uucp Unix-to-Unix Copy Program (540)
whois Nicname (43)
www World Wide Web (HTTP, 80)
At this point, let’s block Telnet (port 23) to host 172.16.30.2 only. If the users want to FTP,
fine—that’s allowed. The log command is used to log messages every time the access list is hit.
This can be an extremely cool way to monitor inappropriate access attempts. Here is how to
do this:
Corp(config)#access-list 110 deny tcp any host 172.16.30.2 eq 23 log
You need to keep in mind that the next line is an implicit deny any by default. If you apply
this access list to an interface, you might as well just shut the interface down, since by default
there is an implicit deny all at the end of every access list. You have to follow up the access
list with the following command:
Corp(config)#access-list 110 permit ip any any
Remember, 0.0.0.0 255.255.255.255 is the same command as any, so the command
could look like this:
Corp(config)#access-list 110 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
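The following Python script is an added example, not IOS code or anything from the original text. It simulates how a router walks the access list built above: first match wins, `any` and `0.0.0.0 255.255.255.255` are the same wildcard-mask match, the `eq`/`neq`/`gt`/`lt`/`range` port operators narrow a TCP or UDP match, and a list with no match falls through to the implicit deny. The entry and packet fields, the list name `ACL_110` and the sample packets are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed model of an IOS extended access-list entry (not IOS code).
@dataclass
class Entry:
    action: str                 # "permit" or "deny"
    protocol: str               # "ip" matches every IP protocol; else "tcp", "udp", "icmp", ...
    src: str                    # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" (address + wildcard)
    dst: str
    dst_op: Optional[str] = None    # None, "eq", "neq", "gt", "lt" or "range"
    dst_ports: Tuple[int, ...] = ()
    log: bool = False

@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None  # None for protocols without ports (e.g. icmp)

def address_matches(spec: str, addr: str) -> bool:
    """IOS wildcard-mask semantics: a 1 bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ipaddress.ip_address(spec.split()[1]) == ipaddress.ip_address(addr)
    net, wildcard = spec.split()
    keep = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF   # bits that must be equal
    return (int(ipaddress.ip_address(addr)) & keep) == (int(ipaddress.ip_address(net)) & keep)

def port_matches(op: Optional[str], ports: Tuple[int, ...], port: Optional[int]) -> bool:
    """Apply the port operator from the eq/neq/gt/lt/range help output."""
    if op is None:
        return True             # no port qualifier: every port (or no port) matches
    if port is None:
        return False            # a port qualifier can never match a portless packet
    if op == "eq":
        return port == ports[0]
    if op == "neq":
        return port != ports[0]
    if op == "gt":
        return port > ports[0]
    if op == "lt":
        return port < ports[0]
    if op == "range":
        return ports[0] <= port <= ports[1]
    raise ValueError(f"unknown operator {op}")

def evaluate(acl, pkt: Packet):
    """Return (action, index of matching entry or None, logged).

    Entries are checked top-down and the first match wins; if nothing
    matches, the result is the implicit deny at the end of every list.
    """
    for i, e in enumerate(acl):
        if e.protocol != "ip" and e.protocol != pkt.protocol:
            continue
        if not address_matches(e.src, pkt.src) or not address_matches(e.dst, pkt.dst):
            continue
        if not port_matches(e.dst_op, e.dst_ports, pkt.dst_port):
            continue
        return e.action, i, e.log
    return "deny", None, False

# access-list 110 as built in the text (constructed representation):
#   deny tcp any host 172.16.30.2 eq 23 log
#   permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
ACL_110 = [
    Entry("deny", "tcp", "any", "host 172.16.30.2", "eq", (23,), log=True),
    Entry("permit", "ip", "0.0.0.0 255.255.255.255", "0.0.0.0 255.255.255.255"),
]

def demo():
    """Constructed sample packets: Telnet and FTP from an arbitrary source."""
    telnet = Packet("tcp", "10.1.1.5", "172.16.30.2", 23)
    ftp = Packet("tcp", "10.1.1.5", "172.16.30.2", 21)
    return {
        "telnet": evaluate(ACL_110, telnet),          # ("deny", 0, True)
        "ftp": evaluate(ACL_110, ftp),                # ("permit", 1, False)
        # Same list without the trailing permit: FTP now hits the implicit deny.
        "ftp_no_permit": evaluate(ACL_110[:1], ftp),  # ("deny", None, False)
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14} -> {result}")
```

Running the script shows the pitfall the text warns about: with only the `deny ... eq 23 log` line in place, even the FTP session that was meant to be allowed is dropped by the implicit deny, which is why the `permit ip any any` line must follow. The `log` flag is returned alongside the action so the caller can see which matches would generate the log message used to monitor access attempts.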
Once the access list is created, you need to apply it to an interface (it’s the same command
as the IP standard list), like so:
Corp(config-if)#ip access-group 110 in
or like so:
Corp(config-if)#ip access-group 110 out