Reference Guide

Access Control Lists (ACLs) | 125
Configuring an Extended IP ACL
Extended IP ACLs filter on source and destination IP addresses, IP host addresses, TCP addresses, TCP host addresses, UDP addresses, and UDP host addresses.

Because traffic passes through the filter in the order of the filter's sequence, you can configure the extended IP ACL by first entering the IP ACCESS LIST mode and then assigning a sequence number to the filter.
Configuring Filters with a Sequence Number
To create a filter for packets with a specified sequence number, follow these steps, starting in the CONFIGURATION mode:

Step 1
  Command Syntax: ip access-list extended access-list-name
  Command Mode: CONFIGURATION
  Purpose: Enter the IP ACCESS LIST mode by creating an extended IP ACL.

Step 2
  Command Syntax: seq sequence-number {deny | permit} {ip-protocol-number | icmp | ip | tcp | udp} {source mask | any | host ip-address} {destination mask | any | host ip-address} [operator port [port]] [count [byte] | log] [order] [monitor] [fragments]
  Command Mode: CONFIG-EXT-NACL
  Purpose: Configure a drop or forward filter.

Note: When you use the log keyword, the CP logs details about the packets that match. Depending on how many packets match the log entry and at what rate, the CP may become busy because it has to log the details of each of these packets.

When you create filters with a specific sequence number, you can create them in any order; the filters are placed in the correct order by sequence number.

Figure 7-12 shows how the seq command orders the filters according to the sequence number assigned. In the example, filter 15 was configured before filter 5, but the show config command displays the filters in the correct order.

Note: When assigning sequence numbers to filters, keep in mind that you might need to insert a new filter later. To avoid reconfiguring multiple filters, assign sequence numbers in multiples of five or of another number, leaving gaps between them.
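As an added illustration of the ordering rule described above (this is a constructed model, not code from the guide or from the switch), the following Python class accepts filters in any entry order, lists them in sequence order the way show config does, and evaluates a packet against them first-match-wins in sequence order. It supports only a subset of the seq syntax (ip/tcp/udp/icmp, any or host addresses, an optional eq port) and assumes an implicit deny at the end of the list, which is an assumption about the platform rather than a statement from this page.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Subset of the page's seq syntax handled by this constructed example:
#   seq <n> {deny|permit} {ip|tcp|udp|icmp} {any|host A} {any|host B} [eq <port>]
RULE_RE = re.compile(
    r"seq (\d+) (deny|permit) (ip|tcp|udp|icmp) "
    r"(any|host \S+) (any|host \S+)(?: eq (\d+))?$"
)


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or spec == f"host {addr}"


class ExtendedAcl:
    """Filters keyed by sequence number; evaluation order is by seq, not entry order."""

    def __init__(self):
        self.filters = {}

    def add(self, line: str) -> None:
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported filter syntax: {line!r}")
        seq, action, proto, src, dst, port = m.groups()
        self.filters[int(seq)] = (action, proto, src, dst, int(port) if port else None)

    def show_config(self):
        # Filters are listed by seq regardless of the order they were entered in.
        return [f"seq {s} {a} {p} {src} {dst}" + (f" eq {port}" if port else "")
                for s, (a, p, src, dst, port) in sorted(self.filters.items())]

    def evaluate(self, pkt: Packet):
        # First matching filter decides; returns (action, seq) or implicit deny.
        for seq, (action, proto, src, dst, port) in sorted(self.filters.items()):
            if proto != "ip" and proto != pkt.proto:
                continue
            if not _addr_match(src, pkt.src) or not _addr_match(dst, pkt.dst):
                continue
            if port is not None and port != pkt.dport:
                continue
            return action, seq
        return "deny", None  # assumed implicit deny at the end of the ACL
```

Entering seq 15 before seq 5 still yields seq 5 first in show_config and in evaluation, and the gap left by numbering in fives lets a seq 10 filter be inserted later without renumbering.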