User's Manual

Use the access list by following these steps:
(7) Create the access list by designating the access list name and conditions.
(8) Apply the access list to the interface.
53.2.2 Creating Standard and Extensible IP Access List
Use a character string to create an IP access list.
Note:
The standard access list and the extensible access list cannot have the same name.
Run the following command in global configuration mode to create a standard access list:
Command: ip access-list standard name
Purpose: Use a name to define a standard access list.

Command: deny [reverse-mask] {source [source-mask] | any} [log] [location] or permit [reverse-mask] {source [source-mask] | any} [log] [location]
Purpose: Designate one or multiple permit/deny conditions in standard access list configuration mode. The previous setting decides whether the packet is approved or disapproved.

Command: Exit
Purpose: Log out from the access list configuration mode.
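The following Python model is an added example, not part of this manual or of the device software. It shows how a list of standard permit/deny conditions can be checked offline before it is applied. It assumes that the first matching condition wins, that source-mask is a netmask unless reverse-mask is given, that a source without a mask means one host, and that unmatched packets are denied; the addresses are constructed.

```python
import ipaddress

OPTIONS = {"log", "location"}  # trailing options from the syntax; ignored by this model
ALL_BITS = 0xFFFFFFFF

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def parse_condition(line):
    """Parse '{deny|permit} [reverse-mask] {source [source-mask] | any}'
    into (action, source, care_bits)."""
    tokens = [t for t in line.split() if t not in OPTIONS]
    if len(tokens) < 2 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"not a permit/deny condition: {line!r}")
    action, rest = tokens[0], tokens[1:]
    reverse = rest[0] == "reverse-mask"
    if reverse:
        rest = rest[1:]
    if not rest:
        raise ValueError(f"missing source: {line!r}")
    if rest[0] == "any":
        return action, 0, 0                  # no bits compared: matches everything
    source = _ip(rest[0])
    if len(rest) == 1:
        return action, source, ALL_BITS      # assumption: no mask means one host
    mask = _ip(rest[1])
    # Assumption: source-mask is a netmask unless reverse-mask marks it as a wildcard.
    care = (~mask & ALL_BITS) if reverse else mask
    return action, source, care

def evaluate(conditions, packet_source):
    """Return the action of the first matching condition (assumed: first match wins)."""
    addr = _ip(packet_source)
    for line in conditions:
        action, source, care = parse_condition(line)
        if (addr & care) == (source & care):
            return action
    return "deny"                            # assumption: unmatched packets are denied

# Constructed sample list; addresses are illustrative only.
ACL = [
    "deny 10.1.1.50",
    "permit 10.1.1.0 255.255.255.0",
    "permit reverse-mask 10.2.0.0 0.0.255.255 log",
    "deny any log",
]

if __name__ == "__main__":
    for src in ("10.1.1.50", "10.1.1.7", "10.2.33.4", "172.16.0.1"):
        print(src, evaluate(ACL, src))
```

Under these assumptions, a wildcard-style mask written without reverse-mask (for example permit 10.2.0.0 0.0.255.255) matches on the low 16 bits only, so it misses 10.2.33.4 and admits unrelated sources such as 192.168.0.0; reviewing the mask form and the order of conditions catches both mistakes.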
Run the following command in global configuration mode to create an extensible access list.
Command: ip access-list extended name
Purpose: Use a name to define an extensible IP access list.

Command: {deny|permit} [reverse-mask] protocol source source-mask destination destination-mask [precedence precedence] [tos tos] [log] [offset-zero] [offset-not-zero] [time-range rangename] [totallen {eq | gt | lt} totallen] [ttl {eq | gt | lt} ttl] [donotfragment-set] [donotfragment-notset] [is-fragment] [not-fragment] [location] [dest-portrange] [established]
Purpose: Designate one or multiple permit/deny conditions in extensible access list configuration mode. The previous setting decides whether the packet is approved or disapproved. precedence means the priority of the IP packet; TOS means Type of Service; offset-zero / offset-not-zero means whether the IP packet's fragment offset is 0; is-fragment / not-fragment means whether the IP packet is fragmented; donotfragment-notset / donotfragment-set means whether IP packet