Creating or adding to a standard, numbered ACL
Use the following steps when creating or adding to a numbered, standard ACL:
- Create a numbered, standard ACL by entering the first ACE in the list.
- Append a new ACE to the end of an existing, standard ACL.
The following describes the commands for performing these steps.
This command is an alternative to using ip access-list standard <name-str> and does not use the "Named ACL" (nacl) context.
Syntax
access-list <1–99> {<deny | permit>} {<any | host <SA> | SA <mask | SA/mask-length>>} [log]
Appends an ACE to the end of the list of ACEs in the current IPv4 standard, numbered ACL. If the ACL does not already exist, creates both the ACL and its first ACE. In the default configuration, ACEs are automatically assigned consecutive sequence numbers in increments of 10 and can be renumbered using resequence (see Resequencing the ACEs in an ACL).
To insert a new ACE between two existing ACEs in a standard, numbered ACL:
- Use ip access-list standard <1–99> to open the ACL as a named ACL.
- Enter the desired sequence number along with the ACE keywords and variables you want.
(After a numbered ACL has been created, it can be managed as either a named or numbered ACL.)
<1–99>
Specifies the ACL identifier as a number. The switch interprets an ACL with a value in this range as a standard ACL (which filters all IPv4 traffic on the basis of SA). To create a standard access list with an alphanumeric name (name-str) instead of a number, see Configuring named, standard ACLs.
{<deny | permit>}
Specifies whether the ACE denies or permits a packet matching the criteria in the ACE, as described next.
{<any | host <SA> | SA <mask | SA/mask-length>>}
Defines the source IPv4 address (SA) a packet must carry for a match with the ACE.
any - Allows IPv4 packets from any SA.
host <SA> - Specifies only packets having <SA> as the source. Use this criterion when you want to match only the IPv4 packets from a single SA.
SA <mask> or SA/mask-length - Specifies packets received from an SA, where the SA is either a subnet or a group of IPv4 addresses. The mask format can be in either dotted-decimal format or CIDR format (number of significant bits). See How an ACE uses a mask to screen packets for matches.
SA mask application: The mask is applied to the SA in the ACE to define which bits in a packet's SA must exactly match the SA configured in the ACL and which bits need not match.
Example
10.10.10.1/24 and 10.10.10.1 0.0.0.255 both define any address in the range of 10.10.10.(1 - 255).
Specifying a group of contiguous addresses may require more than one ACE. For more on how masks operate in ACLs, see How an ACE uses a mask to screen packets for matches.
[log]
Optional. Generates an ACL log message when all of the following are true:
- The action is deny or permit.
- There is a match.
- ACL logging is enabled.