This document summarizes Cisco IOS IP access control lists (ACLs): the syntax for standard and extended ACLs, the supported source/destination definitions, TCP/UDP port definitions, and the options for applying and troubleshooting ACLs. Standard ACLs filter on source IP address only, while extended ACLs can also filter on protocol, source/destination ports, TCP flags, and other options. Individual ACL entries are configured with a number or name, an optional sequence number, and an action (permit or deny); entries are evaluated in sequence order, the first match wins, and every ACL ends with an implicit deny of any traffic not explicitly permitted.
IP ACCESS LISTS CCNA4.com

Standard IP ACL Syntax
! Legacy syntax
access-list <number> {permit | deny} <source> [log]
! Modern syntax
ip access-list standard {<number> | <name>}
 [<sequence>] {permit | deny} <source> [log]

Extended IP ACL Syntax
! Legacy syntax
access-list <number> {permit | deny} <protocol> <source> [<ports>] <destination> [<ports>] [<options>]
! Modern syntax
ip access-list extended {<number> | <name>}
 [<sequence>] {permit | deny} <protocol> <source> [<ports>] <destination> [<ports>] [<options>]

Actions
permit     Allow matched packets
deny       Deny matched packets
remark     Record a config comment
evaluate   Evaluate a reflexive ACL

ACL Numbers
1-99, 1300-1999     IP standard
100-199, 2000-2699  IP extended
200-299             Protocol
300-399             DECnet
400-499             XNS
500-599             Extended XNS
600-699             Appletalk
700-799             Ethernet MAC
800-899             IPX standard
900-999             IPX extended
1000-1099           IPX SAP
1100-1199           MAC extended
1200-1299           IPX summary

Source/Destination Definitions
any                 Any address
host <address>      A single address
<network> <mask>    Any address matched by the wildcard mask

IP Options
dscp <DSCP>         Match packets with the given DSCP value
fragments           Check non-initial fragments
option <option>     Match packets with the specified IP option
precedence <0-7>    Match packets with the given precedence value
ttl <count>         Match packets with the given Time To Live

TCP/UDP Port Definitions
eq <port>              Equal to
neq <port>             Not equal to
lt <port>              Less than
gt <port>              Greater than
range <port> <port>    Matches a range of port numbers

TCP Options
ack            Match ACK flag
fin            Match FIN flag
psh            Match PSH flag
rst            Match RST flag
syn            Match SYN flag
urg            Match URG flag
established    Match TCP packets with the ACK or RST bit set, i.e. packets that look like part of an already established session (a stateless flag check, not session tracking; use a reflexive ACL for real return-traffic filtering)

Miscellaneous Options
reflect <name>       Create a reflexive ACL
time-range <name>    Enable rule only during the specified time range

Logging Options
log          Log ACL entry matches
log-input    Log matches with ingress interface and source MAC

Applying ACLs to Restrict Traffic
interface FastEthernet0/0
 ip access-group {<number> | <name>} {in | out}

Troubleshooting
show access-lists {<number> | <name>}
show ip access-lists {<number> | <name>}
show ip access-lists interface <interface>
show ip access-lists dynamic
show ip interface [<interface>]
show time-range [<name>]
by Jeremy Stretch v1.1
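The following evaluator is an added example, not part of the cheat sheet above and not Cisco or vendor code. It parses ACL entries written in both the legacy and the modern syntax listed above (any / host / network-wildcard address definitions, the eq/neq/lt/gt/range port operators, remark lines, and the established keyword) and applies IOS semantics to sample packets: entries are tried in sequence order, the first match wins, and a packet that matches nothing hits the implicit deny. The ACL name OUTSIDE-IN, the sample configuration and the packets are constructed for the example and use documentation address ranges; log, time-range, reflect, dscp, ttl and the other IP options are accepted on the page but not modelled here. The last case shows why the established keyword is only a flag check: an ACK-only probe to a port that is otherwise denied is permitted by the entry meant for return traffic.

```python
"""Offline evaluator for Cisco IOS style IP access lists (added example, not
code from the cheat sheet): parses the legacy and modern syntax summarised above
and applies IOS semantics (sequence order, first match wins, implicit final deny)."""
import ipaddress
from collections import namedtuple

ANY = (0, 0xFFFFFFFF)                      # network 0 with an all-ones wildcard
PORT_OPS = {"eq": lambda p, n: p == n, "neq": lambda p, n: p != n,
            "lt": lambda p, n: p < n, "gt": lambda p, n: p > n}
Packet = namedtuple("Packet", "proto src dst sport dport flags",
                    defaults=(0, 0, frozenset()))   # flags: set of TCP flags present
Rule = namedtuple("Rule", "seq action proto src dst sport dport established",
                  defaults=(None, None, False))

def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, net, wild):
    """Wildcard bit 1 = don't care, 0 = that bit must equal the network bit."""
    return ((ip_int(addr) ^ net) & ~wild & 0xFFFFFFFF) == 0

def parse_address(tok):
    """Consume one 'any' / 'host <addr>' / '<network> <wildcard>' definition."""
    if tok[0] == "any":
        return ANY, tok[1:]
    if tok[0] == "host":
        return (ip_int(tok[1]), 0), tok[2:]
    return (ip_int(tok[0]), ip_int(tok[1])), tok[2:]

def parse_port(tok):
    """Consume an optional eq/neq/lt/gt/range operator into a predicate."""
    if tok and tok[0] == "range":
        lo, hi = int(tok[1]), int(tok[2])
        return (lambda p: lo <= p <= hi), tok[3:]
    if tok and tok[0] in PORT_OPS:
        op, n = PORT_OPS[tok[0]], int(tok[1])
        return (lambda p: op(p, n)), tok[2:]
    return None, tok

def parse_acl(text):
    """Return {acl name or number: [Rule, ...]} from configuration text."""
    acls, kinds, current = {}, {}, None
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "!":
            continue
        if tok[0] == "access-list":                  # legacy syntax
            name, body = tok[1], tok[2:]             # 1-99 and 1300-1999 are standard
            kinds[name] = "standard" if int(name) <= 99 or 1300 <= int(name) <= 1999 else "extended"
        elif tok[:2] == ["ip", "access-list"]:       # modern syntax header
            current, kinds[tok[3]] = tok[3], tok[2]
            continue
        else:                                        # entry under that header
            name, body = current, tok
        rules = acls.setdefault(name, [])
        seq = int(body.pop(0)) if body[0].isdigit() else (rules[-1].seq + 10 if rules else 10)
        action = body.pop(0)
        if action == "remark":                       # comments never match
            continue
        if kinds[name] == "standard":                # standard: source address only
            src, body = parse_address(body)
            rules.append(Rule(seq, action, "ip", src, ANY))
            continue
        proto, body = body[0], body[1:]
        src, body = parse_address(body)
        sport, body = parse_port(body)
        dst, body = parse_address(body)
        dport, body = parse_port(body)
        rules.append(Rule(seq, action, proto, src, dst, sport, dport, "established" in body))
    return acls

def matches(rule, pkt):
    if rule.proto not in ("ip", pkt.proto):
        return False
    if not (wildcard_match(pkt.src, *rule.src) and wildcard_match(pkt.dst, *rule.dst)):
        return False
    if (rule.sport and not rule.sport(pkt.sport)) or (rule.dport and not rule.dport(pkt.dport)):
        return False
    # 'established' is stateless: it only asks whether ACK or RST is set.
    return not rule.established or bool(pkt.flags & {"ack", "rst"})

def evaluate(rules, pkt):
    """First matching entry wins; returns (action, seq), seq None = implicit deny."""
    for rule in sorted(rules, key=lambda r: r.seq):
        if matches(rule, pkt):
            return rule.action, rule.seq
    return "deny", None

# Constructed sample configuration (hypothetical ACL names, documentation addresses).
SAMPLE_CONFIG = """
access-list 10 permit 192.168.1.0 0.0.0.255
ip access-list extended OUTSIDE-IN
 remark return traffic for inside-initiated sessions, plus public HTTPS
 10 permit tcp any any established
 20 permit tcp any host 203.0.113.10 eq 443
 30 deny ip any any log
"""
ACLS = parse_acl(SAMPLE_CONFIG)

if __name__ == "__main__":
    probe = Packet("tcp", "198.51.100.7", "203.0.113.10", 51000, 22, frozenset({"ack"}))
    print(evaluate(ACLS["OUTSIDE-IN"], probe))  # ('permit', 10): the ACK probe to port 22 gets through
```

Feeding a SYN to port 443 returns the expected permit from entry 20 and a SYN to port 22 is caught by the explicit deny at 30, but the same port 22 probe with only ACK set matches entry 10 first. Standard ACL 10 has no explicit deny, so a source outside 192.168.1.0/24 comes back as a deny with no sequence number, which is the implicit deny at work.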