To define a standard IP access list, use the standard version of the access-list global configuration command. To remove a standard access lists, use the no form of this command.
access-list access-list-number {deny | permit} source [source-wildcard]
no access-list access-list-number
Caution: Enhancements to this command are backward compatible; migrating from releases prior to Release 10.3 will convert your access lists automatically. However, releases prior to Release 10.3 are not upwardly compatible with these enhancements. Therefore, if you save an access list with these images and then use software prior to Release 10.3, the resulting access list will not be interpreted correctly. This could cause you severe security problems. Save your old configuration file before booting these images.
Syntax Description
access-list-number Number of an access list. This is a decimal number from 1 to 99. deny Denies access if the conditions are matched. permit Permits access if the conditions are matched. source Number of the network or host from which the packet is being sent. There are two alternative ways to specify the source:
- Use a 32-bit quantity in four-part, dotted-decimal format.
- Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
source-wildcard
(Optional) Wildcard bits to be applied to the source. There are two alternative ways to specify the source wildcard:
- Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.
- Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
Default
The access list defaults to an implicit deny statement for everything. The access list is always terminated by an implicit deny statement for everything.
Command Mode
Global configuration
Usage Guidelines
This command first appeared in Cisco IOS Release 10.3.
Plan your access conditions carefully and be aware of the implicit deny statement at the end of the access list.
You can use access lists to control the transmission of packets on an interface, control virtual terminal line access, and restrict the contents of routing updates.
Use the show access-lists EXEC command to display the contents of all access lists.
Use the show ip access-list EXEC command to display the contents of one access list.
Examples
The following example of a standard access list allows access for only those hosts on the three specified networks. The wildcard bits apply to the host portions of the network addresses. Any host with a source address that does not match the access list statements will be rejected.
access-list 1 permit 192.5.34.0 0.0.0.255 access-list 1 permit 128.88.0.0 0.0.255.255 access-list 1 permit 36.0.0.0 0.255.255.255 ! (Note: all other access implicitly denied)To specify a large number of individual addresses more easily, you can omit the wildcard if it is all zeros. Thus, the following two configuration commands are identical in effect:
access-list 2 permit 36.48.0.3 access-list 2 permit 36.48.0.3 0.0.0.0