Creating or adding to a standard, numbered ACL

Use the following steps when creating or adding to a numbered, standard ACL:

Procedure
  1. Create a numbered, standard ACL by entering the first ACE in the list.
  2. Append a new ACE to the end of an existing, standard ACL.

The following describes the commands for performing these steps.

This command is an alternative to using ip access-list standard <name-str> and does not use the "Named ACL" (nacl) context.

Syntax

access-list <1–99> {<deny | permit>}
{<any | host <SA> | SA <mask | SA/mask-length>>} [log]

Appends an ACE to the end of the list of ACEs in the current IPv4 standard, numbered ACL. If the ACL does not already exist, creates both the ACL and its first ACE. In the default configuration, ACEs are automatically assigned consecutive sequence numbers in increments of 10 and can be renumbered using resequence (see Resequencing the ACEs in an ACL).

NOTE:

To insert a new ACE between two existing ACEs in a standard, numbered ACL:

  • Use ip access-list extended <1 - 99> to open the ACL as a named ACL.

  • Enter the desired sequence number along with the ACE keywords and variables you want.

(After a numbered ACL has been created, it can be managed as either a named or numbered ACL.)


<1–99>

Specifies the ACL identifier as a number. The switch interprets an ACL with a value in this range as a standard ACL (which filters all IPv4 traffic on the basis of SA). To create a standard access list with an alphanumeric name (<name-str>) instead of a number, see Configuring named, standard ACLs.


{<deny | permit>}

Specifies whether the ACE denies or permits a packet matching the criteria in the ACE, as described next.


{<any | host <SA> | SA <mask | SA/mask-length>>}

Defines the source IPv4 address (SA) a packet must carry for a match with the ACE.

  • any

    - Allows IPv4 packets from any SA.

  • host <SA>

    - Specifies only packets having <SA> as the source. Use this criterion when you want to match only the IPv4 packets from a single SA.

  • SA <mask> or SA/<mask-length>

    - Specifies packets received from an SA, where the SA is either a subnet or a group of IPv4 addresses. The mask can be given in either dotted-decimal format or CIDR format (number of significant bits). See How an ACE uses a mask to screen packets for matches.

SA mask application: The mask is applied to the SA in the ACE to define which bits in a packet's SA must exactly match the SA configured in the ACL and which bits need not match.

Example

10.10.10.1/24 and 10.10.10.1 0.0.0.255 both define any address in the range 10.10.10.1 through 10.10.10.255.

NOTE:

Specifying a group of contiguous addresses may require more than one ACE. For more on how masks operate in ACLs, see How an ACE uses a mask to screen packets for matches.


[log]

This option can be used after the SA to generate an Event Log message if:
  • The action is deny or permit.

  • There is a match.

  • ACL logging is enabled.

(See Enabling ACL logging on the switch.)
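As an added illustration (not code from the switch documentation), the following Python model parses access-list lines in the syntax above, assigns the default sequence numbers (10, 20, 30 ...), and matches a packet's SA against each ACE's mask, showing why 10.10.10.1/24 and 10.10.10.1 0.0.0.255 select the same addresses. First-match evaluation and the implicit deny at the end of an ACL are assumed from standard ACL behaviour; they are not stated on this page, and the sample ACL is constructed for the example.

```python
import ipaddress

def parse_ace(line):
    """Parse 'access-list <1-99> {deny|permit} <source> [log]' -> (number, action, network, log)."""
    tokens = line.split()
    number, action = int(tokens[1]), tokens[2]
    if tokens[0] != "access-list" or not 1 <= number <= 99:
        raise ValueError(f"not a standard (1-99) numbered ACE: {line!r}")
    log = tokens[-1] == "log"
    src = tokens[3:-1] if log else tokens[3:]
    if src == ["any"]:
        network = ipaddress.ip_network("0.0.0.0/0")
    elif len(src) == 2 and src[0] == "host":
        network = ipaddress.ip_network(f"{src[1]}/32")
    elif len(src) == 1 and "/" in src[0]:                 # SA/mask-length (CIDR)
        network = ipaddress.ip_network(src[0], strict=False)
    elif len(src) == 2:                                   # SA wildcard-mask (dotted-decimal)
        wildcard = int(ipaddress.ip_address(src[1]))
        if wildcard & (wildcard + 1):   # only contiguous low-order ones map to one prefix
            raise ValueError(f"non-contiguous wildcard mask {src[1]}")
        # strict=False zeroes the host bits, so 10.10.10.1/24 becomes 10.10.10.0/24
        network = ipaddress.ip_network(f"{src[0]}/{32 - wildcard.bit_length()}", strict=False)
    else:
        raise ValueError(f"bad source specifier {' '.join(src)!r}")
    return number, action, network, log

def build_acl(lines):
    """Append ACEs in the order entered; sequence numbers run 10, 20, 30 ... (switch default)."""
    acl = {}
    for line in lines:
        number, action, network, log = parse_ace(line)
        entries = acl.setdefault(number, [])
        entries.append((10 * (len(entries) + 1), action, network, log))
    return acl

def evaluate(acl, number, src_ip):
    """First ACE whose source matches decides; no match falls to the implicit deny (assumed)."""
    ip = ipaddress.ip_address(src_ip)
    for seq, action, network, log in acl.get(number, []):
        if ip in network:
            return seq, action, log
    return None, "deny", False

# Constructed sample ACL 10: deny and log one host, permit the rest of its /24, permit a /16.
SAMPLE_ACL = build_acl([
    "access-list 10 deny host 10.10.10.5 log",
    "access-list 10 permit 10.10.10.1 0.0.0.255",
    "access-list 10 permit 192.168.0.0/16",
])
```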