Access control list commands
Access control list (ACL) mode provides the commands to create or modify an ACL.
To enter the mode, use the global acl command. To delete an ACL, use the no acl command. For more information, see acl.
While in this mode, use the commands in the following table to modify the ACL.
- To view the current configuration, use the show command.
- To restore default values, use the reset command.
- To exit this configuration mode without saving changes to the running configuration, use the cancel command.
- To exit this configuration mode and save changes to the running configuration, use the exit command.
| Command | Purpose |
|---|---|
| admin-state | This command sets the administrative state for the configuration. |
| allow | This command identifies IP addresses to grant access. |
| deny | This command identifies IP addresses to deny access. |
allow
This command identifies IP addresses to grant access.
- Syntax
  - allow address/netmask
  - allow any
- Parameters
  - address/netmask
    Defines a range of IP addresses. Specify the IP address in the format specific to the IP family (IPv4 or IPv6). Specify the net mask in CIDR (slash) format. In CIDR format, the integer specifies the prefix length of the network portion of the address.
- Guidelines
  - The allow command defines the allow clauses for the ACL. This clause identifies which IP addresses to grant access. If the ACL contains only deny clauses, the last clause in the ACL must be the allow clause that grants access to all other IP addresses.
    - For only IPv4, specify allow any
    - For IPv4 and IPv6, specify allow ::/0
- Example
  - Enters ACL configuration mode for the Restricted ACL. Limits access to IP addresses 10.10.10.224 through 10.10.10.255, 192.168.14.1, and 10.10.100.1. All other IP addresses are denied access.

```
# acl Restricted
ACL configuration mode
# allow 10.10.10.0/27
# allow 192.168.14.1/32
# allow 10.10.100.1/32
# exit
```
deny
This command identifies IP addresses to deny access.
- Syntax
  - deny address/netmask
  - deny any
- Parameters
  - address/netmask
    Defines a range of IP addresses. Specify the IP address in the format specific to the IP family (IPv4 or IPv6). Specify the net mask in CIDR (slash) format. In CIDR format, the integer specifies the prefix length of the network portion of the address.
- Guidelines
  - The deny command defines a deny clause for the ACL. This clause identifies which IP addresses to deny access. When the ACL contains only deny clauses, the last clause in the ACL must be the allow clause that grants access to all other IP addresses.
    - For only IPv4, specify allow any
    - For IPv4 and IPv6, specify allow ::/0
- Example
  - Enters ACL configuration mode for the Public ACL. Denies access to IP addresses 10.0.0.0 through 10.255.255.255 and to addresses 192.168.0.0 through 192.168.255.255. All other IP addresses are granted access.

```
# acl Public
ACL configuration mode
# deny 10.0.0.0/8
# deny 192.168.0.0/16
# allow any
# exit
```
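The following script is an added example, not part of this documentation and not the product's own code. It models the allow and deny clauses described in both sections above so that an ACL can be checked offline before it is applied: it parses the clause lines exactly as they are typed in ACL configuration mode, evaluates sample addresses against them, expands each CIDR prefix to its first and last address as a sanity check, and flags an ACL that consists only of deny clauses or that contains a clause shadowed by an earlier one. Two points are assumptions of this model rather than statements on the page: clauses are evaluated top to bottom with the first match winning, and an address matched by no clause is denied (which is how the Restricted ACL example denies "all other IP addresses" without a final deny clause). The handling of `any` (IPv4 only) and `::/0` (IPv4 and IPv6) follows the guidelines above. The `RESTRICTED` and `PUBLIC` lists are constructed from the two examples on this page.

```python
"""Offline model of ACL allow/deny clauses (added example, not product code).

Assumptions not stated by the documentation:
  * clauses are evaluated top to bottom and the first match wins;
  * an address matched by no clause is denied.
"""
import ipaddress
from typing import List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

ANY_V4 = ipaddress.ip_network("0.0.0.0/0")
ANY_V6 = ipaddress.ip_network("::/0")


class Clause:
    """One allow/deny line. `nets` lists every network the clause covers."""

    def __init__(self, action: str, nets: List[Network]):
        self.action = action
        self.nets = nets

    def matches(self, addr) -> bool:
        # ipaddress returns False when an IPv4 address is tested against an
        # IPv6 network (and vice versa), so families never cross-match.
        return any(addr in net for net in self.nets)


def parse_acl(lines: List[str]) -> List[Clause]:
    """Parse 'allow|deny address/netmask' and 'allow any' lines into clauses."""
    clauses = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2 or parts[0] not in ("allow", "deny"):
            raise ValueError(f"unrecognized clause: {raw!r}")
        action, target = parts
        if target == "any":
            nets = [ANY_V4]            # per the guidelines: IPv4 only
        elif target == "::/0":
            nets = [ANY_V4, ANY_V6]    # per the guidelines: IPv4 and IPv6
        else:
            # strict=True rejects a prefix with host bits set (e.g. 10.1.2.3/24),
            # which in an ACL is almost always a typo worth catching early.
            nets = [ipaddress.ip_network(target, strict=True)]
        clauses.append(Clause(action, nets))
    return clauses


def evaluate(clauses: List[Clause], address: str) -> str:
    """Return 'allow' or 'deny' for one address: first match wins, default deny."""
    addr = ipaddress.ip_address(address)
    for clause in clauses:
        if clause.matches(addr):
            return clause.action
    return "deny"   # assumption: unmatched addresses are refused


def prefix_range(prefix: str) -> Tuple[str, str]:
    """Expand a CIDR prefix to its first and last address, as a sanity check."""
    net = ipaddress.ip_network(prefix, strict=True)
    return str(net.network_address), str(net.broadcast_address)


def lint_acl(clauses: List[Clause]) -> List[str]:
    """Flag an all-deny ACL (see the guidelines) and clauses that can never match."""
    warnings = []
    if clauses and all(c.action == "deny" for c in clauses):
        warnings.append("only deny clauses: every address is refused; end with "
                        "'allow any' (IPv4) or 'allow ::/0' (IPv4 and IPv6)")
    for j, later in enumerate(clauses):
        for earlier in clauses[:j]:
            # `later` is shadowed if each of its networks lies inside some
            # network of the same family in `earlier`.
            if all(any(n.version == e.version and n.subnet_of(e) for e in earlier.nets)
                   for n in later.nets):
                warnings.append(f"clause {j + 1} is unreachable: an earlier clause "
                                "already covers every address it names")
                break
    return warnings


# Constructed from the two examples on this page (the clause lines only).
RESTRICTED = ["allow 10.10.10.0/27", "allow 192.168.14.1/32", "allow 10.10.100.1/32"]
PUBLIC = ["deny 10.0.0.0/8", "deny 192.168.0.0/16", "allow any"]

if __name__ == "__main__":
    for name, lines in (("Restricted", RESTRICTED), ("Public", PUBLIC)):
        acl = parse_acl(lines)
        print(name, "->", lint_acl(acl) or "no warnings")
        for probe in ("10.10.10.5", "10.10.10.40", "192.168.14.1", "8.8.8.8", "2001:db8::1"):
            print(f"  {probe:>14} {evaluate(acl, probe)}")
    for prefix in ("10.10.10.0/27", "10.0.0.0/8", "192.168.0.0/16"):
        print(prefix, "covers", *prefix_range(prefix))
```

Running the script prints the verdict for each probe address under both ACLs together with the expanded address ranges, which is the quickest way to confirm that a prefix covers the hosts you intended before the ACL is committed with `exit`. Note that under this model `allow any` as the last clause of the Public ACL leaves IPv6 clients unmatched and therefore denied; replacing it with `allow ::/0` admits both families, as the guidelines describe.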