Skip to main content

Extended ACLs

Extended ACLs 
11.2.2
Extended ACLs are used more often than standard ACLs because they provide a greater range of control. Extended ACLs check the source and destination packet addresses and can also check for protocols and port numbers. This gives greater flexibility to describe what the ACL will check. Access can be permitted or denied based on where a packet originates, its destination, protocol type, and port addresses. An extended ACL can simultaneously allow e-mail traffic from Fa0/0 to specific S0/0 destinations and deny file transfers and Web browsing. When packets are discarded, some protocols send an echo packet to the sender, stating that the destination was unreachable.
For a single ACL, multiple statements may be configured. Each statement should have the same access list number, to relate the statements to the same ACL. There can be as many condition statements as needed, limited only by the available router memory. Of course, the more statements there are, the more difficult it will be to comprehend and manage the ACL.
The syntax for the extended ACL statement can get very long and often will wrap in the terminal window. The wildcards also have the option of using the host or anykeywords in the command.
At the end of the extended ACL statement, an administrator can specify a TCP or UDP port number. The well-known port numbers for TCP/IP are shown in Figure . Logical operations may be specified such as, equal (eq), not equal (neq), greater than (gt), and less than (lt). The extended ACL will perform these operations on specific protocols. Extended ACLs use an access-list-number in the range 100 to 199 (also from 2000 to 2699 in recent IOS). In Cisco IOS Software Release 12.0.1, extended ACLs began using additional numbers (2000 to 2699) to provide a maximum of 799 possible extended ACLs. These additional numbers are referred to as expanded IP ACLs.
The ip access-group command links an existing extended ACL to an interface. Remember that only one ACL per interface, per direction, per protocol is allowed. The format of the command is as follows:
Router(config-if)#ip access-group access-list-number {in | out }
The Lab Activities on this page will help students plan, configure, and apply extended ACLs to filter network traffic.
The next page will describe named ACLs.

Comments

Post a Comment

Popular posts from this blog

OSI layers / Peer-to-peer communications / TCP/IP model

OSI layers 2.3.4 This page discusses the seven layers of the OSI model. The OSI reference model is a framework that is used to understand how information travels throughout a network. The OSI reference model explains how packets travel through the various layers to another device on a network, even if the sender and destination have different types of network media. In the OSI reference model, there are seven numbered layers, each of which illustrates a particular network function. - Dividing the network into seven layers provides the following advantages: • It breaks network communication into smaller, more manageable parts. • It standardizes network components to allow multiple vendor development and support. • It allows different types of network hardware and software to communicate with each other. • It prevents changes in one layer from affecting other layers. • It divides network communication into smaller parts to make learning it easier to understand. In the foll...
Post a Comment
Read more

Advantages and disadvantages of link-state routing

Advantages and disadvantages of link-state routing 2.1.5  This page lists the advantages and disadvantages of link-state routing protocols. The following are advantages of link-state routing protocols:  Link-state protocols use cost metrics to choose paths through the network. The cost metric reflects the capacity of the links on those paths. Link-state protocols use triggered updates and LSA floods to immediately report changes in the network topology to all routers in the network. This leads to fast convergence times. Each router has a complete and synchronized picture of the network. Therefore, it is very difficult for routing loops to occur. Routers use the latest information to make the best routing decisions. The link-state database sizes can be minimized with careful network design. This leads to smaller Dijkstra calculations and faster convergence. Every router, at the very least, maps the topology of it...
Post a Comment
Read more

Symmetric and asymmetric switching / Memory buffering

Symmetric and asymmetric switching   4.2.8  This page will explain the difference between symmetric and asymmetric switching. LAN switching may be classified as symmetric or asymmetric based on the way in which bandwidth is allocated to the switch ports. A symmetric switch provides switched connections between ports with the same bandwidth. An asymmetric LAN switch provides switched connections between ports of unlike bandwidth, such as a combination of 10-Mbps and 100-Mbps ports. Asymmetric switching enables more bandwidth to be dedicated to the server switch port in order to prevent a bottleneck. This allows smoother traffic flows where multiple clients are communicating with a server at the same time. Memory buffering is required on an asymmetric switch. The use of buffers keeps the frames contiguous between different data rate ports. The next page will discuss memory buffers. Memory buffering   4.2.9  This page will explain what a memory buffer is...
Post a Comment
Read more