Extended ACLs

11.2.2
Extended ACLs are used more often than standard ACLs because they provide a greater range of control. Extended ACLs check both the source and the destination address of a packet and can also check the protocol and port numbers, which gives greater flexibility in describing what the ACL will match. Access can be permitted or denied based on where a packet originates, its destination, its protocol type, and its port numbers. An extended ACL can, for example, simultaneously permit e-mail traffic from Fa0/0 to specific S0/0 destinations while denying file transfers and Web browsing. When packets are discarded, some protocols send a message back to the sender stating that the destination was unreachable.
For a single ACL, multiple statements may be configured. Each statement should have the same access list number, to relate the statements to the same ACL. There can be as many condition statements as needed, limited only by the available router memory. Of course, the more statements there are, the more difficult it will be to comprehend and manage the ACL.
The syntax of an extended ACL statement can get very long and will often wrap in the terminal window. In place of an address and wildcard mask pair, the host and any keywords may be used in the command.
At the end of an extended ACL statement, an administrator can specify a TCP or UDP port number. The well-known TCP/IP port numbers are shown in the figure. A logical operator may also be specified: equal (eq), not equal (neq), greater than (gt), or less than (lt). The extended ACL applies these operators to the ports of specific protocols. Extended ACLs use an access-list-number in the range 100 to 199 (and also 2000 to 2699 in recent IOS). In Cisco IOS Software Release 12.0.1, extended ACLs began using the additional numbers 2000 to 2699, providing a maximum of 799 possible extended ACLs. These additional numbers are referred to as expanded IP ACLs.
The ip access-group command links an existing extended ACL to an interface. Remember that only one ACL per interface, per direction, per protocol is allowed. The format of the command is as follows:
Router(config-if)#ip access-group access-list-number {in | out}
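As an added illustration (not part of the curriculum text and not a Cisco tool), the following Python evaluates a constructed extended ACL the way a router applies one: wildcard-mask matching of source and destination, the eq/neq/gt/lt port operators, first-match processing, and the implicit deny at the end of the list. The ACL-number range check and the check that every statement carries the same number reflect the rules given above; ACL number 101, the addresses, the small port-name table, and the sample packets are all constructed values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, List

# Constructed example: a minimal evaluator for Cisco-style numbered extended
# ACL statements. It illustrates how a router applies the list (first match
# wins, implicit deny at the end, wildcard masks, eq/neq/gt/lt operators); it
# is not a Cisco tool and supports only the syntax shown on this page.

# A few well-known port names IOS accepts in place of numbers (partial list).
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "smtp": 25, "domain": 53, "www": 80}

# Address rule: (address, wildcard) as 32-bit ints; wildcard 1-bits are "don't care".
AddrRule = Tuple[int, int]


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp" or "icmp"
    src: AddrRule
    dst: AddrRule
    op: Optional[str] = None    # eq, neq, gt or lt (TCP/UDP only)
    port: Optional[int] = None  # destination port the operator compares against


def is_extended_number(number: int) -> bool:
    """Extended ACLs use 100-199 or the expanded range 2000-2699."""
    return 100 <= number <= 199 or 2000 <= number <= 2699


def parse_addr(tokens: List[str], i: int) -> Tuple[AddrRule, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (addr, wildcard), i + 2


def parse_ace(line: str) -> Tuple[int, Ace]:
    """Parse: access-list NUM {permit|deny} PROTO SRC DST [OP PORT]."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list statement: {line!r}")
    number = int(t[1])
    if not is_extended_number(number):
        raise ValueError(f"{number} is not an extended ACL number")
    src, i = parse_addr(t, 4)
    dst, i = parse_addr(t, i)
    op = port = None
    if i < len(t):
        op = t[i]
        if op not in ("eq", "neq", "gt", "lt"):
            raise ValueError(f"unsupported operator {op!r}")
        port = PORT_NAMES[t[i + 1]] if t[i + 1] in PORT_NAMES else int(t[i + 1])
    return number, Ace(t[2], t[3], src, dst, op, port)


def load_acl(lines: List[str]) -> Tuple[int, List[Ace]]:
    """Parse a whole list and check every statement carries the same number."""
    parsed = [parse_ace(line) for line in lines]
    numbers = {n for n, _ in parsed}
    if len(numbers) != 1:
        raise ValueError(f"statements belong to different ACLs: {sorted(numbers)}")
    return numbers.pop(), [ace for _, ace in parsed]


def addr_matches(rule: AddrRule, addr: str) -> bool:
    """Match when the packet address equals the rule address in every 0-bit of the wildcard."""
    base, wildcard = rule
    return (int(ipaddress.IPv4Address(addr)) | wildcard) == (base | wildcard)


def port_matches(op: Optional[str], rule_port: Optional[int], dport: Optional[int]) -> bool:
    if op is None:
        return True           # no operator: any port matches
    if dport is None:
        return False          # operator present but the packet has no port (e.g. ICMP)
    return {"eq": dport == rule_port, "neq": dport != rule_port,
            "gt": dport > rule_port, "lt": dport < rule_port}[op]


def evaluate(aces: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> str:
    """Return 'permit' or 'deny': the first matching statement wins, and a
    packet that matches nothing hits the implicit deny at the end."""
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if (addr_matches(ace.src, src) and addr_matches(ace.dst, dst)
                and port_matches(ace.op, ace.port, dport)):
            return ace.action
    return "deny"


# Constructed ACL matching the scenario in the text: permit e-mail (SMTP) from
# the 192.168.1.0/24 LAN to one mail server, deny FTP and Web browsing from
# that LAN to anywhere, and let the rest of its traffic through.
ACL_101 = [
    "access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 10.1.1.5 eq smtp",
    "access-list 101 deny tcp 192.168.1.0 0.0.0.255 any eq ftp",
    "access-list 101 deny tcp 192.168.1.0 0.0.0.255 any eq www",
    "access-list 101 permit ip 192.168.1.0 0.0.0.255 any",
]

if __name__ == "__main__":
    number, aces = load_acl(ACL_101)
    print(f"ACL {number}: {len(aces)} statements")
    for pkt in [("tcp", "192.168.1.10", "10.1.1.5", 25),
                ("tcp", "192.168.1.10", "172.16.5.9", 80),
                ("tcp", "10.0.0.1", "10.1.1.5", 25)]:
        print(pkt, "->", evaluate(aces, *pkt))
```

Note that the last packet, SMTP from a host outside 192.168.1.0/24, matches none of the four statements and is dropped by the implicit deny, which is why a list that is meant to pass other traffic needs an explicit final permit such as the one shown.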
The Lab Activities on this page will help students plan, configure, and apply extended ACLs to filter network traffic.
The next page will describe named ACLs.
