Extended ACLs
11.2.2
Extended ACLs are used more often than standard ACLs because they
provide a greater range of control. Extended ACLs check the source and
destination packet addresses and can also check for protocols and port numbers.
This gives greater flexibility to describe what the ACL will check. Access can
be permitted or denied based on where a packet originates, its destination,
protocol type, and port addresses. An extended ACL can simultaneously allow
e-mail traffic from Fa0/0 to specific S0/0 destinations and deny file transfers
and Web browsing. When packets are discarded, some protocols send an echo
packet to the sender, stating that the destination was unreachable. For a single ACL, multiple statements may be configured. Each statement should have the same access list number, to relate the statements to the same ACL. There can be as many condition statements as needed, limited only by the available router memory. Of course, the more statements there are, the more difficult it will be to comprehend and manage the ACL.
The syntax for the extended ACL statement can get very long and often will wrap in the terminal window. The wildcards also have the option of using the host or anykeywords in the command.
At the end of the extended ACL statement, an administrator can specify a TCP or UDP port number. The well-known port numbers for TCP/IP are shown in Figure . Logical operations may be specified such as, equal (eq), not equal (neq), greater than (gt), and less than (lt). The extended ACL will perform these operations on specific protocols. Extended ACLs use an access-list-number in the range 100 to 199 (also from 2000 to 2699 in recent IOS). In Cisco IOS Software Release 12.0.1, extended ACLs began using additional numbers (2000 to 2699) to provide a maximum of 799 possible extended ACLs. These additional numbers are referred to as expanded IP ACLs.
The ip access-group command links an existing extended ACL to an interface. Remember that only one ACL per interface, per direction, per protocol is allowed. The format of the command is as follows:
Router(config-if)#ip
access-group access-list-number {in | out }
The Lab Activities on this page will help students plan,
configure, and apply extended ACLs to filter network traffic.The next page will describe named ACLs.
No comments:
Post a Comment