Extended ACLs
Last updated
Extended ACLs function mostly the same as standard ACLs.
They can be numbered or named, just like standard ACLs.
Numbered ACLs use the following ranges: 100 - 199, 2000 - 2699
They are processed from top to bottom, just like standard ACLs.
However, they can match traffic based on more parameters, so they are more precise (and more complex) than standard ACLs.
We will focus on matching based on these main parameters: Layer 4 protocol/port, source address, and destination address.
R1(config)# access-list <number> [permit | deny] <protocol> <src-ip> <dst-ip>
R1(config)# ip access-list extended {<name> | <number>}
R1(config-ext-nacl)# [<seq-num>] [permit | deny] <protocol> <src-ip> <dst-ip>
When matching TCP/UDP, you can optionally specify the source and/or destination port numbers to match.
R1(config-ext-nacl)# deny tcp <src-ip> [eq | gt | lt | neq | range] <src-prt-num> <dst-ip> [eq | gt | lt | neq | range] <dst-port-num>
eq 80 = equal to port 80
gt 80 = greater than 80 (81 and greater)
lt 80 = less than 80 (79 and less)
neq 80 = not 80
range 80 100 = from port 80 to port 100
R1(config-ext-nacl)# deny tcp any host 1.1.1.1 eq 80
Deny all packets destined for IP address 1.1.1.1/32, TCP port 80
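To see how the pieces above fit together (protocol match, source/destination with host or wildcard mask, the eq/gt/lt/neq/range port operators, top-to-bottom first-match processing and the implicit deny at the end of every ACL), here is a small Python model of extended ACL evaluation. It is an added example written for these notes, not Cisco IOS code: the ACE and Packet classes, the sample ACL and the sample packets are all constructed for illustration, and the "10.0.0.0 0.0.0.255" wildcard-mask notation and the implicit deny follow standard IOS behaviour.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def port_matches(cond: Optional[Tuple], port: int) -> bool:
    """cond is None (any port) or one of ("eq", n), ("gt", n), ("lt", n),
    ("neq", n), ("range", (lo, hi)), mirroring the IOS port operators."""
    if cond is None:
        return True
    op, val = cond
    if op == "eq":
        return port == val
    if op == "gt":
        return port > val          # 81 and greater for "gt 80"
    if op == "lt":
        return port < val          # 79 and less for "lt 80"
    if op == "neq":
        return port != val
    if op == "range":
        lo, hi = val
        return lo <= port <= hi    # inclusive on both ends
    raise ValueError(f"unknown port operator {op}")


def addr_matches(spec: str, ip: str) -> bool:
    """spec is 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W' (address + wildcard mask)."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return ipaddress.IPv4Address(parts[1]) == ipaddress.IPv4Address(ip)
    network = int(ipaddress.IPv4Address(parts[0]))
    wildcard = int(ipaddress.IPv4Address(parts[1]))
    addr = int(ipaddress.IPv4Address(ip))
    # In a wildcard mask a 1 bit means "don't care"; only the 0 bits must match.
    care = 0xFFFFFFFF ^ wildcard
    return (addr & care) == (network & care)


@dataclass
class ACE:
    """One access control entry (constructed model, not an IOS structure)."""
    seq: int
    action: str                      # "permit" or "deny"
    protocol: str                    # "ip", "tcp", "udp", "icmp"
    src: str
    dst: str
    src_port: Optional[Tuple] = None  # only meaningful for tcp/udp
    dst_port: Optional[Tuple] = None


@dataclass
class Packet:
    protocol: str
    src_ip: str
    dst_ip: str
    src_port: int = 0
    dst_port: int = 0


def ace_matches(ace: ACE, pkt: Packet) -> bool:
    # "ip" matches every IP protocol; anything else must match exactly.
    if ace.protocol != "ip" and ace.protocol != pkt.protocol:
        return False
    if not addr_matches(ace.src, pkt.src_ip) or not addr_matches(ace.dst, pkt.dst_ip):
        return False
    if ace.protocol in ("tcp", "udp"):
        return port_matches(ace.src_port, pkt.src_port) and port_matches(ace.dst_port, pkt.dst_port)
    return True


def evaluate(acl: List[ACE], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Top to bottom, first match wins. Returns (action, seq); seq is None
    when nothing matched and the implicit deny at the end applied."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace_matches(ace, pkt):
            return ace.action, ace.seq
    return "deny", None


def to_ios(ace: ACE) -> str:
    """Render an ACE in the 'ip access-list extended' sub-mode syntax."""
    def port_str(cond):
        if cond is None:
            return ""
        op, val = cond
        return f" {op} {val[0]} {val[1]}" if op == "range" else f" {op} {val}"
    return (f"{ace.seq} {ace.action} {ace.protocol} {ace.src}{port_str(ace.src_port)}"
            f" {ace.dst}{port_str(ace.dst_port)}")


# Constructed sample ACL: the first entry is the one shown in the notes above.
EXAMPLE_ACL = [
    ACE(10, "deny", "tcp", "any", "host 1.1.1.1", dst_port=("eq", 80)),
    ACE(20, "permit", "tcp", "10.0.0.0 0.0.0.255", "any", dst_port=("range", (80, 100))),
    ACE(30, "permit", "udp", "any", "host 1.1.1.1", dst_port=("neq", 53)),
]

if __name__ == "__main__":
    for ace in EXAMPLE_ACL:
        print(to_ios(ace))
    print(evaluate(EXAMPLE_ACL, Packet("tcp", "10.0.0.5", "1.1.1.1", 40000, 80)))
    print(evaluate(EXAMPLE_ACL, Packet("tcp", "10.0.0.5", "2.2.2.2", 40000, 90)))
    print(evaluate(EXAMPLE_ACL, Packet("tcp", "192.168.1.1", "2.2.2.2", 40000, 90)))
```

Note that the same TCP packet to 1.1.1.1 port 80 is denied by entry 10 even though entry 20 would permit it: order decides, which is why a more specific deny is placed above a broader permit. A packet that matches no entry (the third one above, whose source is outside 10.0.0.0/24) is dropped by the implicit deny, with no entry in the ACL to count it against.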
Checking the configurations.