Access Control List Part-2


Extended ACLs:

Extended ACLs were introduced in Cisco IOS Release 8.3. Extended ACLs are used to control traffic by comparing the source and destination addresses of IP packets to the addresses configured in the ACL. Extended ACLs can also filter packets by protocol and port number, which allows finer-grained filtering.



■ Each statement in an ACL is known as an Access Control Entry (ACE).
■ ACEs are commonly called ACL statements.
■ The type of ACL determines what is filtered in the network.

■ Standard ACLs filter only on the source IP address.
■ Extended ACLs filter on source IP, destination IP, protocol number, and port number.
■ Use only one ACL per interface, per protocol (IPv4 or IPv6), per direction.
■ Put your most specific statements at the top of the ACL and the most general statements at the bottom.
■ The last test in any ACL is the implicit deny statement. We cannot see it in the configuration, but it is there.
■ Every ACL must have at least one permit statement. Otherwise, it denies everything.
■ Place extended ACLs as close as possible to the source network or device when applying them to an interface.
■ Place standard ACLs as close as possible to the destination network or device when applying them to an interface.
■ We can use numbers when creating a named ACL; the name we choose is the number. For example, ip access-list extended 150 creates an extended ACL named 150.
■ An ACL filters only traffic passing through the router, depending on how the ACL is applied.
■ Access lists applied to interfaces do not filter traffic that originates from the router itself.
■ When restricting Telnet access to the router itself, we use the access-class command on the vty lines rather than the ip access-group command, which is used when applying an ACL to a physical interface.
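The following Cisco IOS configuration is an added example, not part of the original page, that puts the rules above together: an extended ACL named by its number (150, as in the page), specific entries placed before general ones, a final permit so the implicit deny does not drop all remaining traffic, the ACL applied inbound on the interface nearest the source, and a separate standard ACL applied to the vty lines with access-class. The addresses (RFC 5737 documentation ranges), the interface name GigabitEthernet0/0, and the ACL name MGMT-HOSTS are constructed for illustration.

```cisco
! Extended ACL created with a number as its name (creates an extended ACL named 150)
ip access-list extended 150
 remark Most specific statements first, most general last
 ! One admin host may reach the server over SSH (protocol + port filtering)
 permit tcp host 192.0.2.10 host 198.51.100.5 eq 22
 ! The LAN may reach the server on HTTP and HTTPS
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.5 eq 80
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.5 eq 443
 ! Explicitly deny (and log) everything else from the LAN to that server
 deny ip 192.0.2.0 0.0.0.255 host 198.51.100.5 log
 ! General permit at the bottom: without at least one permit, the implicit deny drops all traffic
 permit ip any any
!
! Extended ACLs go close to the source: apply inbound on the LAN-facing interface
interface GigabitEthernet0/0
 description LAN-facing interface (assumed name)
 ip access-group 150 in
!
! Restricting Telnet/SSH to the router itself uses access-class on the vty lines,
! not ip access-group on a physical interface
ip access-list standard MGMT-HOSTS
 permit host 192.0.2.10
 deny any log
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
```

Note that ACL 150 only affects traffic passing through the router on GigabitEthernet0/0; packets the router itself generates are not evaluated against it, which is why management access is restricted separately on the vty lines.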
