Extended ACLs
Day 35
Standard ACLs
Unlike numbered ACLs, named ACLs are configured with subcommands in a separate config mode. In modern IOS, however, numbered ACLs can be configured in exactly the same way as named ACLs; in the running config file the ACL is still displayed as if it had been configured with the traditional method. Configuring ACLs in a separate config mode has several advantages:
- Individual entries in the ACL can easily be deleted with the command no followed by the entry's sequence number. When an ACL is configured from global config mode, individual entries cannot be deleted, only the whole ACL.
- The sequence number can be entered manually, which allows new entries to be inserted between existing entries.
- There is a resequencing function: the command ip access-list resequence followed by the ACL ID, the starting sequence number and the increment.
Extended ACLs
Extended ACLs function almost the same as standard ACLs. They can be numbered or named just like standard ACLs; the ranges for numbered extended ACLs are 100-199 and 2000-2699. They are more precise than standard ACLs because they can match traffic on more parameters. To configure a numbered extended ACL from global config mode, the command is access-list followed by a number, permit/deny, the protocol, the source address, the destination address, and so on. To configure from the separate config mode, the command is ip access-list extended followed by a name or a number; individual entries are then entered as usual. In extended ACLs, to specify a /32 source or destination address, either the host option or a wildcard mask of 0.0.0.0 can be used. Extended ACLs should be applied as close to the source as possible, to limit how far packets travel in the network before being denied.
Matching the port numbers
When matching TCP/UDP, source and/or destination port numbers can be specified after the address to match. For example:
- eq 80 - equal to port 80
- gt 80 - greater than 80
- lt 80 - less than 80
- neq 80 - not 80
- range 80 100 - from port 80 to port 100
You can also enter the protocol name instead of the port number. There are many more options, e.g.:
- ack - match the TCP ACK flag
- fin - match the TCP FIN flag
- syn - match the TCP SYN flag
- ttl - match packets with a specific TTL value
- dscp - match packets with a specific DSCP value