Extended ACLs

Day 35

Standard ACLs

Unlike numbered ACLs, named ACLs are configured with subcommands in a separate config mode. But in modern IOS, numbered ACLs can be configured in the exact same way as named ACLs. In the running config file, however, the ACL is displayed as it is configured using the traditional method. There are some advantages of configuring ACLs in a separate config mode:

Individual entries in the ACL can easily be deleted using the command no followed by the entry number. When configured from global config mode, individual entries cannot be deleted, only the whole ACL.
The sequence number can be entered manually. This allows inserting new entries in between other entries.
There is a resequencing function. The command is ip access-list resequence followed by ACL ID, starting sequence number, and increment.

Extended ACLs

Extended ACLs function almost the same as standard ACLs. They can be numbered or named just like standard ACLs. The ranges for numbered ACLs are 100-199 and 2000-2699. They are more precise than standard ACLs since they can match traffic based on more parameters. To configure numbered extended ACL, the command is access-list followed by a number, permit/deny, protocol, source, destination IP, etc. To configure from a separate config mode, the command is ip access-list extended followed by a name or a number. Then individual entries are entered as usual. In extended ACLs, to specify a /32 source or destination address, the host option or wildcard mask should be used. Extended ACLs should be applied as close to the source as possible, to limit how far the packets travel in the network before being denied.