15 – Extended Access List

Posted by Mo7sin in Access List, CCNAX (200 - 120) On 26/01/2012 at 1:05 AM


Extended ACLs were introduced in Cisco IOS Software Release 8.3. Extended ACLs control traffic by comparing the source and destination addresses of IP packets with the addresses configured in the ACL.

This is the command syntax format of extended ACLs. Lines are wrapped here for spacing considerations.
IP

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny|permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log|log-input] [time-range time-range-name]

ICMP

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny|permit} icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] |icmp-message] [precedence precedence] [tos tos] [log|log-input] [time-range time-range-name]

TCP

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny|permit} tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [established] [precedence precedence] [tos tos] [log|log-input] [time-range time-range-name]

UDP

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny|permit} udp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [precedence precedence] [tos tos] [log|log-input] [time-range time-range-name]

In all software releases, the access-list-number can be 101 to 199. Starting with Cisco IOS Software Release 12.0.1, extended ACLs can also use the additional numbers 2000 to 2699; these additional numbers are referred to as expanded IP ACLs. Cisco IOS Software Release 11.2 added the ability to use a list name instead of a number in extended ACLs.

A source or destination of 0.0.0.0 255.255.255.255 (address and all-ones wildcard, so every address matches) can be written as the keyword any. After the ACL is defined, it must be applied to an interface in a direction (inbound or outbound). In early software releases, out was the default when neither the out nor the in keyword was specified; in later software releases the direction must be specified.

interface <interface>
 ip access-group {number|name} {in|out}

This extended ACL permits traffic to the 10.1.1.x network (inside) and lets ping responses from the outside reach it, while blocking unsolicited pings from hosts outside; all other traffic is permitted.

interface Ethernet0/1
 ip address 172.16.1.2 255.255.255.0
 ip access-group 101 in
access-list 101 deny icmp any 10.1.1.0 0.0.0.255 echo
access-list 101 permit ip any 10.1.1.0 0.0.0.255

Note: Some applications such as network management require pings for a keepalive function. If this is the case, you might wish to limit blocking
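To make the matching rules concrete, here is an added Python example (not from the original post and not Cisco code) that parses the two ACL 101 lines above, applies wildcard masks the way the router does, and evaluates packets top-down with the implicit deny at the end. Assumptions: the sample packet addresses are constructed, and port operators are not handled because ACL 101 uses none.

```python
import ipaddress

# Constructed input: the two ACL 101 lines from the post's example, as IOS text.
ACL_101_TEXT = """
access-list 101 deny icmp any 10.1.1.0 0.0.0.255 echo
access-list 101 permit ip any 10.1.1.0 0.0.0.255
"""

def parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'; return (base, wildcard) ints."""
    tok = tokens.pop(0)
    if tok == "any":                                     # any == 0.0.0.0 255.255.255.255
        return 0, 0xFFFFFFFF
    if tok == "host":                                    # host X == X 0.0.0.0
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_acl(text):
    """Parse numbered extended ACL lines (assumption: no port operators; ACL 101 has none)."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()                                 # access-list N action proto src ... dst ...
        action, proto, rest = t[2], t[3], t[4:]
        src, src_wc = parse_addr(rest)
        dst, dst_wc = parse_addr(rest)
        icmp_msg = rest[0] if rest else None             # 'echo' here; None = any ICMP message
        entries.append((action, proto, src, src_wc, dst, dst_wc, icmp_msg))
    return entries

def wildcard_match(addr, base, wildcard):
    """Wildcard bit 1 = don't care: only bits where the wildcard is 0 must equal the base."""
    return ((addr ^ base) & ~wildcard & 0xFFFFFFFF) == 0

def evaluate(acl, proto, src, dst, icmp_msg=None):
    """Top-down, first match wins; no match falls through to the implicit deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for action, p, b_s, wc_s, b_d, wc_d, msg in acl:
        if p != "ip" and p != proto:                     # 'ip' matches every IP protocol
            continue
        if not (wildcard_match(s, b_s, wc_s) and wildcard_match(d, b_d, wc_d)):
            continue
        if msg is not None and msg != icmp_msg:
            continue
        return action
    return "deny"
ACL_101 = parse_acl(ACL_101_TEXT)

if __name__ == "__main__":                               # constructed packets, inbound on Ethernet0/1
    print(evaluate(ACL_101, "icmp", "172.16.1.9", "10.1.1.5", "echo"))        # deny
    print(evaluate(ACL_101, "icmp", "172.16.1.9", "10.1.1.5", "echo-reply"))  # permit
    print(evaluate(ACL_101, "tcp", "192.0.2.7", "10.1.2.5"))                  # deny (implicit)
```

The third packet is denied not by an explicit entry but by the implicit deny, which is why a destination outside 10.1.1.0/24 never matches ACL 101.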
