Extended IP Access Lists

Although the same rules apply for all access lists, extended access lists allow for a far greater level of control because decisions are made at higher layers of the OSI model: in addition to the source address, an extended list can match on the destination address, the IP protocol, and (for TCP and UDP) the source and destination ports.

The following is the syntax of an extended access-list command and of the command that applies the list to an interface:

access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [established] [log]

ip access-group access-list-number {in | out}

For the tcp and udp protocols, an optional port operator (for example, eq 23) may follow the source address/wildcard pair and the destination address/wildcard pair.

The access-list-number value must be between 100 and 199 to create an extended access list.

Figure 2-5 The Placement of a Standard Access List—Correct Placement (figure not reproduced; the configuration it shows is)
access-list 10 deny 10.10.10.0 0.0.0.255
access-list 10 permit any
interface E0
ip access-group 10 out

Table 2-2 explains the previous syntax.

Table 2-2 Extended access-list Command Explanation

Command / Description

access-list access-list-number
    Gives the number of an access list. This is a decimal number from 100 to 199.

{deny | permit}
    Denies or permits access if the conditions are matched.

protocol
    Names the IP protocol to match: ip (any IP protocol), tcp, udp, icmp, or another protocol keyword or number.

source source-wildcard
    Gives the source address and the wildcard mask. The keyword any stands for 0.0.0.0 255.255.255.255, and host A.B.C.D stands for A.B.C.D 0.0.0.0.

destination destination-wildcard
    Gives the destination address and the wildcard mask, with the same any and host shorthands.

[precedence precedence]
    (Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7, or by name, as listed on the CCO web page in the section "Usage Guidelines."

[tos tos]
    (Optional) Packets can be filtered by type of service level, as specified by a number from 0 to 15, or by name, as listed on the CCO web page in the section "Usage Guidelines."

[established]
    (Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The nonmatching case is that of the initial TCP datagram to form a connection.

[log]
    (Optional) Generates access list logging messages for packets that match the entry, including violations.

In recent versions of Cisco IOS, many additional options have been added for creating access lists. These include named access lists, as well as the capability to restrict an access list to a time range. These are outside the scope of this exam and, therefore, of this exam guide. For further details, refer to the Cisco CCO web pages for the "Managing the System" chapter in the Configuration Fundamentals Configuration Guide.

WARNING When using extended access lists to prevent application connections, it is easy to become confused. TCP and UDP are the common protocols, and for both, an entry may include an optional source port and an optional destination port. A common mistake is to try to block Telnet by specifying a source port of 23 instead of a destination port of 23. The client's source port is an ephemeral port, so an entry that matches source port 23 never sees the connection request.

When using extended access lists, it is important to consider the sequence of conditions within the list. Because top-down logic is employed, processing stops at the first entry that matches, so a permit placed before a more specific deny makes that deny unreachable, and the ordering of the list can alter its entire purpose. A packet that matches no entry is dropped by the implicit deny at the end of every access list.
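The following Python program is an added example, not code from the book or from Cisco: it parses the subset of the extended access-list syntax shown above (list number, permit or deny, protocol, address/wildcard pairs with the any and host shorthands, an optional eq port operator, and established) and evaluates constructed packets against constructed lists top-down with the implicit deny. It reproduces both pitfalls from the text, the source-port-23 mistake in the warning and a deny that becomes unreachable when placed after permit ip any any. The addresses, ports, and list numbers are made up for illustration.

```python
"""Toy evaluator for Cisco-style extended IP access lists (added example, not
from the book). Parses 'access-list <100-199> {permit|deny} <protocol> <src>
<src-wc> [eq <port>] <dst> <dst-wc> [eq <port>] [established]' with 'any' and
'host A.B.C.D' shorthands, then evaluates packets top-down, first match wins."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False   # TCP ACK or RST set, i.e. not the initial SYN

@dataclass
class Entry:
    action: str
    proto: str
    src: Tuple[int, int]        # (address, wildcard mask) as integers
    dst: Tuple[int, int]
    sport: Optional[int]
    dport: Optional[int]
    established: bool

def _addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return (addr, wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))

def _port(tokens):
    """Consume an optional 'eq <port>' operator; return the port or None."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return None

def parse(line):
    """Parse one extended access-list line; reject numbers outside 100-199."""
    tokens = line.split()
    if tokens[0] != "access-list" or not 100 <= int(tokens[1]) <= 199:
        raise ValueError("extended numbered lists use 100 to 199: " + line)
    action, proto, rest = tokens[2], tokens[3], tokens[4:]
    if action not in ("permit", "deny"):
        raise ValueError("expected permit or deny: " + line)
    src, sport = _addr(rest), _port(rest)   # left-to-right consumption of tokens
    dst, dport = _addr(rest), _port(rest)
    return Entry(action, proto, src, dst, sport, dport, "established" in rest)

def _addr_match(addr_wc, packet_addr):
    """Wildcard-mask semantics: a 1 bit means that bit is not compared."""
    addr, wc = addr_wc
    return (addr | wc) == (int(ipaddress.IPv4Address(packet_addr)) | wc)

def matches(e, p):
    return (e.proto in ("ip", p.proto)
            and _addr_match(e.src, p.src) and _addr_match(e.dst, p.dst)
            and e.sport in (None, p.sport) and e.dport in (None, p.dport)
            and (p.ack or not e.established))

def evaluate(acl_text, pkt):
    """Return 'permit' or 'deny': entries are tried in order, first match wins."""
    for line in acl_text.strip().splitlines():
        entry = parse(line)
        if matches(entry, pkt):
            return entry.action
    return "deny"   # implicit deny at the end of every access list

# Constructed sample lists; addresses and list numbers are made up.
WRONG_TELNET_ACL = ("access-list 101 deny tcp any eq 23 any\n"      # source port 23: the mistake
                    "access-list 101 permit ip any any")
RIGHT_TELNET_ACL = ("access-list 101 deny tcp any any eq 23\n"      # destination port 23
                    "access-list 101 permit ip any any")
ORDER_A = ("access-list 102 deny ip 10.10.10.0 0.0.0.255 any\n"
           "access-list 102 permit ip any any")
ORDER_B = ("access-list 102 permit ip any any\n"                    # shadows the deny below
           "access-list 102 deny ip 10.10.10.0 0.0.0.255 any")

def demo():
    """Client 10.10.10.5 opens Telnet: ephemeral source port, destination port 23."""
    telnet = Packet("tcp", "10.10.10.5", "192.168.1.1", sport=41000, dport=23)
    return {
        "wrong_acl": evaluate(WRONG_TELNET_ACL, telnet),   # permit: nothing matched the deny
        "right_acl": evaluate(RIGHT_TELNET_ACL, telnet),   # deny
        "order_a": evaluate(ORDER_A, telnet),              # deny
        "order_b": evaluate(ORDER_B, telnet),              # permit: the deny is unreachable
    }
```

Calling demo() shows the two failure modes side by side: the list with source port 23 lets the Telnet request through, and swapping the two entries of list 102 flips its verdict for the whole 10.10.10.0/24 subnet. The evaluator only models the fields the text discusses (it ignores precedence, tos and log), so it is a teaching aid, not a substitute for testing the list on the router.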
