Extended IP ACLs

Extended IP ACLs were introduced in Cisco IOS Software Release 8.3. Extended IP ACLs control traffic by not only comparing the source and destination IP addresses but also comparing the source and destination port numbers of the IP packets to those configured in the ACL.

The following is the command syntax format of extended IP ACLs:

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log | log-input] [time-range time-range-name]

[Figure 11-3. Border Patrol (ACL) Stopping a Truck from Mexico (Packet). Figure labels: Mexico (Source); Leaving the United States; Canada (Destination)]

In all software releases, the access-list-number can be 101 to 199. In Cisco IOS Software Release 12.0.1, extended IP ACLs began using additional numbers (2000 to 2699); these additional numbers are referred to as expanded IP ACLs. Cisco IOS Software Release 11.2 added the ability to use a list name instead of a number in extended IP ACLs.

Example 11-2 shows an extended IP ACL used to permit traffic on the 192.168.100.x network (inside) and to receive ping responses from the outside while preventing unsolicited pings from people outside (permitting all other traffic).
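The example below is an added illustration, not the book's Example 11-2 and not Cisco code. It is a small Python evaluator for the numbered extended ACL syntax shown above (source and destination with wildcard masks, protocol, an ICMP type or destination port, and the log keyword), run against a constructed three-line ACL that does what the paragraph describes: admit echo replies to the 192.168.100.0/24 inside network, deny and log inbound echo requests, and permit everything else to the inside. The ACL number 101, the address 203.0.113.5, and the packet values are all constructed for the demonstration. It also shows two properties a practitioner should keep in mind: entries are evaluated top-down and the first match wins, so reordering the lines changes the result, and anything that matches no entry falls through to the implicit deny.

```python
"""Evaluator for Cisco-style numbered extended IP ACL entries (added example, not Cisco code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

PROTOCOLS = {"ip", "icmp", "tcp", "udp"}
ICMP_TYPES = {"echo": 8, "echo-reply": 0}   # ICMP type keywords understood by this evaluator

# Constructed ACL matching the description of Example 11-2 (applied inbound on the outside interface).
CONSTRUCTED_ACL = [
    "access-list 101 permit icmp any 192.168.100.0 0.0.0.255 echo-reply",
    "access-list 101 deny icmp any 192.168.100.0 0.0.0.255 echo log",
    "access-list 101 permit ip any 192.168.100.0 0.0.0.255",
]


@dataclass
class Entry:
    action: str                        # "permit" or "deny"
    protocol: str
    src: Tuple[int, int]               # (address, wildcard) as 32-bit integers
    dst: Tuple[int, int]
    icmp_type: Optional[int] = None
    dst_port: Optional[int] = None     # only "eq <port>" on the destination is supported here
    log: bool = False


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str                      # "icmp", "tcp" or "udp"
    icmp_type: Optional[int] = None
    dst_port: Optional[int] = None


def _parse_address(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' and return (address, wildcard)."""
    word = tokens.pop(0)
    if word == "any":
        return 0, 0xFFFFFFFF
    if word == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(word)), int(ipaddress.IPv4Address(tokens.pop(0)))


def parse_entry(line):
    """Parse 'access-list <n> {permit|deny} <protocol> <src> <dst> [options]'."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACL entry: {line}")
    action, protocol = tokens[2], tokens[3]
    if protocol not in PROTOCOLS:
        raise ValueError(f"unsupported protocol {protocol!r}: {line}")
    rest = tokens[4:]
    entry = Entry(action, protocol, _parse_address(rest), _parse_address(rest))
    while rest:
        opt = rest.pop(0)
        if protocol == "icmp" and opt in ICMP_TYPES:
            entry.icmp_type = ICMP_TYPES[opt]
        elif protocol in ("tcp", "udp") and opt == "eq":
            entry.dst_port = int(rest.pop(0))
        elif opt == "log":
            entry.log = True
        else:
            raise ValueError(f"unsupported option {opt!r}: {line}")
    return entry


def _addr_match(rule, ip):
    """Wildcard semantics: 0 bits in the wildcard must match, 1 bits are ignored."""
    addr, wildcard = rule
    return (int(ipaddress.IPv4Address(ip)) ^ addr) & (0xFFFFFFFF ^ wildcard) == 0


def entry_matches(entry, pkt):
    if entry.protocol != "ip" and entry.protocol != pkt.protocol:
        return False
    if not (_addr_match(entry.src, pkt.src) and _addr_match(entry.dst, pkt.dst)):
        return False
    if entry.icmp_type is not None and entry.icmp_type != pkt.icmp_type:
        return False
    if entry.dst_port is not None and entry.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(acl, pkt):
    """First matching entry decides; every ACL ends with an implicit 'deny ip any any'."""
    for entry in acl:
        if entry_matches(entry, pkt):
            return entry.action
    return "deny"


def decide(acl_lines, pkt):
    return evaluate([parse_entry(line) for line in acl_lines], pkt)


if __name__ == "__main__":
    inside_host = "192.168.100.10"
    for pkt in (Packet("203.0.113.5", inside_host, "icmp", icmp_type=0),      # ping reply: permit
                Packet("203.0.113.5", inside_host, "icmp", icmp_type=8),      # unsolicited ping: deny
                Packet("203.0.113.5", inside_host, "tcp", dst_port=443),      # other traffic: permit
                Packet("203.0.113.5", "10.0.0.1", "tcp", dst_port=443)):      # not inside: implicit deny
        print(pkt, "->", decide(CONSTRUCTED_ACL, pkt))
    print("reversed ACL, ping request ->",
          decide(list(reversed(CONSTRUCTED_ACL)), Packet("203.0.113.5", inside_host, "icmp", icmp_type=8)))
```

Note that the echo-reply permit is stateless: the ACL cannot tell whether an inside host actually sent the matching request, so any echo-reply to the inside network is admitted. That is the limit of a plain extended ACL, and it is why the deny for inbound echo requests must sit above the general permit; placing the `permit ip` entry first would shadow it, as the reversed-ACL run shows.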
