Header

Sections

Syndication

Blogroll:

||||| ALL Cisco-Network ARTICLES |||||
CCIE Journey,
The CCIE Journey,

Home : CCSP-Cisco Certified Security Professional : Extended Access Lists

Email to a friend email

email

Print version print

print

Extended Access Lists

Mar 24,2010 by alperen

small font

medium font

large font

Extended access lists provide a higher level of traffic control by being able to filter packets based on the protocol, source and/or destination IP address, and source and/or destination port number. For example, an extended access list can block an address (or group of addresses) in a particular network from accessing the FTP services on a specific server, while still allowing other services.

Creating an Extended Access List

As with standard lists, the access-list command is used to create each condition of the list—one condition per line. The lines are processed sequentially and can’t be edited or reordered once in place without the use of a tool like Notepad. The protocol being filtered determines the exact syntax options, but the basic syntax for IOS version 12.x includes the following items.

access-list acl# {permit | deny} {protocol | protocol-keyword}{source wildcard | any}
[operator source-port] {destination wildcard | any} [operator destination-port]
[precedence precedence] [tos tos] [log | log-input] [options]

acl#	A number (100–199 or 2,000–2,699) that identifies all statements in the list.
permit \| deny	The choice between does the packet pass through or not, or does it live or die.
protocol	The name or number of an IP protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, pim, tcp, or udp, or a number (0 to 255) representing an IP protocol number. Keyword ip includes ICMP, TCP, and UDP. Some protocols allow further qualifiers.
source \| any	The choice between selected host(s) or keyword ANY includes all hosts.
destination \| any	The choice between selected host(s) or keyword ANY includes all hosts.
wildcard	A wildcard mask identifying a host, subnet, network, or supernet. The keyword host with the source or destination is the same as address 0.0.0.0 (example host 10.0.0.1 is the same as 10.0.0.1 0.0.0.0).
operator	Compares source or destination ports, include eq (equal to), lt (less than), gt (greater than), neq (not equal to), and range (inclusive range—requires two port numbers).
source-port destination-port	Number (0–65,535) or name of a TCP or UDP port. Used with TCP or UDP filters.
precedence precedence	Packets can be filtered by precedence level, as specified by a number from 0 to 7 or by name.
tos tos	Packets can be filtered by type of service level, as specified by a number from 0 to 15 or by name.
log \| log-input	Logs matches against this entry. Log-input logs match against this entry, including input interface.

Any keywords or components covered in standard access lists are the same, except the Log option now reports relative protocol, source/destination addresses, and source/destination ports. Extended ACLs are applied to interfaces exactly the same as standard ACLs except that, whenever possible, they’re placed as close to the source as possible. Placing them close to the source conserves resources by not processing the packet through the network only to kill it off. Some router processes that use ACLs might only use standard, extended, or even named lists.

With extended access lists, every condition listed in the access list statement must match for the statement to match and the permit or deny condition to be applied. As soon as one condition fails, that statement is skipped and the next statement in the access list is compared. If all statements fail to match in their entirety, the packet is then discarded. Remember, once an ACL is applied, the default becomes to deny anything that isn’t explicitly permitted. Figure A-3 shows how each line of an extended access list is processed.

Click To expand

Figure A-3: Extended access list processing steps

Far too many options exist to remember for filtering with extended access lists, but using the question mark (?) help feature displays all the possibilities. The next sections cover the most common ones.

2472 times read

Related news

» Named Access Lists
by alperen posted on Mar 24,2010
» IP-ICMP-TCP-UDP access-list cisco
by alperen posted on Jul 26,2009
» access-list cisco IP Called ACLs
by alperen posted on Jul 26,2009
» Reference the Time Range
by alperen posted on Jul 08,2009
» Extended Access Lists
by alperen posted on Jul 08,2009

Did you enjoy this article?

(total 0 votes)

comment

Comments (0 posted)

More Top News

CCSP-Cisco Certified Security Professional

Cisco SAFE Implementation

Preparation Documents

Skills Required for the Exam

Cisco SAFE Implementation Questions and Answers

Access Control Lists Cisco

Access List Basics

Standard Access Lists

Extended Access Lists

TCP Access Lists

UDP Access Lists

ICMP Access Lists

Named Access Lists

Signature and Alarm Management Review

Signature and Alarm Management Review Questions and Answers

Managing Alarms

Event Viewer Customization

Preference Settings

Sensor Installation

Connecting to Your Network Sensor Appliance

Sensor Bootstrap

Sensor Installation and Configuration Review

Sensor Installation and Configuration Questions and Answers

Signature and Alarm Management

CIDS Signatures

Signature Series

Signature Implementations

Signature Classes

Signature Types

Signature Severity

Most Popular

Privilege Levels

Managing the Router's ARP Cache

Configuring SIP on a Cisco Router

Redistributing Static Routes into OSPF

Most Commented

Exploring the Navigation Bar

Named Access Lists

Object Grouping

Featured Author

alperen