Extended Access Lists
Mar 24, 2010 00:00 by alperen

Extended access lists provide a higher level of traffic control by being able to filter packets based on the protocol, source and/or destination IP address, and source and/or destination port number. For example, an extended access list can block an address (or group of addresses) in a particular network from accessing the FTP services on a specific server, while still allowing other services.

Creating an Extended Access List

As with standard lists, the access-list command creates each condition of the list, one condition per line. The lines are processed sequentially in the order they were entered, and a numbered list cannot be edited or reordered in place: the usual workaround is to paste the list into a text editor such as Notepad, change it there, remove the old list with no access-list acl#, and paste the revised version back. While the list is deleted, an interface that still references it permits all traffic, so make the change during a maintenance window or unbind the list from the interface first. The protocol being filtered determines the exact syntax options, but the basic syntax for IOS version 12.x includes the following items.

access-list acl# {permit | deny} {protocol | protocol-keyword} {source wildcard | any}
[operator source-port] {destination wildcard | any} [operator destination-port]
[precedence precedence] [tos tos] [log | log-input] [options]

acl#

A number (100–199 or 2,000–2,699) that identifies all statements in the list.

permit | deny

Whether a packet that matches this statement is forwarded (permit) or dropped (deny).

protocol

The name or number of an IP protocol: one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, pim, tcp, or udp, or a number (0 to 255) giving the IP protocol number. The keyword ip matches any IP protocol, so an ip entry also covers ICMP, TCP, and UDP. Some protocols accept further qualifiers, for example port operators with tcp and udp and message types with icmp and igmp.

source | any

The source address(es) to match, given as an address with a wildcard mask, as host followed by a single address, or as the keyword any, which matches every source address.

destination | any

The destination address(es) to match, given in the same forms as the source: an address with a wildcard mask, host followed by a single address, or the keyword any, which matches every destination address.

wildcard

A wildcard mask identifying a host, subnet, network, or supernet. A 0 bit in the mask means the corresponding address bit must match; a 1 bit means that bit is ignored. The keyword host before a source or destination address is shorthand for a wildcard mask of 0.0.0.0 (host 10.0.0.1 is the same as 10.0.0.1 0.0.0.0), and any is shorthand for 0.0.0.0 255.255.255.255.

operator

Compares the source or destination port against the port number(s) that follow: eq (equal to), lt (less than), gt (greater than), neq (not equal to), or range (inclusive range, which takes two port numbers). A statement with no operator matches any port.

source-port destination-port

A number (0–65535) or well-known name (for example ftp, telnet, www) of a TCP or UDP port. Used only with tcp and udp filters.

precedence precedence

Packets can be filtered by precedence level, as specified by a number from 0 to 7 or by name.

tos tos

Packets can be filtered by type of service level, as specified by a number from 0 to 15 or by name.

log | log-input

Logs matches against this entry to the console or syslog. log-input additionally records the input interface and the source MAC address of the matching packet, which is useful for tracing where spoofed traffic entered the router.

Keywords and components covered under standard access lists work the same way here, except that the log option now reports the protocol, source and destination addresses, and source and destination ports of the matching packet. Extended ACLs are applied to interfaces with the same ip access-group command as standard ACLs, but because they can identify the exact traffic to drop, they are placed as close to the source as possible. Filtering close to the source conserves bandwidth and router resources by not carrying a packet across the network only to discard it at the far end. Some router processes that use ACLs accept only standard, only extended, or only named lists, so check the documentation for the feature in question.

With extended access lists, every condition in a statement must match for the statement to match and its permit or deny action to be applied. As soon as one condition fails, that statement is skipped and the packet is compared against the next statement. If no statement matches in its entirety, the packet is discarded by the implicit deny at the end of every list. Remember, once an ACL is applied, the default becomes deny for anything that isn't explicitly permitted, so a list containing only deny statements blocks all traffic on that interface. Figure A-3 shows how each line of an extended access list is processed.

Figure A-3: Extended access list processing steps
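The processing rules above, together with the FTP example from the opening paragraph, as an added Python model. This is not code from the article and not how IOS itself evaluates ACLs; it is a simulator that parses two constructed access-list 101 lines in the IOS 12.x syntax, applies the wildcard-mask and port-operator semantics described above, walks the list top to bottom, and falls through to the implicit deny when nothing matches. The ACL lines, the sample packets, and the small port-name table are all constructed for this example.

```python
import ipaddress

# Constructed sample list in IOS 12.x numbered extended syntax (not from the article).
# Line 1 blocks the 10.1.1.0/24 group from FTP control and data on server 192.168.1.10;
# line 2 lets everything else through. Drop line 2 and the implicit deny blocks it all.
ACL_101 = """
access-list 101 deny tcp 10.1.1.0 0.0.0.255 host 192.168.1.10 range 20 21 log
access-list 101 permit ip any any
"""

# Small subset of the port names IOS accepts; constructed for the example.
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "www": 80}
PORT_OPERATORS = ("eq", "lt", "gt", "neq", "range")


def to_int(ip):
    return int(ipaddress.IPv4Address(ip))


def port(tok):
    return PORT_NAMES.get(tok) or int(tok)


def parse_address(t, i):
    """Consume {A.B.C.D wildcard | host A.B.C.D | any} at t[i]; return ((net, wildcard), next)."""
    if t[i] == "any":                       # any == 0.0.0.0 255.255.255.255
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":                      # host A == A 0.0.0.0
        return (to_int(t[i + 1]), 0), i + 2
    return (to_int(t[i]), to_int(t[i + 1])), i + 2


def parse_port_op(t, i):
    """Consume an optional [operator port [port]] at t[i]; return ((op, lo, hi) or None, next)."""
    if i < len(t) and t[i] in PORT_OPERATORS:
        if t[i] == "range":                 # range needs two ports, inclusive
            return (t[i], port(t[i + 1]), port(t[i + 2])), i + 3
        return (t[i], port(t[i + 1]), None), i + 2
    return None, i


def parse_acl(text):
    """Parse access-list lines into ordered entries; list order is evaluation order."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        src, i = parse_address(t, 4)
        sport, i = parse_port_op(t, i)
        dst, i = parse_address(t, i)
        dport, i = parse_port_op(t, i)
        entries.append({"num": int(t[1]), "action": t[2], "proto": t[3],
                        "src": src, "sport": sport, "dst": dst, "dport": dport,
                        "log": any(k in t[i:] for k in ("log", "log-input"))})
    return entries


def addr_matches(spec, ip):
    """Wildcard semantics: 0 bits in the mask must match, 1 bits are ignored."""
    net, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (to_int(ip) & care) == (net & care)


def port_matches(spec, p):
    if spec is None:                        # no operator: any port matches
        return True
    op, lo, hi = spec
    if op == "range":
        return lo <= p <= hi
    return {"eq": p == lo, "neq": p != lo, "lt": p < lo, "gt": p > lo}[op]


def evaluate(entries, pkt):
    """Walk the list top to bottom. The first entry whose conditions ALL match decides;
    if none matches, the implicit deny applies. Returns (action, matched_line or None)."""
    for n, e in enumerate(entries, 1):
        if (e["proto"] in ("ip", pkt["proto"])     # keyword ip covers every protocol
                and addr_matches(e["src"], pkt["src"])
                and addr_matches(e["dst"], pkt["dst"])
                and port_matches(e["sport"], pkt.get("sport", 0))
                and port_matches(e["dport"], pkt.get("dport", 0))):
            return e["action"], n
    return "deny", None


if __name__ == "__main__":
    acl = parse_acl(ACL_101)
    # Constructed packets: FTP from inside the blocked group, HTTP from the same host,
    # FTP from a host outside the group, and ICMP from inside the group.
    packets = [
        {"proto": "tcp", "src": "10.1.1.7", "dst": "192.168.1.10", "sport": 40001, "dport": 21},
        {"proto": "tcp", "src": "10.1.1.7", "dst": "192.168.1.10", "sport": 40002, "dport": 80},
        {"proto": "tcp", "src": "10.2.2.7", "dst": "192.168.1.10", "sport": 40003, "dport": 21},
        {"proto": "icmp", "src": "10.1.1.7", "dst": "192.168.1.10"},
    ]
    for pkt in packets:
        action, line = evaluate(acl, pkt)
        print(f"{pkt['proto']} {pkt['src']} -> {pkt['dst']}:{pkt.get('dport', '-')}: "
              f"{action} ({'line ' + str(line) if line else 'implicit deny'})")
```

Running the block shows the first packet denied by line 1 and the other three permitted by line 2; evaluating `acl[:1]` (the deny line alone) against any of them returns the implicit deny, which is the trap the paragraph above warns about.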

Far too many options exist to remember for filtering with extended access lists, but the question mark (?) help feature of the IOS command line displays all the possibilities at any point in the command. The next sections cover the most common ones.