Extended Access Lists
Mar 24,2010 00:00
by
alperen
Extended access lists provide a higher level of traffic control because they can filter packets on the protocol, the source and/or destination IP address, and the source and/or destination port number. For example, an extended access list can block an address (or group of addresses) in a particular network from reaching the FTP service on a specific server while still allowing that network to use the server's other services.

Creating an Extended Access List

As with standard lists, the access-list command is used to create each condition of the list, one condition per line. The lines are processed sequentially and, for numbered lists, can't be edited or reordered once in place without rebuilding the list in a text editor such as Notepad and pasting it back in (named ACLs on IOS 12.3 and later support sequence numbers, which allow individual entries to be inserted or deleted). The protocol being filtered determines the exact syntax options, but the basic syntax for IOS version 12.x includes the following items.
Any keywords or components covered in standard access lists work the same way here, except that the log keyword now records the protocol, the source and destination addresses, and the source and destination ports of each matching packet. Extended ACLs are applied to interfaces exactly the same way as standard ACLs, except that, whenever possible, they're placed as close to the source as possible. Placing them close to the source conserves resources: the packet is not carried across the network only to be dropped at the far end. Some router features that reference ACLs accept only standard, only extended, or only named lists. With extended access lists, every condition in an access list statement must match for the statement to match and its permit or deny action to be applied. As soon as one condition fails, that statement is skipped and the next statement in the list is compared. If no statement matches in its entirety, the packet is discarded. Remember, once an ACL is applied, the default becomes an implicit deny of anything that isn't explicitly permitted, so a list with no permit statement blocks all traffic on that interface in that direction. Figure A-3 shows how each line of an extended access list is processed. Far too many options exist to remember for filtering with extended access lists, but the question mark (?) help feature displays all the possibilities. The next sections cover the most common ones.
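The following configuration puts the FTP example and the processing rules above into practice. It is an added example, not configuration from the original article: the addresses, interface name and list number are assumptions (workstations on 192.168.10.0/24 behind FastEthernet0/0, an FTP/web server at 10.1.1.5, numbered extended list 101). Note the ordering: the deny entries must come before the broad permit, or they would never be reached.

```cisco
! Numbered extended ACLs use 100-199 (or 2000-2699). Entries are evaluated
! top to bottom; the first entry whose every field matches decides the packet.
! (Assumed lab addressing; not from the original article.)
access-list 101 remark Keep the 192.168.10.0/24 workstations off FTP on 10.1.1.5
!
! Deny the FTP control channel (tcp/21) and FTP data channel (tcp/20) from the
! workstation subnet to the server only. "log" records protocol, addresses
! and ports for each hit. Both fields (source wildcard, destination host,
! protocol, port) must match for these entries to apply.
access-list 101 deny   tcp 192.168.10.0 0.0.0.255 host 10.1.1.5 eq ftp log
access-list 101 deny   tcp 192.168.10.0 0.0.0.255 host 10.1.1.5 eq ftp-data log
!
! Everything else from that subnet to the server (HTTP, etc.) is still allowed,
! as is the subnet's traffic to any other destination. If this line were placed
! ABOVE the two deny entries it would match first and the FTP block would be
! dead, because evaluation stops at the first matching entry.
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
!
! Implicit and invisible final entry:
!   access-list 101 deny ip any any
! Without at least one permit, the list would block all inbound traffic.
!
! Apply inbound on the interface nearest the source so filtered packets are
! dropped before the router forwards them anywhere.
interface FastEthernet0/0
 description LAN side, closest to the 192.168.10.0/24 workstations
 ip access-group 101 in
```

To confirm the list is doing what you intended, `show access-lists 101` displays each entry with its match counter (the denied FTP entries should increment when a workstation attempts an FTP connection and nothing else should), and `show ip interface FastEthernet0/0` confirms that list 101 is bound inbound on the interface.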