Extended Acls - Cisco CCNA 2 Instructor Manual

Cisco systems routers instructor guide

11.2.2 Extended ACLs

Extended ACLs are used more often than standard ACLs because they provide a greater
range of control. Extended ACLs check the source and destination packet addresses and also
check for protocols and port numbers. This provides greater flexibility to define what the ACL
will filter. Packets can be permitted or denied based on where the packet originated and its
destination, or on protocol type and port number. Multiple statements may be configured for a
single ACL. The syntax for an extended ACL statement can get very long and will often wrap in
the terminal window. In place of a wildcard mask, the host or any keywords may also be used in
the command.
The extended ACL uses both the source and the destination address. Ask students what ports
are used for FTP, Telnet, SMTP, HTTP, and DNS. The students need to have these ports
memorized. The first part of an IP extended ACL is the same as an IP standard ACL; the
number is within the range of 100 to 199.
rt1(config)#access-list 101 ?
  deny     Specify packets to reject
  dynamic  Specify a DYNAMIC list of PERMITs or DENYs
  permit   Specify packets to forward
  remark   Access list entry comment

The permit or deny is the same as the standard.

rt1(config)#access-list 101 permit ?
  <0-255>  An IP protocol number
  ahp      Authentication Header Protocol
  eigrp    Cisco's EIGRP routing protocol
  esp      Encapsulation Security Payload
  gre      Cisco's GRE tunneling
  icmp     Internet Control Message Protocol
  igmp     Internet Gateway Message Protocol
  igrp     Cisco's IGRP routing protocol
  ip       Any Internet Protocol
  ipinip   IP in IP tunneling
  nos      KA9Q NOS compatible IP over IP tunneling
  ospf     OSPF routing protocol
  pcp      Payload Compression Protocol
  pim      Protocol Independent Multicast
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol

In an extended ACL, the protocol is listed after the permit or deny statement. Then enter the
source address with the wildcard mask and destination address with the wildcard mask.

rt1(config)#access-list 101 permit tcp 172.16.0.1 0.0.0.0 192.168.0.0 0.0.255.255 ?
  ack          Match on the ACK bit
  eq           Match only packets on a given port number
  established  Match established connections
  fin          Match on the FIN bit
  gt           Match only packets with a greater port number
  log          Log matches against this entry
  log-input    Log matches against this entry, including input interface
  lt           Match only packets with a lower port number
  neq          Match only packets not on a given port number

125 - 238 CCNA 2: Routers and Routing Basics v3.1 Instructor Guide – Module 11
Copyright © 2004, Cisco Systems, Inc.
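An added example, not code from the Cisco guide: the Python below parses statements of the form shown above (protocol, source and destination with a wildcard mask or the host/any keywords, then an eq/gt/lt/neq port operator) and evaluates sample packets against them top-down, with the implicit deny at the end. Function names and the sample ACL are constructed, and the port operator is assumed to apply to the destination port, as in the command above.

```python
# Added example (hypothetical helper, not Cisco code): parse IOS-style extended ACL
# statements; port operators are assumed to apply to the destination port only.
import ipaddress

def _wc_match(addr, base, wildcard):
    """Wildcard-mask match: a 0 bit in the mask means that bit must match."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' from the token list."""
    t = tokens.pop(0)
    if t == "any":
        return ("0.0.0.0", "255.255.255.255")
    if t == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (t, tokens.pop(0))

_OPS = {"eq": lambda p, n: p == n, "neq": lambda p, n: p != n,
        "gt": lambda p, n: p > n, "lt": lambda p, n: p < n}

def parse_ace(line):
    """Parse 'access-list N permit|deny proto src dst [op port]' into a dict."""
    tokens = line.split()
    number, action, proto, tokens = int(tokens[1]), tokens[2], tokens[3], tokens[4:]
    src, dst = _parse_addr(tokens), _parse_addr(tokens)
    port = (tokens[0], int(tokens[1])) if tokens and tokens[0] in _OPS else None
    return {"number": number, "action": action, "proto": proto,
            "src": src, "dst": dst, "port": port}

def evaluate(acl, packet):
    """First match wins, top-down; a packet matching nothing hits the implicit deny."""
    for ace in acl:
        if ace["proto"] not in ("ip", packet["proto"]):
            continue
        if not (_wc_match(packet["src"], *ace["src"])
                and _wc_match(packet["dst"], *ace["dst"])):
            continue
        if ace["port"] and not _OPS[ace["port"][0]](packet["dport"], ace["port"][1]):
            continue
        return ace["action"]
    return "deny"  # implicit deny any at the end of every ACL

# Constructed sample ACL: block Telnet (23) into 192.168.0.0/16, allow HTTP (80)
# from one host, then allow all other IP traffic sourced from 172.16.0.0/16.
ACL_101 = [parse_ace(s) for s in (
    "access-list 101 deny tcp any 192.168.0.0 0.0.255.255 eq 23",
    "access-list 101 permit tcp host 172.16.0.1 192.168.0.0 0.0.255.255 eq 80",
    "access-list 101 permit ip 172.16.0.0 0.0.255.255 any",
)]
```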
