Extended ACLs
Like standard ACLs, extended ACLs check a packet's source address; in addition, they check the destination address, the protocol and the port numbers. Extended Access Control Lists (ACLs) therefore provide a greater range of control and add another layer to your security solution. Extended ACLs provide more precise traffic-filtering control. You can use extended ACLs numbered 100 to 199 and 2000 to 2699, a total of 800 possible numbered extended ACLs. Extended ACLs can also be named.
Extended Access Control Lists offer a greater range of criteria on which to base the ACL.
For example, you can use an extended ACL to simultaneously allow e-mail traffic from a network to a specific destination while denying file transfers and web browsing from that same network.
A specifically built extended ACL uses its logical decisions to filter on source and destination addresses, and on protocol and port numbers.
Let's look at it this way: an extended ACL can be built to:
1. Filter on the source address.
2. Then filter on the source port and protocol.
3. Filter on the destination address.
4. Then filter on the destination port and protocol, and make the final permit / deny decision.
The examples below show how an administrator specifies a TCP or UDP port number by placing it at the end of the extended ACL statement. Logical operators can be used, such as equal (eq), not equal (neq), greater than (gt), and less than (lt).
Extended Access List examples
Using Port Numbers
access-list 101 permit tcp 192.168.2.0 0.0.0.255 any eq 23
access-list 101 permit tcp 192.168.2.0 0.0.0.255 any eq 21
access-list 101 permit tcp 192.168.2.0 0.0.0.255 any eq 20
Using keywords
access-list 101 permit tcp 192.168.2.0 0.0.0.255 any eq telnet
access-list 101 permit tcp 192.168.2.0 0.0.0.255 any eq ftp
access-list 101 permit tcp 192.168.2.0 0.0.0.255 any eq ftp-data
Use the following command to list the port numbers and keywords that are available while building an ACL (the trailing ? invokes the context-sensitive help):
Router1(config)#access-list 101 permit tcp any eq ?
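To make the four-step matching order above and the port operators in these statements concrete, here is an added example (not from the original page) that parses access-list lines of this form in Python and evaluates a packet against them in top-down, first-match order with the implicit deny at the end. The ACL entries, addresses and the small keyword table are constructed for the example; the port test after the source address (as in the help command above) is handled as a source-port test.

```python
import ipaddress

# Constructed sample ACL in IOS numbered syntax (our own entries, modelled on the page's list 101).
ACL_101 = """
access-list 101 permit tcp 192.168.2.0 0.0.0.255 any eq telnet
access-list 101 permit tcp 192.168.2.0 0.0.0.255 any eq ftp
access-list 101 deny   tcp 192.168.2.0 0.0.0.255 any eq 80
access-list 101 permit ip any any
"""
PORT_KEYWORDS = {"telnet": 23, "ftp": 21, "ftp-data": 20, "www": 80}  # subset of the IOS keywords

def parse_addr(tokens):   # consume 'any' or 'A.B.C.D wildcard'; return (address, care_mask) as ints
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0                         # no bits matter: matches every address
    addr = int(ipaddress.IPv4Address(tok))
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    return addr, ~wildcard & 0xFFFFFFFF     # wildcard bit 0 = must match, 1 = ignore

def parse_port(tokens):   # optional test: eq/neq/gt/lt + number or keyword; None if absent
    if tokens and tokens[0] in ("eq", "neq", "gt", "lt"):
        op, val = tokens.pop(0), tokens.pop(0)
        return op, PORT_KEYWORDS[val] if val in PORT_KEYWORDS else int(val)
    return None

def parse_acl(text):      # each line: access-list N action proto src [port] dst [port]
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto, rest = t[2], t[3], t[4:]
        src, sport = parse_addr(rest), parse_port(rest)   # source address, then source port
        dst, dport = parse_addr(rest), parse_port(rest)   # destination address, then destination port
        entries.append((action, proto, src, sport, dst, dport))
    return entries

def port_ok(test, port):
    if test is None:                        # entry names no port test: any port matches
        return True
    op, v = test
    return {"eq": port == v, "neq": port != v, "gt": port > v, "lt": port < v}[op]

def evaluate(entries, proto, src_ip, sport, dst_ip, dport):
    """Top-down, first match wins; falling off the end is the implicit deny."""
    s, d = int(ipaddress.IPv4Address(src_ip)), int(ipaddress.IPv4Address(dst_ip))
    for action, p, (sa, sm), st, (da, dm), dt in entries:
        if (p in ("ip", proto)) and (s & sm) == (sa & sm) and (d & dm) == (da & dm) \
                and port_ok(st, sport) and port_ok(dt, dport):
            return action
    return "deny"
```

Note that the explicit deny for port 80 only matches TCP from 192.168.2.0/24; UDP or other source networks fall through to the permit ip any any entry, which is the kind of gap a review of the list should catch.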