Easy Understanding of Cisco’s Extended ACLs

Extended Access Control Lists (ACL) control traffic by comparing the source and destination address of the IP packets to whichever addresses you have configured within the ACL.

A standard ACL only compares the source address of the IP packet to whichever address is configured in the ACL and permits or denies the packet on that basis; the destination of the packet and the ports involved do not matter. A standard ACL also cannot filter on protocol type, whereas with an extended ACL you can filter IP, ICMP, TCP and UDP packets individually and specify particular ports.

You would typically use extended ACLs when you want to create specific packet filtering rules that will be applied to a host, thus creating a more effective, and more specific, packet filtering firewall than you would get by creating only standard ACLs. The numbers available to standard and extended ACLs are limited: you can have 99 standard ACLs, numbered from 1 to 99, while extended ACLs are assigned numbers in the range 100 to 199.

Let’s take the following ACL and check if it is valid:

access-list 101 permit tcp 10.10.10.1 0.0.0.255 host 10.1.1.2 eq 80

The only problem with the ACL above is that 10.10.10.1 should be 10.10.10.0. Because a source wildcard (0.0.0.255) follows the address, the ACL matches any host on the 10.10.10.x network, so the host portion of the address (the .1 in 10.10.10.1) plays no part in the comparison and a specific host address is meaningless there.

The correct ACL should be:

access-list 101 permit tcp 10.10.10.0 0.0.0.255 host 10.1.1.2 eq 80

This would allow for any host from the 10.10.10.x network to connect to the host 10.1.1.2 on port 80 (HTTP).
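To make the wildcard-mask and port matching concrete, here is an added example (not part of the original post) that parses the page's extended ACL entry and evaluates constructed test traffic against it. It assumes numeric ports only (no service names such as www) and the 100 to 199 numbered range the post gives for extended ACLs.

```python
import ipaddress

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'do not compare this bit'.
    So 0.0.0.0 is an exact host match and 255.255.255.255 means 'any'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)

def parse_ace(line: str) -> dict:
    """Parse one numbered extended ACE in the post's syntax:
    access-list <100-199> permit|deny <proto> <src> [eq <port>] <dst> [eq <port>]
    where <src>/<dst> is 'host A.B.C.D', 'any', or 'A.B.C.D WILDCARD'.
    Assumption: ports are numeric (no service names such as 'www')."""
    tok = line.split()
    if tok[0] != "access-list" or not 100 <= int(tok[1]) <= 199:
        raise ValueError("not a numbered extended ACL entry: " + line)
    ace = {"number": int(tok[1]), "action": tok[2], "proto": tok[3]}
    i = 4
    for side in ("src", "dst"):
        if tok[i] == "host":
            ace[side], i = (tok[i + 1], "0.0.0.0"), i + 2
        elif tok[i] == "any":
            ace[side], i = ("0.0.0.0", "255.255.255.255"), i + 1
        else:
            ace[side], i = (tok[i], tok[i + 1]), i + 2
        if i < len(tok) and tok[i] == "eq":
            ace[side + "_port"], i = int(tok[i + 1]), i + 2
    return ace

def ace_matches(ace: dict, proto: str, src: str, dst: str, sport: int, dport: int) -> bool:
    """'ip' in the ACE matches every protocol; tcp/udp/icmp must match exactly."""
    if ace["proto"] != "ip" and ace["proto"] != proto:
        return False
    if not wildcard_match(src, *ace["src"]) or not wildcard_match(dst, *ace["dst"]):
        return False
    if ace.get("src_port", sport) != sport or ace.get("dst_port", dport) != dport:
        return False  # an 'eq' port was given and the packet's port differs
    return True

def evaluate(acl: list, proto: str, src: str, dst: str, sport: int, dport: int) -> str:
    """First matching entry wins; traffic that matches nothing hits the implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, proto, src, dst, sport, dport):
            return ace["action"]
    return "deny"

# The post's corrected entry; the traffic checked against it is constructed.
ACL_101 = ["access-list 101 permit tcp 10.10.10.0 0.0.0.255 host 10.1.1.2 eq 80"]
```

Because the wildcard 0.0.0.255 masks out the last octet, `wildcard_match` gives the same result for the base address 10.10.10.1 as for 10.10.10.0, which is why the host bits in the original entry have no effect.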

I would highly recommend the following Cisco URL on Configuring IP Access Lists, as it provides a wealth of information on creating, configuring and defining the different types of ACLs.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml

Enjoy!