EXTENDED ACCESS CONTROL LISTS (ACLs)
Standard Access Control Lists can filter IP traffic based ONLY on the source IP address in an IP datagram.
Extended Access Control Lists can filter traffic based on several other factors:
• Source and destination IP addresses.
• Protocols such as IP, TCP, UDP, ICMP, etc.
• Protocol information: port numbers for TCP and UDP, or message types for ICMP.
Extended Access Control Lists are created with the “access-list” IOS command. The syntax of the “access-list” command for creating an Extended Access Control List is shown below.
Router(config)# access-list [Access_list_number] permit|deny
IP_protocol source_address source_wildcard_mask
[source_protocol_information] destination_address destination_wildcard_mask
[destination_protocol_information] [log]
Access_list_number: For Extended Access Control List, Access list number must be between 100–199 or 2000–2699.
permit | deny: Whether to permit or deny traffic.
IP_protocol: IP protocol to match. The IP protocols can be IP, ICMP, TCP, GRE, UDP, IGRP, EIGRP, IGMP, IPINIP, NOS, and OSPF.
source_address: Source IP address.
source_wildcard_mask: Source wildcard mask.
source_protocol_information: Additional source protocol information, such as TCP or UDP port numbers.
destination_address: Destination IP address.
destination_wildcard_mask: Destination wildcard mask.
destination_protocol_information: Additional destination protocol information, such as TCP or UDP port numbers.
log: Specifies whether logging is required either to console or to a syslog server.
wildcard mask: Instead of specifying a single IP address, you can also permit or deny whole networks/subnets, or parts of them, by using wildcard masks, also known as inverse masks. The wildcard mask is optional in the IOS command above.
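As an added example (not part of the original text), the following Python models how entries written in the syntax above are matched against a packet: the wildcard-mask comparison, the protocol and port checks, first-match evaluation, and the implicit "deny ip any any" that IOS applies at the end of every ACL. The ACL lines and packets are constructed for illustration; "any" is IOS shorthand for 0.0.0.0 255.255.255.255.

```python
import ipaddress

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard (inverse) mask: a 0 bit must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_entry(line: str) -> dict:
    """Parse 'access-list N permit|deny proto src wc [eq p] dst wc [eq p] [log]'."""
    t = line.split()
    num = int(t[1])
    if not (100 <= num <= 199 or 2000 <= num <= 2699):
        raise ValueError("extended ACL numbers are 100-199 or 2000-2699")
    e = {"action": t[2], "proto": t[3].lower(), "log": t[-1] == "log"}
    i = 4
    for side in ("src", "dst"):
        if t[i] == "any":  # IOS shorthand for address 0.0.0.0, wildcard 255.255.255.255
            e[side], e[side + "_wc"], i = "0.0.0.0", "255.255.255.255", i + 1
        else:
            e[side], e[side + "_wc"], i = t[i], t[i + 1], i + 2
        e[side + "_port"] = None
        if i < len(t) and t[i] == "eq":  # TCP/UDP port qualifier
            e[side + "_port"], i = int(t[i + 1]), i + 2
    return e

def evaluate(acl: list, pkt: dict) -> tuple:
    """Return (action, logged) from the first matching entry; implicit deny otherwise."""
    for e in acl:
        if e["proto"] not in ("ip", pkt["proto"]):  # 'ip' matches every IP protocol
            continue
        if not (wildcard_match(pkt["src"], e["src"], e["src_wc"])
                and wildcard_match(pkt["dst"], e["dst"], e["dst_wc"])):
            continue
        if (e["src_port"] not in (None, pkt.get("sport"))
                or e["dst_port"] not in (None, pkt.get("dport"))):
            continue
        return e["action"], e["log"]
    return "deny", False  # implicit 'deny ip any any' at the end of every ACL

# Constructed sample ACL: allow HTTPS from 10.1.1.0/24 to 192.0.2.0/24, log telnet attempts
ACL = [parse_entry(l) for l in (
    "access-list 101 permit tcp 10.1.1.0 0.0.0.255 192.0.2.0 0.0.0.255 eq 443",
    "access-list 101 deny tcp 10.1.1.0 0.0.0.255 any eq 23 log",
    "access-list 101 permit icmp any any",
)]
```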