ACCESS CONTROL LISTS

EXTENDED ACCESS CONTROL LISTS (ACLs)

Standard Access Control Lists can filter IP traffic based ONLY on the source IP address in an IP datagram packet.

Extended Access Control Lists can filter traffic based on many other factors:

• Source and destination IP addresses.

• Protocols like IP, TCP, UDP, ICMP etc.

• Protocol information: port numbers for TCP and UDP, or message types for ICMP.

Extended Access Control Lists are created with the “access-list” IOS command. The syntax of the “access-list” IOS command for creating an Extended Access Control List is shown below.

Router(config)# access-list [Access_list_number] permit|deny
IP_protocol source_address source_wildcard_mask
[source_protocol_information] destination_address destination_wildcard_mask
[destination_protocol_information] [log]

Access_list_number: For an Extended Access Control List, the access list number must be between 100–199 or 2000–2699.
permit | deny: Whether to permit or deny the matching traffic.
IP_protocol: IP protocol to match. The IP protocols can be IP, ICMP, TCP, GRE, UDP, IGRP, EIGRP, IGMP, IPINIP, NOS, and OSPF.
source_address: Source IP address.
source_wildcard_mask: Source wildcard mask.
source_protocol_information: Additional source protocol information, like TCP or UDP port numbers.
destination_address: Destination IP address.
destination_wildcard_mask: Destination wildcard mask.
destination_protocol_information: Additional destination protocol information, like TCP or UDP port numbers.
log: Specifies whether matches are logged, either to the console or to a syslog server.

wildcard mask: Instead of specifying a single IP address, you can also permit or deny entire networks/subnets, or parts of them, by using wildcard masks, also known as inverse masks. The wildcard mask is optional in the IOS command above.
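As an added example (not from the original post), here is a small Python model of how a router evaluates the extended ACL entries described above: it parses entries in the syntax shown, applies the wildcard-mask (inverse-mask) matching rule, and walks the list top-down, ending in the implicit deny. The ACL 101 entries and the packets are constructed for illustration; the "any" and "host" shorthands are standard IOS keywords not covered in the text above.

```python
import ipaddress
from collections import namedtuple

# The packet fields an extended ACE can inspect (ports are None for non-TCP/UDP traffic).
Packet = namedtuple("Packet", "proto src dst sport dport", defaults=(None, None))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard (inverse) mask: a 1 bit means 'don't care', a 0 bit must match exactly."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def parse_ace(line: str) -> dict:
    """Parse one entry: access-list N permit|deny proto src [eq port] dst [eq port] [log]."""
    tok, pos = line.split(), 4
    num = int(tok[1])
    if tok[0] != "access-list" or not (100 <= num <= 199 or 2000 <= num <= 2699):
        raise ValueError(f"not an extended ACL entry: {line}")
    def addr():                    # returns (address, wildcard_mask)
        nonlocal pos
        if tok[pos] == "any":      # 'any' is shorthand for 0.0.0.0 255.255.255.255
            pos += 1; return "0.0.0.0", "255.255.255.255"
        if tok[pos] == "host":     # 'host A' is shorthand for A 0.0.0.0
            pos += 2; return tok[pos - 1], "0.0.0.0"
        pos += 2; return tok[pos - 2], tok[pos - 1]
    def port():                    # optional 'eq <port>' protocol information
        nonlocal pos
        if pos < len(tok) and tok[pos] == "eq":
            pos += 2; return int(tok[pos - 1])
        return None
    src, sport, dst, dport = addr(), port(), addr(), port()
    return {"num": num, "action": tok[2], "proto": tok[3].lower(), "src": src,
            "sport": sport, "dst": dst, "dport": dport, "log": "log" in tok[pos:]}

def evaluate(acl: list, pkt: Packet) -> str:
    """Entries are checked top-down; the first match decides, and no match means implicit deny."""
    for ace in acl:
        if ace["proto"] not in ("ip", pkt.proto): continue          # 'ip' matches every IP protocol
        if not (wildcard_match(pkt.src, *ace["src"]) and wildcard_match(pkt.dst, *ace["dst"])): continue
        if ace["sport"] not in (None, pkt.sport) or ace["dport"] not in (None, pkt.dport): continue
        return ace["action"]
    return "deny"

# Constructed sample ACL 101 (not taken from the original post).
ACL_101 = [parse_ace(l) for l in (
    "access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 80",
    "access-list 101 deny ip 192.168.1.0 0.0.0.255 any log",
    "access-list 101 permit ip any any",
)]
```

Note that the order of entries matters: swapping the first two lines of ACL_101 would make the deny entry shadow the web-traffic permit.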
