Extended Access Lists

In the standard IP access list example shown previously, notice how you had to block all access
from the sales LAN to the finance department. What if you needed sales to gain access to a certain
server on the finance LAN but not to other network services for security reasons? With
a standard IP access list, you can’t allow users to get to one network service and not another.
Said another way, when you need to make decisions based on both source and destination
addresses, a standard access list won’t allow you to do that since it makes decisions based on
source address only.
But an extended access list will hook you up. That’s because extended access lists allow you
to specify source and destination addresses as well as the protocol and port number that identify
the upper-layer protocol or application. By using extended access lists, you can effectively
allow users access to a physical LAN and stop them from accessing specific hosts—or even
specific services on those hosts.
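To make the difference concrete, here is an added example (not from the book) that models how IOS evaluates a standard list against an extended list for the sales-to-finance scenario above. The access-list lines, the addresses (sales LAN 192.168.10.0/24, finance LAN 172.16.30.0/24, finance web server 172.16.30.5) and the Python matching code are all assumptions constructed for this illustration; the list numbers, wildcard masks, `host`/`any` keywords and `eq` port qualifier follow standard IOS syntax.

```python
"""Model of how Cisco IOS evaluates standard versus extended IP access lists.

Added example, not from the book. It parses IOS-style access-list lines into
access control entries (ACEs), then tests packets against them with first-match
semantics and the implicit deny at the end of every list.
"""
import ipaddress

# Subset of the IOS port keywords accepted after "eq" (numeric ports also work).
PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53}

# Constructed standard list: it can only look at the source address, so the
# whole sales LAN is either blocked or allowed regardless of destination.
STANDARD_ACL_10 = """
access-list 10 deny 192.168.10.0 0.0.0.255
access-list 10 permit any
"""

# Constructed extended list: sales may reach only web (TCP/80) on the finance
# server, nothing else on the finance LAN, and anything elsewhere.
EXTENDED_ACL_110 = """
access-list 110 permit tcp 192.168.10.0 0.0.0.255 host 172.16.30.5 eq www
access-list 110 deny ip 192.168.10.0 0.0.0.255 172.16.30.0 0.0.0.255
access-list 110 permit ip any any
"""


def _take_address(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D [W.W.W.W]'."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    if len(tokens) > 1 and tokens[1][0].isdigit():   # explicit wildcard mask
        return tokens[0], tokens[1], tokens[2:]
    return tokens[0], "0.0.0.0", tokens[1:]           # single host, mask omitted


def _take_port(tokens):
    """Consume an optional 'eq <port>' qualifier; None means 'any port'."""
    if tokens and tokens[0] == "eq":
        port = PORT_NAMES.get(tokens[1]) or int(tokens[1])
        return port, tokens[2:]
    return None, tokens


def parse_acl(text):
    """Turn access-list lines into ACE dicts, in configured order."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        number, action = int(t[1]), t[2]
        if 1 <= number <= 99:   # standard: access-list N action source [wildcard]
            proto = "ip"
            src, src_wc, _ = _take_address(t[3:])
            dst, dst_wc, sport, dport = "0.0.0.0", "255.255.255.255", None, None
        else:                   # extended: ... action proto src [eq p] dst [eq p]
            proto = t[3]
            src, src_wc, rest = _take_address(t[4:])
            sport, rest = _take_port(rest)
            dst, dst_wc, rest = _take_address(rest)
            dport, _ = _take_port(rest)
        aces.append(dict(action=action, proto=proto, src=src, src_wc=src_wc,
                         sport=sport, dst=dst, dst_wc=dst_wc, dport=dport))
    return aces


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == \
           (int(ipaddress.IPv4Address(network)) & care)


def evaluate(aces, packet):
    """Return 'permit' or 'deny' for a packet dict; the first matching ACE wins."""
    for ace in aces:
        if ace["proto"] != "ip" and ace["proto"] != packet["proto"]:
            continue
        if not wildcard_match(packet["src"], ace["src"], ace["src_wc"]):
            continue
        if not wildcard_match(packet["dst"], ace["dst"], ace["dst_wc"]):
            continue
        if ace["sport"] is not None and ace["sport"] != packet.get("sport"):
            continue
        if ace["dport"] is not None and ace["dport"] != packet.get("dport"):
            continue
        return ace["action"]
    return "deny"   # implicit "deny any" at the end of every IOS access list


def compare(packet):
    """Evaluate one packet against the standard list and the extended list."""
    return (evaluate(parse_acl(STANDARD_ACL_10), packet),
            evaluate(parse_acl(EXTENDED_ACL_110), packet))


if __name__ == "__main__":
    cases = {
        "sales -> finance server, TCP/80": dict(proto="tcp", src="192.168.10.7", dst="172.16.30.5", dport=80),
        "sales -> finance server, TCP/22": dict(proto="tcp", src="192.168.10.7", dst="172.16.30.5", dport=22),
        "sales -> other finance host, TCP/80": dict(proto="tcp", src="192.168.10.7", dst="172.16.30.9", dport=80),
    }
    for name, pkt in cases.items():
        std, ext = compare(pkt)
        print(f"{name}: standard={std} extended={ext}")
```

The standard list denies all three sales packets because it never sees the destination or port; the extended list permits only the web request to the finance server. Run as a script it prints one line per case, and the same `compare` function can be called on any packet dict with `proto`, `src`, `dst` and optional `sport`/`dport` keys.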
Table 7.4 lists your basic access-list commands:
TABLE 7.3 Assigning an Access List to a VTY Line
Command        Meaning
access-class   Places an access list on the VTY lines of a device

TABLE 7.4 Creating an Access List and Applying It to an Interface
Command        Meaning
access-list    Configures a single access-list statement into a router's memory for use in a complete access list that will be applied to an interface