Extended ACLs


Extended ACLs are used to filter more specific traffic based on the source address, the destination address, and specific protocols, ports, and flags. The command syntax for the various types of extended ACLs, one for each protocol, is shown in the list that follows:

To define an extended IP ACL:

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny |
permit} protocol source source-wildcard destination destination-wildcard
[precedence precedence] [tos tos] [log | log-input] [time-range time-range-name]
[fragments]

To define an extended TCP ACL:

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny |
permit} tcp source source-wildcard [operator [port]] destination destination-wildcard
[operator [port]] [established] [precedence precedence] [tos tos] [log
| log-input] [time-range time-range-name] [fragments]

To define an extended User Datagram Protocol (UDP) ACL:

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny |
permit} udp source source-wildcard [operator [port]] destination destination-wildcard
[operator [port]] [precedence precedence] [tos tos] [log | log-input]
[time-range time-range-name] [fragments]

To define an extended Internet Control Message Protocol (ICMP) ACL:

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny |
permit} icmp source source-wildcard destination destination-wildcard [icmp-type
[icmp-code] | icmp-message] [precedence precedence] [tos tos] [log | log-input]
[time-range time-range-name] [fragments]

To define an extended Internet Group Management Protocol (IGMP) ACL:

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny |
permit} igmp source source-wildcard destination destination-wildcard [igmp-type]
[precedence precedence] [tos tos] [log | log-input] [time-range time-range-name]
[fragments]

In all Cisco IOS Software releases, the access-list-number for extended access lists can be 101 to 199 or the expanded numbers 2000 to 2699, as shown in Table 2-6.

The following example permits Simple Mail Transfer Protocol (SMTP) (e-mail) traffic to host 172.16.1.1, Domain Name System (DNS) traffic, and ICMP echo and echo-reply packets sourced from all hosts:

Step 1. Define an extended ACL.

Router(config)# access-list 101 permit tcp any host 172.16.1.1 eq smtp
Router(config)# access-list 101 permit tcp any any eq domain
Router(config)# access-list 101 permit udp any any eq domain
Router(config)# access-list 101 permit icmp any any echo
Router(config)# access-list 101 permit icmp any any echo-reply

Step 2. Apply the ACL to an interface.

Router(config)# interface Serial0

Router(config-if)# ip access-group 101 in
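To see what the five entries above actually let through, the following is an added example (not Cisco IOS code and not part of the original chapter): a small Python evaluator for the extended-ACL subset used in this example. It parses entries of the form access-list N {permit|deny} {ip|tcp|udp|icmp} SRC DST [eq PORT | ICMP-MESSAGE], applies the wildcard-mask comparison, and walks the list with first-match semantics and the implicit deny at the end. The PORT_NAMES and ICMP_NAMES tables hold the IOS keywords used on this page with their well-known numeric values; the sample packets (addresses, ports, ICMP types) are constructed for the demonstration.

```python
"""Toy evaluator for the extended-ACL subset used in this chapter's example.
Illustrative code only (not Cisco IOS). Handles entries of the form
    access-list N {permit|deny} {ip|tcp|udp|icmp} SRC DST [eq PORT | ICMP-MESSAGE]
where SRC and DST are 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# IOS keywords used on this page, mapped to their well-known wire values.
PORT_NAMES = {"smtp": 25, "domain": 53}
ICMP_NAMES = {"echo": 8, "echo-reply": 0}
ALL_ONES = 0xFFFFFFFF


@dataclass
class Packet:
    proto: str            # 'tcp', 'udp' or 'icmp'
    src: str              # dotted-quad source address
    dst: str              # dotted-quad destination address
    dport: int = 0        # TCP/UDP destination port (ignored for icmp)
    icmp_type: int = -1   # ICMP type (ignored for tcp/udp)


@dataclass
class Ace:
    number: int
    action: str                 # 'permit' or 'deny'
    proto: str                  # 'ip', 'tcp', 'udp' or 'icmp'
    src_net: int
    src_wc: int
    dst_net: int
    dst_wc: int
    port: Optional[int]         # destination port from 'eq', or None
    icmp_type: Optional[int]    # ICMP type from a message keyword/number, or None


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _parse_addr(tokens: List[str], i: int):
    """Parse an address spec at tokens[i]; return (network, wildcard, next_index)."""
    if tokens[i] == "any":
        return 0, ALL_ONES, i + 1                 # all-ones wildcard: every bit is "don't care"
    if tokens[i] == "host":
        return _to_int(tokens[i + 1]), 0, i + 2   # all-zeros wildcard: exact host match
    return _to_int(tokens[i]), _to_int(tokens[i + 1]), i + 2


def _addr_match(addr: str, net: int, wildcard: int) -> bool:
    """Wildcard-mask comparison: a 1 bit in the wildcard means that bit is ignored."""
    care = ~wildcard & ALL_ONES
    return (_to_int(addr) & care) == (net & care)


def parse_ace(line: str) -> Ace:
    """Parse one numbered extended ACL entry (destination-side 'eq' operator only)."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACL entry: {line!r}")
    number, action, proto = int(t[1]), t[2], t[3]
    src_net, src_wc, i = _parse_addr(t, 4)
    dst_net, dst_wc, i = _parse_addr(t, i)
    port = icmp_type = None
    if proto in ("tcp", "udp") and i < len(t) and t[i] == "eq":
        port = PORT_NAMES[t[i + 1]] if t[i + 1] in PORT_NAMES else int(t[i + 1])
    elif proto == "icmp" and i < len(t):
        icmp_type = ICMP_NAMES[t[i]] if t[i] in ICMP_NAMES else int(t[i])
    return Ace(number, action, proto, src_net, src_wc, dst_net, dst_wc, port, icmp_type)


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """Return 'permit' or 'deny': the first matching entry wins, otherwise implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not _addr_match(pkt.src, ace.src_net, ace.src_wc):
            continue
        if not _addr_match(pkt.dst, ace.dst_net, ace.dst_wc):
            continue
        if ace.port is not None and pkt.dport != ace.port:
            continue
        if ace.icmp_type is not None and pkt.icmp_type != ace.icmp_type:
            continue
        return ace.action
    return "deny"   # the implicit deny at the end of every ACL


# The five entries from the chapter's example, as typed at Router(config)#.
ACL_101 = [parse_ace(line) for line in """
access-list 101 permit tcp any host 172.16.1.1 eq smtp
access-list 101 permit tcp any any eq domain
access-list 101 permit udp any any eq domain
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
""".strip().splitlines()]

# Constructed sample traffic (addresses, ports and ICMP types are made up).
SAMPLE_PACKETS = {
    "smtp to the mail host":        Packet("tcp", "10.1.1.1", "172.16.1.1", dport=25),
    "smtp to another host":         Packet("tcp", "10.1.1.1", "172.16.1.2", dport=25),
    "udp dns anywhere":             Packet("udp", "10.1.1.1", "192.0.2.53", dport=53),
    "icmp echo":                    Packet("icmp", "10.1.1.1", "172.16.1.1", icmp_type=8),
    "icmp destination unreachable": Packet("icmp", "10.1.1.1", "172.16.1.1", icmp_type=3),
    "ssh to the mail host":         Packet("tcp", "10.1.1.1", "172.16.1.1", dport=22),
}


def demo() -> dict:
    """Evaluate every sample packet against ACL 101 and return the decisions."""
    return {name: evaluate(ACL_101, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{decision:6s}  {name}")
```

Running it shows why the example's ACL behaves as the text describes: SMTP reaches only 172.16.1.1, DNS and echo/echo-reply pass from any source, and anything not named (SSH, ICMP unreachable, SMTP to any other host) falls through to the implicit deny. The _addr_match function is the wildcard-mask rule itself, so the same evaluator handles entries such as 10.0.0.0 0.255.255.255 that match a whole network.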