Instruction Manual

125 - 238 CCNA 2: Routers and Routing Basics v3.1 Instructor Guide – Module 11 Copyright © 2004, Cisco Systems, Inc.
11.2.2 Extended ACLs
Extended ACLs are used more often than standard ACLs because they provide a greater
range of control. Extended ACLs check the source and destination packet addresses and also
check for protocols and port numbers. This provides greater flexibility to define what the ACL
will filter. Packets can be permitted or denied based on where the packet originated and its
destination, or on the protocol type and port numbers. For a single ACL, multiple statements
may be configured. The syntax for an extended ACL statement can get very long and will
often wrap in the terminal window. In place of an explicit address and wildcard mask, the
host and any keywords may also be used in the command.
The extended ACL uses the source and destination address. Ask students what ports are
used for FTP, Telnet, SMTP, HTTP, and DNS. The students need to have these ports
memorized. The first part of the IP extended ACL is the same as the IP standard ACL. The
number is within the range of 100 to 199.
rt1(config)#access-list 101 ?
deny Specify packets to reject
dynamic Specify a DYNAMIC list of PERMITs or DENYs
permit Specify packets to forward
remark Access list entry comment
The permit or deny is the same as the standard.
rt1(config)#access-list 101 permit ?
<0-255> An IP protocol number
ahp Authentication Header Protocol
eigrp Cisco's EIGRP routing protocol
esp Encapsulation Security Payload
gre Cisco's GRE tunneling
icmp Internet Control Message Protocol
igmp Internet Gateway Message Protocol
igrp Cisco's IGRP routing protocol
ip Any Internet Protocol
ipinip IP in IP tunneling
nos KA9Q NOS compatible IP over IP tunneling
ospf OSPF routing protocol
pcp Payload Compression Protocol
pim Protocol Independent Multicast
tcp Transmission Control Protocol
udp User Datagram Protocol
In an extended ACL, the protocol is listed after the permit or deny statement. Then enter the
source address with the wildcard mask and destination address with the wildcard mask.
rt1(config)#access-list 101 permit tcp 172.16.0.1 0.0.0.0 192.168.0.0 0.0.255.255 ?
ack Match on the ACK bit
eq Match only packets on a given port number
established Match established connections
fin Match on the FIN bit
gt Match only packets with a greater port number
log Log matches against this entry
log-input Log matches against this entry, including input interface
lt Match only packets with a lower port number
neq Match only packets not on a given port number