Standard vs. Extended Access Lists (ACL)

There are 2 kinds of ACLs:

Standard & Extended

Standard lists match on source address only, so they are placed close to the destination

Extended lists match on source, destination, protocol and port, so they are placed close to the source

To see your current access lists, type (from privileged EXEC mode; in config mode prefix the command with do):

Router# show access-lists
Router(config)# do show access-lists

Standard


Extended

First you must create an access list by giving it a number (or a name). I am calling this access list 101. Remember you can have 1 access list per interface (port), per protocol, per direction.

access-list 101 permit protocol source-ip wildcard-mask destination-ip wildcard-mask [eq port]

Then apply it to an interface, in interface configuration mode (the interface name is an example):

interface FastEthernet0/0
 ip access-group 101 in
 ip access-group 102 out

[ ] = optional; protocol options: ip, tcp, udp, icmp. Entries are checked top to bottom and the first match wins. Every list ends with an implicit deny any, so a list that contains only deny statements blocks all traffic unless you finish it with an explicit permit (for example permit ip any any).

(Here are some more examples)

access-list 101 deny tcp 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
// wildcard masks are the inverse of subnet masks (0.0.0.255 matches a /24, 0.0.255.255 a /16)
        (this example would stop any computer that starts with 192.168.0.x from sending TCP traffic to any device with 192.168.2.x)

access-list 101 deny icmp 10.1.0.0 0.0.255.255 172.16.5.0 0.0.0.255
        (this example would stop any computer that starts with 10.1.x.x from sending ICMP traffic to any device with 172.16.5.x)

access-list 101 deny udp 10.1.0.0 0.0.255.255 172.16.5.0 0.0.0.255
        (this example would stop any computer that starts with 10.1.x.x from sending UDP traffic to any device with 172.16.5.x)

access-list 101 deny ip 10.1.0.0 0.0.255.255 172.16.5.0 0.0.0.255
        (this example would stop any computer that starts with 10.1.x.x from sending any IP packet to any device with 172.16.5.x)
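To check how wildcard masks, first-match ordering and the implicit deny work before pushing a list to a router, here is an added example (not from the original post) that parses extended access-list lines and evaluates sample packets against them. The sample config and the packets are constructed for the example.

```python
import ipaddress

def wildcard_mask(prefix_len: int) -> str:
    """Wildcard masks are the bitwise inverse of the subnet mask: /24 -> 0.0.0.255."""
    subnet = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(subnet ^ 0xFFFFFFFF))

def _addr_matches(addr: str, base: str, wildcard: str) -> bool:
    # A set bit in the wildcard means "don't care" for that bit of the address.
    wc = int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) | wc) == (int(ipaddress.IPv4Address(base)) | wc)

def _parse_target(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_acl(config: str, number: str):
    """Collect the 'access-list <number> ...' lines of one extended ACL, in order."""
    entries = []
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[:2] != ["access-list", number]:
            continue
        action, proto = tokens[2], tokens[3]
        src, rest = _parse_target(tokens[4:])
        dst, _ = _parse_target(rest)          # any trailing 'eq <port>' is ignored here
        entries.append((action, proto, src, dst))
    return entries

def evaluate(entries, proto: str, src: str, dst: str) -> str:
    """First matching entry wins; with no match the list ends in the implicit deny."""
    for action, e_proto, (s_base, s_wc), (d_base, d_wc) in entries:
        if e_proto not in ("ip", proto):      # 'ip' entries match every protocol
            continue
        if _addr_matches(src, s_base, s_wc) and _addr_matches(dst, d_base, d_wc):
            return action
    return "deny"                              # implicit deny any at the end of every ACL

# Constructed sample config: two of the post's deny lines followed by an explicit permit.
SAMPLE_CONFIG = """
access-list 101 deny tcp 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny icmp 10.1.0.0 0.0.255.255 172.16.5.0 0.0.0.255
access-list 101 permit ip any any
"""
ACL_101 = parse_acl(SAMPLE_CONFIG, "101")
```

Evaluating `ACL_101[:2]` (the list without its final permit) returns "deny" for every packet, which is the implicit-deny trap the text warns about.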


About spuder
spuder is a "super computer" support engineer by day, and tinkerer / hobbyist by night.

One Response to Standard vs. Extended Access Lists (ACL)

  1. Michael says:

    “Show” commands are not used in router (config)# mode.
    “do show” would work.
