24 Extended access control lists

This chapter covers

  • The various parameters extended access control lists use to match packets
  • Configuring extended numbered and named ACLs
  • Editing ACLs by deleting and resequencing ACEs

In the previous chapter, we covered standard ACLs, which filter packets based on a single parameter: the source IP address. Although standard ACLs have their uses, they are a blunt instrument; they don’t provide precise control over exactly which kinds of traffic are permitted and denied. Extended ACLs, the topic of this chapter, are a more precise tool: they allow you to filter packets based on many more parameters, providing more granular control over traffic.

Although extended ACLs can be more complex than standard ACLs, the good news is that the fundamentals of how ACLs work, as we covered in the previous chapter, remain the same. Like standard ACLs, the access control entries (ACEs) of an extended ACL are processed in order from top to bottom. Extended ACLs include an implicit deny that discards all traffic that isn’t matched by an explicitly configured ACE. Extended ACLs also need to be applied to an interface in the inbound and/or outbound directions to take effect.
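To make those rules concrete before the configuration sections, here is an added Python model of how an extended ACL is evaluated; it is example code written for this edit, not code from the book or from Cisco IOS. It parses a simplified form of the IOS extended ACE syntax (sequence number, permit/deny, protocol, source and destination with wildcard masks or the `host`/`any` keywords, and an optional `eq <port>`), then evaluates packets against the ACEs in sequence order with first match wins and an implicit deny at the end. The ACL name `BRANCH_IN`, the addresses, and the packets are constructed for illustration; the inbound/outbound interface direction is not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    protocol: str               # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

@dataclass(frozen=True)
class ACE:
    seq: int
    action: str                 # "permit" or "deny"
    protocol: str               # "ip" matches every protocol
    src: str
    src_wildcard: str           # Cisco wildcard mask: 0 bits must match, 1 bits are "don't care"
    dst: str
    dst_wildcard: str
    src_port: Optional[int] = None   # "eq <port>" after the source address
    dst_port: Optional[int] = None   # "eq <port>" after the destination address

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr equals base on every bit that is 0 in the wildcard mask."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def _take_address(tokens: List[str]) -> Tuple[str, str, List[str]]:
    # 'any' and 'host X' are shorthand for the two extreme wildcard masks
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]

def _take_port(tokens: List[str]) -> Tuple[Optional[int], List[str]]:
    # only the 'eq' operator is supported in this simplified parser
    if tokens[:1] == ["eq"]:
        return int(tokens[1]), tokens[2:]
    return None, tokens

def parse_ace(line: str) -> ACE:
    """Parse '<seq> permit|deny <proto> <src> [eq N] <dst> [eq N]' (simplified IOS syntax)."""
    tokens = line.split()
    seq, action, protocol = int(tokens[0]), tokens[1], tokens[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in ACE: {line!r}")
    src, src_wc, rest = _take_address(tokens[3:])
    sport, rest = _take_port(rest)
    dst, dst_wc, rest = _take_port_free_address(rest)
    dport, rest = _take_port(rest)
    if rest:
        raise ValueError(f"unsupported tokens {rest} in ACE: {line!r}")
    return ACE(seq, action, protocol, src, src_wc, dst, dst_wc, sport, dport)

def _take_port_free_address(tokens: List[str]) -> Tuple[str, str, List[str]]:
    return _take_address(tokens)

def ace_matches(ace: ACE, pkt: Packet) -> bool:
    if ace.protocol != "ip" and ace.protocol != pkt.protocol:
        return False
    if not wildcard_match(pkt.src, ace.src, ace.src_wildcard):
        return False
    if not wildcard_match(pkt.dst, ace.dst, ace.dst_wildcard):
        return False
    if ace.src_port is not None and pkt.src_port != ace.src_port:
        return False
    if ace.dst_port is not None and pkt.dst_port != ace.dst_port:
        return False
    return True

def evaluate(acl: List[ACE], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Top-to-bottom, first match wins; no match falls through to the implicit deny (seq None)."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace_matches(ace, pkt):
            return ace.action, ace.seq
    return "deny", None

# Constructed example ACL: HTTPS to one server allowed, Telnet anywhere blocked, the rest permitted
BRANCH_IN_CONFIG = """
10 permit tcp 10.0.1.0 0.0.0.255 host 10.0.2.10 eq 443
20 deny tcp 10.0.1.0 0.0.0.255 any eq 23
30 permit ip 10.0.1.0 0.0.0.255 any
"""
BRANCH_IN = [parse_ace(l) for l in BRANCH_IN_CONFIG.strip().splitlines()]

if __name__ == "__main__":
    for pkt in (Packet("tcp", "10.0.1.5", "10.0.2.10", 40000, 443),
                Packet("tcp", "10.0.1.5", "10.0.2.10", 40001, 23),
                Packet("icmp", "10.0.1.5", "10.0.2.10"),
                Packet("tcp", "10.0.3.5", "10.0.2.10", 40002, 443)):
        print(pkt, "->", evaluate(BRANCH_IN, pkt))
```

The order sensitivity the paragraph describes is visible by swapping sequence numbers 20 and 30: the broad `permit ip` then shadows the Telnet deny, and a Telnet packet is permitted by the earlier entry, which is exactly the kind of mistake the resequencing section later in the chapter is about.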

24.1 Configuring extended ACLs

24.1.1 Matching protocol, source, and destination

24.1.2 Matching TCP/UDP port numbers

24.2 Example security requirements

24.3 Editing ACLs

24.3.1 Deleting ACEs

24.3.2 Resequencing ACEs

Summary