Chapter 7 taught you the very basics of standard access control lists, and Chapter 8 is where you *really* learn about ACLs. The concepts are basically the same; the biggest issue with extended ACLs is remembering the exact order of the parameters in the command. Here are my Chapter 8 review notes:
Extended ACLs can match on more than the source address of a packet: source address, destination address, source port, destination port, and protocol type.
You can select TCP, UDP, or ICMP as the protocol type in an extended ACL. You can also use IP to select ALL IP packets.
When matching a single address, the host keyword is optional in a standard ACL but not in an extended ACL. Always use host for both and there will be no issue.
When using TCP or UDP you can optionally match on the port number as well.
Format of an extended ACL (the port keyword and port are optional and only apply to TCP or UDP):
access-list 101 permit protocol source_IP source_mask [keyword source_port] destination_IP destination_mask [keyword destination_port]
eq is equal to
ne is NOT equal to
lt is less than
gt is greater than
range allows a range of ports (low and high port given)
access-list 101 permit TCP 10.0.0.0 0.255.255.255 lt 2000 192.168.1.0 0.0.0.255 eq 80
would permit TCP traffic from 10.0.0.0/8 with a source port lower than 2000 to reach 192.168.1.0/24 on destination port 80.
Some well-known port numbers can be replaced with keywords. Examples:
telnet = port 23
www = port 80
pop3 = port 110
snmp = port 161
Using names instead of numbers makes it easier to identify the purpose of an ACL.
Named ACLs use ACL subcommands (one per entry, entered under the ip access-list command) instead of a separate global command for each entry in the ACL.
To create a named ACL use:
Router(config)#ip access-list [standard | extended] MyNamedAccessList
You can also create a numbered ACL with the ip access-list command instead of the access-list command; this gives you line (sequence) numbers and more robust editing.
When deleting an ACL, remove it from the interface first and then delete it.
The show running-config output always shows access lists in the old style.
To view the contents of an IP access list with line numbers use:
Router#show ip access-lists 101
Place more specific statements earlier in the ACL, since the first matching entry wins.
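To make the parameter order in the extended ACL format above and the first-match ordering rule concrete, here is an added example (my own code, not from the book): a small Python evaluator that parses access-list entries in that format, applies Cisco wildcard masks and the eq/ne/lt/gt/range port operators, and walks the list top-down with the implicit deny at the end. The host and any address keywords are standard IOS syntax; the sample ACL entries are constructed for the demonstration.

```python
import ipaddress

# Well-known port keywords IOS accepts in place of numbers (the ones listed in the notes).
NAMES = {"telnet": 23, "www": 80, "pop3": 110, "snmp": 161}
# Port operators: each takes (packet_port, low, high); only 'range' uses high.
OPS = {"eq": lambda p, a, b: p == a, "ne": lambda p, a, b: p != a,
       "lt": lambda p, a, b: p < a, "gt": lambda p, a, b: p > a,
       "range": lambda p, a, b: a <= p <= b}

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def parse_ace(line):
    """Parse 'access-list N permit|deny proto src mask [op port] dst mask [op port]'."""
    t = line.split()
    ace = {"number": t[1], "action": t[2], "proto": t[3].lower()}
    i = 4
    for side in ("src", "dst"):
        if t[i] == "host":                       # single address, wildcard 0.0.0.0
            ace[side], ace[side + "_wc"], i = t[i + 1], "0.0.0.0", i + 2
        elif t[i] == "any":                      # every address, wildcard 255.255.255.255
            ace[side], ace[side + "_wc"], i = "0.0.0.0", "255.255.255.255", i + 1
        else:                                    # explicit address followed by wildcard mask
            ace[side], ace[side + "_wc"], i = t[i], t[i + 1], i + 2
        if i < len(t) and t[i] in OPS:           # optional port qualifier (tcp/udp only)
            n = 2 if t[i] == "range" else 1
            ports = [NAMES[x] if x in NAMES else int(x) for x in t[i + 1:i + 1 + n]]
            ace[side + "_port"], i = (t[i], ports[0], ports[-1]), i + 1 + n
    return ace

def port_ok(spec, port):
    return spec is None or OPS[spec[0]](port, spec[1], spec[2])

def evaluate(acl, proto, src, sport, dst, dport):
    """Walk the ACL top-down: the first matching entry wins, no match is an implicit deny."""
    for ace in map(parse_ace, acl):
        if ace["proto"] not in ("ip", proto):    # 'ip' matches every IP protocol
            continue
        if not (wildcard_match(src, ace["src"], ace["src_wc"])
                and wildcard_match(dst, ace["dst"], ace["dst_wc"])):
            continue
        if port_ok(ace.get("src_port"), sport) and port_ok(ace.get("dst_port"), dport):
            return ace["action"]
    return "deny"

# Constructed sample ACL: the note's example entry, with a more specific deny placed first.
ACL_101 = [
    "access-list 101 deny tcp host 10.1.1.5 192.168.1.0 0.0.0.255 eq www",
    "access-list 101 permit tcp 10.0.0.0 0.255.255.255 lt 2000 192.168.1.0 0.0.0.255 eq 80",
]
```

Reversing the two entries lets 10.1.1.5 through, because the broad permit matches it before the specific deny is ever reached.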
Reflexive ACLs are essentially Stateful Packet Inspection (SPI), which most firewalls do by default.
Dynamic ACLs require a user to telnet to the router and authenticate; the router then changes the ACL to accommodate the request.
Time-based ACLs add a time constraint to a normal ACL.