Extended Access Control Lists, syntax of access-list IOS command to create an Extended Access Control List (ACL)
Standard Access Control Lists can filter IP traffic based ONLY on the source IP address in the IP header of a packet.
Extended Access Control Lists can filter traffic based on many other factors:
• Source and destination IP addresses.
• Protocol: IP, TCP, UDP, ICMP, etc.
• Protocol information: port numbers for TCP and UDP, or message types for ICMP.
Extended Access Control Lists are created with the "access-list" IOS global configuration command. The syntax of the "access-list" command to create an Extended Access Control List is shown below.
Router(config)# access-list [Access_list_number] permit|deny
IP_protocol
source_address source_wildcard_mask
[source_protocol_information]
destination_address destination_wildcard_mask
[destination_protocol_information] [log]
Access_list_number: For Extended Access Control List, Access list number must be between 100–199 or 2000–2699.
permit | deny: Whether to permit or deny traffic.
IP_protocol: The protocol to match. Keywords include ip, icmp, tcp, udp, gre, igrp, eigrp, igmp, ipinip, nos and ospf; a protocol number from 0 to 255 can be given instead. An entry for ip matches every protocol, so permit ip and deny ip entries act as catch-alls for the addresses they cover.
source_address: Source IP address.
source_wildcard_mask: Source wildcard mask, also called an inverse mask (see the wildcard mask note below).
source_protocol_information: Optional source protocol information, such as a TCP or UDP port match (eq, neq, lt, gt or range followed by a port number or name). ICMP entries carry no source protocol information.
destination_address: Destination IP address.
destination_wildcard_mask: Destination wildcard mask, also called an inverse mask (see the wildcard mask note below).
destination_protocol_information: Optional destination protocol information, such as a TCP or UDP port match (eq 80, for example) or an ICMP message type such as echo or echo-reply.
log: Optional. Generates an informational log message when a packet matches the entry; the message goes to the console and to any syslog server according to the router's logging configuration. IOS logs the first matching packet and then a summary every five minutes with the count of packets permitted or denied in that interval, so the log is a sample rather than a per-packet record. The implicit deny at the end of every ACL logs nothing, so an explicit deny ip any any log entry is needed to see what is being dropped.
wildcard mask: Instead of specifying a single IP address, you can permit or deny whole networks or parts of them by using a wildcard mask, also known as an inverse mask. A 0 bit in the mask means the corresponding address bit must match exactly, and a 1 bit means it is ignored, so 192.168.10.0 0.0.0.255 covers the entire 192.168.10.0/24 network. The address and wildcard mask pair can be replaced by the keyword host A.B.C.D (equivalent to A.B.C.D 0.0.0.0, a single host) or any (equivalent to 0.0.0.0 255.255.255.255, every address).
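The following Python is an added illustration (not from the original page and not Cisco code): it parses ACL lines written in the syntax above and evaluates packets against them the way the router does, top to bottom with the first matching entry deciding, and with a packet that matches no entry falling through to the implicit deny ip any any. It handles only a subset of the IOS grammar (ip, icmp, tcp and udp; host, any and address/wildcard pairs; eq and range port matches; a few ICMP type and port names; log). The ACL text, addresses and packets are constructed for the example, as are all function names.

```python
"""Added example (not Cisco's code): parse numbered extended ACL lines in the
syntax above and evaluate packets top-down, first match wins, down to the implicit
deny. Subset of IOS keywords only; the ACL text and packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTO_KEYWORDS = ("ip", "icmp", "tcp", "udp")
ICMP_TYPES = {"echo": 8, "echo-reply": 0, "unreachable": 3}  # subset of IOS names
PORT_NAMES = {"www": 80, "domain": 53, "ssh": 22, "ftp": 21}  # subset of IOS names

def ip_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))

def wildcard_match(addr: int, base: int, wildcard: int) -> bool:
    """A 0 bit in the wildcard must match exactly; a 1 bit is ignored."""
    return ((addr ^ base) & ~wildcard & 0xFFFFFFFF) == 0

@dataclass
class Ace:
    action: str
    proto: str
    src: Tuple[int, int]                 # (address, wildcard) as 32-bit integers
    src_port: Optional[Tuple[int, int]]  # inclusive (low, high) or None
    dst: Tuple[int, int]
    dst_port: Optional[Tuple[int, int]]  # TCP/UDP ports or ICMP type
    log: bool

def _take_addr(tok: List[str]) -> Tuple[int, int]:
    t = tok.pop(0)
    if t == "any":                   # shorthand for 0.0.0.0 255.255.255.255
        return (0, 0xFFFFFFFF)
    if t == "host":                  # shorthand for A.B.C.D 0.0.0.0
        return (ip_int(tok.pop(0)), 0)
    return (ip_int(t), ip_int(tok.pop(0)))

def _port(name: str) -> int:
    return PORT_NAMES[name] if name in PORT_NAMES else int(name)

def _take_match(tok: List[str], proto: str) -> Optional[Tuple[int, int]]:
    """Optional protocol information: eq/range for tcp and udp, a type name for icmp."""
    if proto in ("tcp", "udp") and tok and tok[0] == "eq":
        lo = hi = _port(tok[1])
        del tok[:2]
        return (lo, hi)
    if proto in ("tcp", "udp") and tok and tok[0] == "range":
        lo, hi = _port(tok[1]), _port(tok[2])
        del tok[:3]
        return (lo, hi)
    if proto == "icmp" and tok and tok[0] in ICMP_TYPES:
        t = ICMP_TYPES[tok.pop(0)]
        return (t, t)
    return None

def parse_ace(line: str) -> Tuple[int, Ace]:
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    number = int(tok[1])
    if not (100 <= number <= 199 or 2000 <= number <= 2699):
        raise ValueError(f"{number} is not an extended ACL number")
    action, proto, rest = tok[2], tok[3], tok[4:]
    if action not in ("permit", "deny") or proto not in PROTO_KEYWORDS:
        raise ValueError("bad action or protocol: " + line)
    src = _take_addr(rest)
    src_port = _take_match(rest, proto) if proto != "icmp" else None  # ICMP has no source info
    dst = _take_addr(rest)
    dst_port = _take_match(rest, proto)
    log = rest == ["log"]
    if rest and not log:
        raise ValueError("unrecognised tokens: " + " ".join(rest))
    return number, Ace(action, proto, src, src_port, dst, dst_port, log)

def parse_acl(text: str) -> List[Ace]:
    """Parse the lines of one numbered ACL, keeping their configured order."""
    return [parse_ace(line)[1] for line in text.strip().splitlines()]

def _in(rng: Optional[Tuple[int, int]], value: Optional[int]) -> bool:
    return rng is None or (value is not None and rng[0] <= value <= rng[1])

def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             sport: Optional[int] = None, dport: Optional[int] = None):
    """Returns (action, index, log). index None means no entry matched and the
    packet hit the implicit 'deny ip any any', which never logs."""
    for i, ace in enumerate(acl):
        if (ace.proto in ("ip", proto)
                and wildcard_match(ip_int(src), *ace.src)
                and wildcard_match(ip_int(dst), *ace.dst)
                and _in(ace.src_port, sport) and _in(ace.dst_port, dport)):
            return ace.action, i, ace.log
    return "deny", None, False

# Constructed policy: the 192.168.10.0/24 LAN reaches the web server on 80/443,
# anyone may query DNS, the LAN may ping the server subnet; all else is denied
# explicitly so that the drops are logged.
ACL_TEXT = """
access-list 110 permit tcp 192.168.10.0 0.0.0.255 host 10.1.1.5 eq 80
access-list 110 permit tcp 192.168.10.0 0.0.0.255 host 10.1.1.5 eq 443
access-list 110 permit udp any host 10.1.1.53 eq domain
access-list 110 permit icmp 192.168.10.0 0.0.0.255 10.1.1.0 0.0.0.255 echo
access-list 110 deny ip any any log
"""
```

Two things the evaluator makes visible that the syntax alone does not: order matters, because a broad permit placed above a narrower deny shadows it for good, and the trailing deny ip any any log exists only so that rejected traffic shows up in the log (remove it and the same packets are still dropped by the implicit deny, silently). On a real router the list does nothing until it is bound to an interface with ip access-group 110 in or out.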