The standard version filters IP packets based on the source only, while the extended IP ACLs filter packets based on more attributes such as destination/ source IP, protocol type, source/destination TCP/UDP ports as well as ICMP, IGMP message types.
There are specific syntaxes for creating an access list in a router for the standard, extended formats. In the lists can also be numbered or named as well as the option of leaving a comment on it for purposes of easier editing and viewing.
I.E. standard numbered ACL format - access-list access-list-number {deny | permit} source [source-wildcard]
extended named ACL format - ip access-list extended access-list-name
remark syntax - remark user-input
Access lists are also able to perform directional filtering depending on how they are configured. The two directions are inbound and outbound; for data that flows into the router interface and data that flows away from the router interface.
The syntax for configuring the direction in ACLs would be the adding of an in or out word at the end of an ACL.
i.e. - access-list access-list-number {deny | permit} source [source-wildcard] { in | out }
Defining inbound or outbound traffic looks like it is some common sense thing but, it is quite confusing to apply. Also, configuring ACL for router is not ideal because a router a firewall can do a better job. The main reason for using ACL on router would be those small companies who can't afford a firewall.
ReplyDeleteHi bingjie, i have read your post on Access Control Lists. I can fully understand the content of your post so i think its very well-written and its clear enough. I also learned how to use the different ACLs ( standard & extended ) after your post gave the syntax command for it.
ReplyDelete