Extended ACLs Different Application
Extended ACLs allow the router to analyse source/destination IP addresses and source/destination ports and Protocol type (such as ip, tcp and icmp). We can defined the traffic flow by this five factors. This poster focus on different application of extended ACLs.
1. Commonly Used
The following is commonly used statement for TCP access-list
ip access-list {extended|standard} name
permit|deny tcp source source-wildcard [operator [port]]
destination destination-wildcard [operator [port]] [established]
[precedence precedence] [tos tos] [log] [time-range time-range-name]
2. For Distribute-List
When extended access-lists called as a distribute-list in IGP, the “source” field in the ACL matches the update source of the route, and the “destination field represents the network address. For example,
access-list 101 deny ip host 192.168.50.4 host 10.2.106.0
The configuration is basically meaning that, deny 10.2.106.0 network which is advertised from 192.168.50.4 route.
3. For Redistribution
When extended access-lists called as a redistribution or as in BGP, the “source” field in the ACL represents the network address, and the “destination” field represents the subnet mask. For example,
ip access-list extended RIP-IN
permit ip 192.168.0.0 0.0.255.255 host 255.255.255.0
!
route-map RIP->OSPF
match ip address RIP-IN
!
router ospf 1
redistribute rip subnets route-map RIP->OSPF
The configuration is meaning that, when redistribute RIP into OSPF, only allow “192.168.0.0 network which has 255.255.255.0 subnet mask” in.
Another simple case is like this: Allow only 10.0.0.0 from host 1.2.3.4
- prefix gateway
ip prefix ROUTE permit 10.0.0.0/8
ip prefix SOURCE permit 1.2.3.4/32
distribute-list prefix ROUTE gateway SOURCE in
- Exteded access-list
access-list 101 permit ip host 1.2.3.4 host 10.0.0.0
distribute-list 101 in
