An access-list (ACL) is an ordered set of rules for controlling network traffic and reducing exposure to network attacks. ACLs filter traffic entering or leaving a network interface according to the rules defined for that direction.
Extended Access-list –
This is the most commonly used type of access-list because it can distinguish between kinds of IP traffic, so, unlike a standard access-list, it does not have to permit or deny the whole traffic at once. Extended ACLs use both the source and destination IP address, and also the port numbers, to distinguish IP traffic, so we can state exactly which IP traffic should be allowed or denied. They use the number ranges 100-199 and 2000-2699.
- Extended access-lists are generally applied close to the source (but not always).
- In an extended access-list, packet filtering takes place on the basis of source IP address, destination IP address and port numbers.
- In an extended access-list, particular services are permitted or denied.
- Extended ACLs are created from the range 100 – 199, with the expanded range 2000 – 2699.
- If a numbered extended access-list is used, remember that individual rules can't be deleted: deleting one rule deletes the whole access-list.
- If a named extended access-list is used, we have the flexibility to delete a single rule from the access-list.
Here is a small topology with three departments: sales, finance and marketing. The sales department has the network 172.16.10.40/24, the finance department has 172.16.50.0/24 and the marketing department has 172.16.60.0/24. We want to deny FTP connections from the sales department to the finance department, and to deny telnet to the finance department from both the sales and marketing departments.
Standard Access-list –
These are the access-lists that are built using the source IP address only. They permit or deny the entire protocol suite; they don't distinguish between kinds of IP traffic such as TCP, UDP or HTTPS. When the numbers 1-99 or 1300-1999 are used, the router treats the list as a standard ACL and the specified address as a source IP address.
- Standard access-lists are generally applied close to the destination (but not always).
- In a standard access-list, a whole network or sub-network is denied.
- Standard access-lists use the range 1-99 and the expanded range 1300-1999.
- Standard access-lists are implemented using the source IP address only.
- If a numbered standard access-list is used, remember that individual rules can't be deleted: deleting one rule deletes the whole access-list.
- If a named standard access-list is used, you have the flexibility to delete a single rule from the access-list.
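The following Python model, added here as an illustration and not part of the original article or of any vendor software, shows the difference between the two ACL types described above by evaluating sample packets against them: rules are checked in order, the first match wins, and an unmatched packet hits the implicit deny at the end. The extended list implements the topology scenario (deny FTP from sales to finance, deny telnet to finance from sales and marketing, permit everything else); the standard list shows that blocking the sales source blocks every protocol at once. The list numbers 110 and 10, the sample packets, and the use of 172.16.10.0 0.0.0.255 for the sales network (the /24 that contains the article's 172.16.10.40) are assumptions made for the example; FTP control is matched on TCP port 21 and telnet on TCP port 23.

```python
"""Minimal model of Cisco-style ACL evaluation (constructed example).

Rules are evaluated top-down; the first matching rule decides; if nothing
matches, the packet is denied (the implicit "deny any" at the end of an ACL).
A standard ACL only looks at the source address; an extended ACL also checks
protocol, destination address and (optionally) destination port.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match exactly, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None   # destination port for tcp/udp, None otherwise


@dataclass
class Rule:
    action: str           # "permit" or "deny"
    src: str
    src_wc: str
    proto: str = "ip"     # "ip" matches every protocol; a standard ACL only uses this
    dst: str = "0.0.0.0"  # default destination "any"
    dst_wc: str = "255.255.255.255"
    dport: Optional[int] = None   # None means any destination port

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not wildcard_match(p.src, self.src, self.src_wc):
            return False
        if not wildcard_match(p.dst, self.dst, self.dst_wc):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


def evaluate(acl: List[Rule], p: Packet) -> str:
    """Return 'permit' or 'deny' for the packet; first match wins."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"   # implicit deny any at the end of every ACL


# Networks from the article's topology (sales network assumed as 172.16.10.0/24).
SALES = ("172.16.10.0", "0.0.0.255")
FINANCE = ("172.16.50.0", "0.0.0.255")
MARKETING = ("172.16.60.0", "0.0.0.255")
ANY = ("0.0.0.0", "255.255.255.255")

# Extended ACL 110 (assumed number): the scenario from the topology paragraph.
EXTENDED_110 = [
    Rule("deny", *SALES, proto="tcp", dst=FINANCE[0], dst_wc=FINANCE[1], dport=21),      # FTP sales->finance
    Rule("deny", *SALES, proto="tcp", dst=FINANCE[0], dst_wc=FINANCE[1], dport=23),      # telnet sales->finance
    Rule("deny", *MARKETING, proto="tcp", dst=FINANCE[0], dst_wc=FINANCE[1], dport=23),  # telnet marketing->finance
    Rule("permit", *ANY),                                                                 # everything else
]

# Standard ACL 10 (assumed number): source-only, so it blocks the whole suite from sales.
STANDARD_10 = [
    Rule("deny", *SALES),
    Rule("permit", *ANY),
]

# Constructed sample packets used to compare the two lists.
SAMPLE_PACKETS = {
    "sales ftp to finance": Packet("tcp", "172.16.10.5", "172.16.50.7", 21),
    "sales http to finance": Packet("tcp", "172.16.10.5", "172.16.50.7", 80),
    "sales ping to finance": Packet("icmp", "172.16.10.5", "172.16.50.7"),
    "marketing telnet to finance": Packet("tcp", "172.16.60.9", "172.16.50.7", 23),
    "marketing ftp to finance": Packet("tcp", "172.16.60.9", "172.16.50.7", 21),
}


def compare(acl_a: List[Rule], acl_b: List[Rule]) -> dict:
    """Decision of each ACL for every sample packet, keyed by packet name."""
    return {name: (evaluate(acl_a, p), evaluate(acl_b, p)) for name, p in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    print(f"{'packet':30} {'extended 110':14} {'standard 10'}")
    for name, (ext, std) in compare(EXTENDED_110, STANDARD_10).items():
        print(f"{name:30} {ext:14} {std}")
```

Running the block prints one row per sample packet. The extended list denies only the FTP and telnet flows named in the scenario and lets sales HTTP through, while the standard list denies HTTP and ICMP from sales as well, which is exactly why the article says a standard ACL permits or denies "the entire protocol suite". Swapping the `permit any` rule to the top of either list would make every later rule unreachable, which is the ordering point behind the "rules can't be deleted individually" caveat for numbered lists: editing one is really rebuilding the whole ordered list.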