Standard vs Extended Access list? What's the difference?

JoloNation Member Posts: 7
Hi guys.

I just wanna clarify things up. The way I understand the 2 access lists is like this.. Ready?

Correct me if I'm wrong. I really appreciate the criticism and help.

standard access-list - you can permit the IP address but you can't control the destination.
extended access list - you can permit/block the IP at the same time you can control the destination of the source.

If you can give me an example, much better! Thank you and God Bless guys!
More Power. :)

Comments

  • DevilWAH Member Posts: 2,997
    JoloNation wrote: »
    Hi guys.

    I just wanna clarify things up. The way I understand the 2 access lists is like this.. Ready?

    Correct me if I'm wrong. I really appreciate the criticism and help.

    standard access-list - you can permit the IP address but you can't control the destination.
    extended access list - you can permit/block the IP at the same time you can control the destination of the source.

    If you can give me an example, much better! Thank you and God Bless guys!
    More Power. :)


    With standard you are right, it's pretty much that you are controlling based on source.

    With extended you can do more, though, than just source and destination. You can also control based on UDP/TCP port numbers as well as a number of other values.

    Standard IP access list 1
    10 permit 149.1.25.36
    20 permit 149.1.25.37

    So this will only permit traffic from the two IP addresses (remember there is a default deny all at the end of an access list). But standard access lists are always just "line number -- permit/deny -- source IP address -- [log]"


    Extended IP access list Lync-Video
    10 deny ip host 149.1.63.45 any
    20 deny ip any host 149.45.21.5
    30 permit udp any range 20040 20079 any range 20040 20079
    40 permit tcp any range 20040 20079 any range 20040 20079

    This will deny IP traffic from host 149.1.63.45 to anything else
    and deny traffic to IP address 149.45.21.5 from anywhere.

    It will also permit any host to talk to any host over the stated UDP and TCP ports; again, everything else is denied by the default deny statement.

    So extended is exactly what it says, taking the basic idea of an access list (they are structured identically), but giving more granular control on the data you are permitting / denying.

    Format is

    "[seq number] -- permit/deny -- protocol -- source -- destination -- [port] -- [log]" (there are more choices than this, but this is a good basic syntax to remember)
    • If you can't explain it simply, you don't understand it well enough. Albert Einstein
    • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.
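The first-match behaviour and default deny described in the post above, as an added example that is not part of the original thread: a small Python evaluator for the Lync-Video list as posted. It handles only the `any` / `host` / wildcard and `eq` / `range` forms, and the packet addresses used to exercise it (10.1.1.1, 10.2.2.2) are constructed sample values.

```python
import ipaddress

# ACL text copied from the post above ("show access-lists" form).
LYNC_VIDEO = """\
10 deny ip host 149.1.63.45 any
20 deny ip any host 149.45.21.5
30 permit udp any range 20040 20079 any range 20040 20079
40 permit tcp any range 20040 20079 any range 20040 20079
"""

def _addr(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (address, wildcard) ints."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.IPv4Address(tok.pop(0))), 0
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tok.pop(0)))

def _ports(tok):
    """Consume an optional 'eq N' | 'range LO HI'; return inclusive (lo, hi)."""
    if tok and tok[0] == "eq":
        _, n = tok.pop(0), int(tok.pop(0))
        return n, n
    if tok and tok[0] == "range":
        _, lo, hi = tok.pop(0), int(tok.pop(0)), int(tok.pop(0))
        return lo, hi
    return 0, 65535

def parse(text):
    """Parse extended ACL lines into entries ordered by sequence number."""
    entries = []
    for tok in (l.split() for l in text.splitlines() if l.strip()):
        seq, action, proto = int(tok.pop(0)), tok.pop(0), tok.pop(0)
        src, sports = _addr(tok), _ports(tok)
        dst, dports = _addr(tok), _ports(tok)
        entries.append((seq, action, proto, src, sports, dst, dports))
    return sorted(entries)

def evaluate(acl, proto, src, sport, dst, dport):
    """Return (action, seq) of the first matching entry, else the default deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for seq, action, p, (sa, sw), (slo, shi), (da, dw), (dlo, dhi) in acl:
        addr_ok = not ((s ^ sa) & ~sw & 0xFFFFFFFF or (d ^ da) & ~dw & 0xFFFFFFFF)
        port_ok = p == "ip" or (slo <= sport <= shi and dlo <= dport <= dhi)
        if p in ("ip", proto) and addr_ok and port_ok:
            return action, seq
    return "deny", None  # no entry matched: default deny at the end of the list
```

Calling `evaluate(parse(LYNC_VIDEO), "udp", "149.1.63.45", 20050, "10.2.2.2", 20060)` returns `("deny", 10)`: the ports fall inside the permitted range, but entry 10 matches first, so the later permit is never reached.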
  • DevilWAH Member Posts: 2,997
    Oh and also look at using IP access lists where you can.

    While the syntax and structure is pretty much identical, the big difference is the ability to number the lines and insert and remove without recreating the whole list each time. Very good when working with large lists. You can also use names on IP access lists (as you can see in my last post), which makes it easier to follow what each one is for.

    (Note: in later versions of IOS, on Cisco at least, you can treat standard access lists like IP access lists and they are completely interchangeable, so you can add and subtract statements on the fly.)

    Entering the commands

    #ip access-list extended Lync-Video
    #10 permit ip any any log
    #20 deny udp host 12.15.36.45 any
    #no 10
    #10 permit ip host 14.26.35.15 host 8.8.8.8
    #15 permit udp host 12.15.36.45 eq 53 any log

    would result in an access list of

    10 permit ip host 14.26.35.15 host 8.8.8.8
    15 permit udp host 12.15.36.45 eq 53 any log
    20 deny udp host 12.15.36.45 any