ACL Standard, Extended and Named difference

SOURCE:
http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html#standacl
http://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html

Standard ACL
A standard ACL can match traffic on its source address only. This is rather limiting, but in many situations it is all that is required.
-Standard numbers: 1–99 and 1300–1999
-Syntax
router(config)#access-list access-list-number {permit | deny} {source [source-wildcard] | host hostname | any}
or
router(config)#ip access-list standard {access-list-name}
router(config-std-nacl)# [sequence-number] {permit | deny} {source [source-wildcard] | host hostname | any}
Example:
192.168.1.0/24 —F0/0 RTR F0/1 —172.16.1.0/24
In this example the router needs an access list that blocks the traffic entering the f0/0 interface from the 192.168.1.0/24 network. The access list itself is configured first; here access list number 10 is used.
router(config)#access-list 10 deny 192.168.1.0 0.0.0.255
The second step is to apply the access list to the correct interface. Because a standard access list matches only on source address, it should be applied as close to the destination as possible, so it goes outbound on f0/1, and the number in the access-group command must be the one configured above. Remember that every ACL ends with an implicit deny, so a list that contains only this deny statement blocks all traffic leaving f0/1; add a permit any line if only 192.168.1.0/24 is meant to be blocked.
router(config)#interface f0/1
router(config-if)#ip access-group 10 out

Extended ACL
Unlike a standard ACL, an extended ACL is far more flexible in matching traffic: it can match on protocol, source and destination address, source and destination port, and other criteria such as whether a TCP connection is already established.
-Extended numbers: 100–199 and 2000–2699
-Example:
interface ethernet0/0
ip access-group 101 in
!permit ports
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp any any eq 21
!permit dns
access-list 101 permit udp any any eq domain
access-list 101 permit udp any eq domain any
access-list 101 permit tcp any any eq domain
access-list 101 permit tcp any eq domain any
!permit routing updates
access-list 101 permit udp any any eq rip
access-list 101 permit eigrp any any
access-list 101 permit ospf any any
!permit bgp
access-list 101 permit tcp any any eq 179
access-list 101 permit tcp any eq 179 any

Named ACL
Access lists are identified by names rather than numbers
Names are case-sensitive
The number ranges no longer impose a limit
Advantage: the ACL can be edited in place, i.e. a specific statement can be removed from the ACL without rebuilding it
Supported on IOS 11.2 or later

Lab example. We will create a named ACL that
-only allows HTTP access from the 13.0.0.0 subnet to the 34.0.0.2 server
-only allows HTTPS access from the 23.0.0.0 subnet to the 34.0.0.2 server


SVR1:
hostname SVR1
interface Ethernet0/0
ip address 34.0.0.2 255.255.255.0
ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 34.0.0.1

SW1:
hostname SW1
interface Ethernet0/0
ip address 34.0.0.1 255.255.255.0
ip access-group WEB out
interface Ethernet0/2
ip address 13.0.0.1 255.255.255.0
interface Ethernet0/3
ip address 23.0.0.1 255.255.255.0
ip access-list extended WEB
permit tcp 23.0.0.0 0.0.0.255 host 34.0.0.2 eq 443
permit tcp 13.0.0.0 0.0.0.255 host 34.0.0.2 eq www
permit icmp any any echo
permit icmp any any echo-reply
deny tcp any any

PC1:
hostname PC1
interface Ethernet0/0
ip address 13.0.0.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 13.0.0.1

PC2:
hostname PC2
interface Ethernet0/0
ip address 23.0.0.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 23.0.0.1

Verification
PC1:
PC1#telnet 34.0.0.2 80
Trying 34.0.0.2, 80 ... Open
PC1#telnet 34.0.0.2 443
Trying 34.0.0.2, 443 ...
% Destination unreachable; gateway or host down

PC2:
PC2#telnet 34.0.0.2 443
Trying 34.0.0.2, 443 ... Open
PC2#telnet 34.0.0.2 80
Trying 34.0.0.2, 80 ...
% Destination unreachable; gateway or host down
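To make the first-match and implicit-deny behaviour behind the standard ACL 10 of the first section, the extended ACL 101 and the lab's named ACL WEB concrete, here is an added Python model of IOS ACL evaluation. It is not code from the page or from Cisco: it parses the page's own access-list lines, applies Cisco wildcard-mask matching and evaluates constructed sample packets against them. PORT_NAMES, Packet, Entry, SAMPLE_CONFIG and web_decision are names chosen for this example, and the packets are constructed to mirror the telnet tests above.

```python
# Added example (not from the page or from Cisco): a small model of IOS ACL evaluation.
# Entries are checked top to bottom, the first match decides, and a packet that matches
# nothing hits the implicit "deny any" that ends every list.
import ipaddress
from collections import namedtuple

PORT_NAMES = {"www": 80, "telnet": 23, "smtp": 25, "pop3": 110,
              "domain": 53, "rip": 520, "bgp": 179, "ftp": 21}  # keywords from the page
ANY = ("0.0.0.0", "255.255.255.255")  # network plus all-ones wildcard

# proto is "tcp", "udp", "icmp" or "ip"; icmp_type is "echo", "echo-reply", ...
Packet = namedtuple("Packet", "proto src dst sport dport icmp_type", defaults=(None,) * 3)
# src/dst are (network, wildcard) pairs; proto is "ip" for standard-ACL entries.
Entry = namedtuple("Entry", "action proto src sport dst dport icmp_type text")

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    a, n = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)

def _parse_addr(t, i):
    """Consume 'any', 'host A' or 'A WILDCARD' starting at token t[i]."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2

def _parse_port(t, i):
    """Consume an optional 'eq PORT' qualifier (port number or keyword)."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i

def parse_entry(t, standard, text):
    """t = tokens after the list number/name, e.g. ['permit', 'tcp', 'any', ...]."""
    if standard:  # a standard ACL matches on the source address only
        return Entry(t[0], "ip", _parse_addr(t, 1)[0], None, ANY, None, None, text)
    src, i = _parse_addr(t, 2)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    icmp_type = t[i] if t[1] == "icmp" and i < len(t) else None
    return Entry(t[0], t[1], src, sport, dst, dport, icmp_type, text)

def parse_config(config):
    """Collect numbered and named ACLs from IOS-style config into {name: [Entry]}."""
    acls, current = {}, None  # current = (name, is_standard) inside 'ip access-list'
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        t = line.split()
        if t[0] == "access-list":  # numbered: the number range tells standard from extended
            standard = 1 <= int(t[1]) <= 99 or 1300 <= int(t[1]) <= 1999
            acls.setdefault(t[1], []).append(parse_entry(t[2:], standard, line))
            current = None
        elif t[:2] == ["ip", "access-list"]:
            current = (t[3], t[2] == "standard")
            acls.setdefault(t[3], [])
        elif current and (t[0] in ("permit", "deny") or t[0].isdigit()):
            body = t[1:] if t[0].isdigit() else t  # optional leading sequence number
            acls[current[0]].append(parse_entry(body, current[1], line))
        else:
            current = None  # any other command leaves the ACL sub-mode
    return acls

def evaluate(entries, pkt):
    """Return (action, matching line) for pkt; the implicit deny is the last resort."""
    for e in entries:
        if e.proto not in ("ip", pkt.proto):
            continue
        if not (wildcard_match(pkt.src, *e.src) and wildcard_match(pkt.dst, *e.dst)):
            continue
        if e.sport is not None and e.sport != pkt.sport:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        if e.icmp_type is not None and e.icmp_type != pkt.icmp_type:
            continue
        return e.action, e.text
    return "deny", "implicit deny at end of list"

# Constructed sample: the page's standard ACL 10 and the lab's named ACL WEB from SW1.
SAMPLE_CONFIG = """
access-list 10 deny 192.168.1.0 0.0.0.255
ip access-list extended WEB
 permit tcp 23.0.0.0 0.0.0.255 host 34.0.0.2 eq 443
 permit tcp 13.0.0.0 0.0.0.255 host 34.0.0.2 eq www
 permit icmp any any echo
 permit icmp any any echo-reply
 deny tcp any any
"""
ACLS = parse_config(SAMPLE_CONFIG)

def web_decision(src, dport):
    """What ACL WEB (out on SW1 E0/0) does to a TCP SYN from src to the server."""
    return evaluate(ACLS["WEB"], Packet("tcp", src, "34.0.0.2", 50000, dport))[0]
```

Calling web_decision for the four telnet tests above gives permit, deny, permit, deny, matching the verification output. Two things the model makes visible that the configs alone do not: the final deny tcp any any in ACL WEB is redundant with the implicit deny but documents the intent, and non-TCP traffic other than ICMP echo and echo-reply (UDP, for instance) is dropped by that implicit deny as well; likewise the standard ACL 10 from the first section, which contains only a deny line, denies every source once applied, so a trailing access-list 10 permit any is needed if only 192.168.1.0/24 is to be blocked.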
