Cisco Systems CCNA 2 manual Extended ACLs, Rt1config#access-list 101 ?

11.2.2 Extended ACLs

Extended ACLs are used more often than standard ACLs because they provide a greater range of control. Extended ACLs check the source and destination packet addresses and also check for protocols and port numbers. This provides greater flexibility to define what the ACL will filter. Packets can be permitted or denied access based on where the packet originated and its destination or protocol types and port addresses. For a single ACL, multiple statements may be configured. The syntax for the extended ACL statement can get very long and will often wrap in the terminal window. The wildcards also have the option of using the host or any keywords in the command.

The extended ACL uses the source and destination address. Ask students what ports are used for FTP, Telnet, SMTP, HTTP, and DNS. The students need to have these ports memorized. The first part of the IP extended ACL is the same as the IP standard ACL. The number is within the range of 100 to 199.

rt1(config)#access-list 101 ?

The permit or deny is the same as the standard.

rt1(config)#access-list 101 permit ?

<0-255> An IP protocol number

In an extended ACL, the protocol is listed after the permit or deny statement. Then enter the source address with the wildcard mask and destination address with the wildcard mask.

rt1(config)#access-list 101 permit tcp 172.16.0.1 0.0.0.0 192.168.0.0 0.0.255.255 ?

log-input Log matches against this entry, including input interface

lt neq