472 Chapter 9 Managing Traffic with Access Lists
Extended IP Access Lists
In the standard IP access list example, notice how you had to block the whole
subnet from getting to the finance department. What if you wanted them to
gain access to only a certain server on the Finance LAN, but not to other
network services, for obvious security reasons? With a standard IP access
list, you can't allow users to get to one network service and not another,
because a standard list tests only the source IP address of each packet.
An extended IP access list lets you do this. Extended IP access lists let you
match on the IP source and destination address as well as the protocol and
port number, which identify the upper-layer protocol or application. By using
extended IP access lists, you can allow users to reach a physical LAN while
stopping them from using certain services on it.
Here is an example of an extended IP access list. The first command shows
the access-list numbers available. You'll use the extended access list range
from 100 to 199. (IOS sorts the ranges as strings, which is why 1000-1299
appear between 100-199 and 200-299.)
RouterA(config)#access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
<1000-1099> IPX SAP access list
<1100-1199> Extended 48-bit MAC address access list
<1200-1299> IPX summary address access list
<200-299> Protocol type-code access list
<300-399> DECnet access list
<400-499> XNS standard access list
<500-599> XNS extended access list
<600-699> Appletalk access list
<700-799> 48-bit MAC address access list
<800-899> IPX standard access list
<900-999> IPX extended access list
At this point, you need to decide what type of list entry you are making.
For this example, you'll choose a deny list entry.
RouterA(config)#access-list 110 ?
deny Specify packet
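To make the difference between the two list types concrete, here is an added example (not from the book, and not Cisco code) that parses IOS-style access-list lines and evaluates sample packets against them with the same rules a router applies: entries are tested top-down, the first match wins, and a packet that matches nothing is dropped by the implicit deny. The Sales (172.16.40.0/24) and Finance (172.16.50.0/24) subnets, the server addresses, the ports and the sample packets are all constructed for illustration; the parser understands only the `any`, `host` and address/wildcard forms and a destination `eq <port>`, which is enough for the lists shown.

```python
"""Toy first-match evaluator for Cisco IOS-style numbered IP access lists.

Added example, not code from the book or from Cisco IOS. The list lines,
subnets, servers, ports and packets below are constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class AddrSpec:
    """IOS address/wildcard pair: wildcard bits set to 1 are 'don't care'."""
    net: int
    wild: int

    def matches(self, addr: str) -> bool:
        # Force the don't-care bits to 1 on both sides, then compare the rest.
        return (int(IPv4Address(addr)) | self.wild) == (self.net | self.wild)


ANY = AddrSpec(0, 0xFFFFFFFF)


@dataclass(frozen=True)
class Entry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every IP protocol
    src: AddrSpec
    dst: AddrSpec               # always ANY for a standard list
    dport: Optional[int] = None  # from "eq <port>" on an extended entry


def _take_addr(tokens: list[str]) -> AddrSpec:
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return AddrSpec(int(IPv4Address(tokens.pop(0))), 0)
    return AddrSpec(int(IPv4Address(tok)), int(IPv4Address(tokens.pop(0))))


def parse_acl(lines: list[str]) -> list[Entry]:
    """Parse 'access-list <n> permit|deny ...' lines (standard 1-99, extended 100-199)."""
    entries: list[Entry] = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
            continue                      # blank lines, remarks, anything else
        number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        if 1 <= number <= 99:
            # Standard list: only the source address is tested, so no
            # protocol, destination or port can be expressed here.
            entries.append(Entry(action, "ip", _take_addr(rest), ANY))
        elif 100 <= number <= 199:
            proto = rest.pop(0)
            src, dst = _take_addr(rest), _take_addr(rest)
            dport = int(rest[1]) if rest[:1] == ["eq"] else None
            entries.append(Entry(action, proto, src, dst, dport))
        else:
            raise ValueError(f"not an IP access list: {line}")
    return entries


def evaluate(entries: list[Entry], pkt: Packet) -> str:
    """Top-down, first match wins; no match at all is the implicit deny."""
    for e in entries:
        if e.proto not in ("ip", pkt.proto):
            continue
        if not (e.src.matches(pkt.src) and e.dst.matches(pkt.dst)):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action
    return "deny"


# Constructed: the standard list can only block the whole Sales subnet.
STANDARD_ACL = """
access-list 10 deny   172.16.40.0 0.0.0.255
access-list 10 permit any
""".splitlines()

# Constructed: the extended list lets Sales reach the web service on one
# Finance server, blocks everything else from Sales to Finance, and leaves
# all other traffic alone.
EXTENDED_ACL = """
access-list 110 permit tcp 172.16.40.0 0.0.0.255 host 172.16.50.2 eq 80
access-list 110 deny   ip  172.16.40.0 0.0.0.255 172.16.50.0 0.0.0.255
access-list 110 permit ip  any any
""".splitlines()

SAMPLE_PACKETS = {                      # constructed sample traffic
    "sales_to_web":    Packet("tcp", "172.16.40.10", "172.16.50.2", 80),
    "sales_to_telnet": Packet("tcp", "172.16.40.10", "172.16.50.2", 23),
    "sales_to_files":  Packet("tcp", "172.16.40.10", "172.16.50.3", 445),
    "other_to_files":  Packet("tcp", "172.16.60.5",  "172.16.50.3", 445),
}


def compare(packets=SAMPLE_PACKETS) -> dict[str, tuple[str, str]]:
    """Return {name: (standard verdict, extended verdict)} for each packet."""
    std, ext = parse_acl(STANDARD_ACL), parse_acl(EXTENDED_ACL)
    return {name: (evaluate(std, p), evaluate(ext, p)) for name, p in packets.items()}


if __name__ == "__main__":
    for name, (s, e) in compare().items():
        print(f"{name:16} standard={s:6} extended={e}")
```

Running it shows the point of the section: the standard list denies every one of the Sales packets, including the web request, while the extended list permits only Sales to TCP/80 on 172.16.50.2 and still denies Telnet to that host and anything to the other Finance server. The entry order matters: if the `deny ip` line were placed first, the `permit tcp ... eq 80` line would never be reached.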
By applying the access-class command to the VTY lines, only packets trying
to telnet into the router itself are checked against the list; the list is not
applied to traffic passing through the router. This is a simple,
easy-to-configure way to restrict who can open a management session on your
router.
Copyright ©2002 SYBEX, Inc., Alameda, CA
www.sybex.com