When network requirements extend beyond the capabilities of standard Access Control Lists, you may need to implement extended Access Control Lists to meet the needs of your network. Extended Access Control Lists are more robust and granular than standard Access Control Lists, which lets network administrators exercise finer control over traffic crossing a network.
Extended Access Control Lists provide added capability by filtering on both source and destination addresses. In addition, extended IP Access Control Lists provide precise control over traffic for any IP protocol. Although extended ACLs provide more extensive filtering, they operate in the same way as standard ACLs.
Figure 1.8 Standard Access Control List Example (diagram: Router 1 sits between Ethernet 0 and Serial 1, which connects to the WAN; for each packet the router checks whether the source address is 127.56.25.x, dropping the packet if yes and passing it on if no)
Extended IP Access Control Lists support all of the network layer protocols (ARP, RARP, ICMP, etc.), which is made possible by specifying the protocol by either protocol number or a keyword when enabling the Access Control List. The protocol keywords are EIGRP, GRE, ICMP, IGMP, IGRP, IP, IPINIP, NOS, OSPF, TCP, or UDP. Protocol numbers in the range 0 to 255 can also be used.
Within each protocol, every supported application can be filtered. This is accomplished by specifying the port number or application name. Port numbers range from 0 to 65535. Table 1.12 lists some common applications and their port numbers.
Table 1.12 Common Protocols and Port Numbers
Protocol Port
FTP data port 20
FTP control port 21
Simple Network Management Protocol (SNMP) 161
Domain Name System (DNS) 53
Boot Protocol Server (BOOTPS) 67
Boot Protocol Client (BOOTPC) 68
Gopher 70
Post Office Protocol (POP3) 110
Network News Transport Protocol (NNTP) 119
Border Gateway Protocol (BGP) 179
Simple Mail Transport Protocol (SMTP) 25
Telnet 23
Trivial File Transport Protocol (TFTP) 69
World Wide Web (WWW) 80
Extended Access Control Lists have a wide range of options available, which offer more control over specific types of network traffic. The following syntax is used when implementing extended ACLs.
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log | log-input]
www.syngress.com
Extended Access Control Lists are considerably more complex than standard ACLs. Table 1.13 defines each portion of the extended Access Control List command.
Table 1.13 Extended Access Control List Variable Definitions
Keyword Description
access-list-number This number identifies the access list as an extended ACL to the router.
dynamic A name used to identify the particular extended ACL.
timeout Defines how long a temporary access list is good for on the interface.
deny|permit Sets the condition that is applied to the access list.
protocol Name or number of an IP protocol. The following protocols are valid in this field: EIGRP, GRE, ICMP (Table 1.14), IGMP, IGRP, IP, IPINIP, NOS, OSPF, TCP (Table 1.15), and UDP.
source Network or host address from which the packet is being sent.
source-wildcard Wildcard value to be applied to the source address.
destination Network or host address to which the packet is destined.
destination-wildcard Wildcard value to be applied to the destination address.
precedence Specifies a packet's precedence level by name or a number between 1 and 7.
tos Specifies the type of service by either name or a number between 1 and 15.
log|log-input Causes a logging message to be created and sent to the console.
When using the keyword ICMP in conjunction with the Access Control List, the following options become available.
Table 1.14 ICMP Options in Extended Access Control Lists
Keyword Description
<0-255> ICMP message type
administratively-prohibited Administratively prohibited
alternate-address Alternate address
conversion-error Datagram conversion
dod-host-prohibited Host prohibited
dod-net-prohibited Net prohibited
echo Ping
echo-reply Ping reply
general-parameter-problem Parameter problem
host-isolated Host isolated
host-precedence-unreachable Host unreachable for precedence
host-redirect Host redirect
host-tos-unreachable Host unreachable for type of service
host-tos-redirect Host redirect for type of service
host-unknown Host is unknown
host-unreachable Host is unreachable
information-reply Information replies
information-request Information requests
log Log entries
mask-reply Mask replies
mask-request Mask requests
mobile-redirect Mobile host redirect
net-redirect Network redirect
net-tos-redirect Net redirect for type of service
net-tos-unreachable Network unreachable for type of service
net-unreachable Net unreachable
network-unknown Network is unknown
no-room-for-option Parameter is required but there is no room
option-missing Parameter is required but missing
packet-too-big Fragmentation required and DF set
parameter-problem Parameter problem
port-unreachable Port is unreachable
precedence Match packets with this precedence value
precedence-unreachable Precedence cutoff
protocol-unreachable Protocol is unreachable
reassembly-timeout Reassembly timeout
redirect Redirect
router-advertisement Router advertisement
router-solicitation Router solicitation
source-quench Source quenches
source-route-failed Source route has failed
time-exceeded Time has been exceeded
timestamp-reply Timestamp reply
timestamp-request Timestamp request
tos Type of service value match
traceroute Traceroute
ttl-exceeded Time-to-live has exceeded
unreachable Unreachable
When using the keyword TCP, the following options become available.
Table 1.15 TCP Options in Extended Access Control Lists
Keyword Description
eq Match packets by port
established Match established connections
gt Match packets with a greater port number
log Log matches
lt Match packets with a lower port number
neq Match packets not on a given port number
precedence Match packets with a specific precedence
range Match packets within a range
tos Match packets with a specific type of service
<cr> Carriage return
After creating the extended Access Control List, you must apply it to an interface. This procedure is identical to the way you would apply a standard Access Control List to an interface. The following is the syntax for applying an extended Access Control List, as well as a standard Access Control List, to an interface. If you forget to specify whether the list is applied inbound or outbound on the interface, the router will default to outbound ("out").
ip access-group {access-list-number | name}{in | out}
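To make the matching rules concrete, the following Python model (an added illustration, not code from the book or from Cisco IOS) evaluates packets against entries written in the extended ACL syntax above. It implements the wildcard-mask comparison, the top-down first-match order and the implicit deny at the end of every list; only the tcp and ip protocol keywords and the eq, established and log options from Tables 1.13 and 1.15 are modelled, and the sample list, hosts and addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0      # destination port (TCP/UDP only)
    ack: bool = False   # TCP ACK or RST bit set, i.e. a reply in an existing connection

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care', a 0 bit must match exactly."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def parse_entry(line):
    """access-list N {deny|permit} proto src src-wc dst dst-wc [eq port] [established] [log]"""
    t = line.split()
    e = {"action": t[2], "proto": t[3].lower(), "src": t[4], "src_wc": t[5],
         "dst": t[6], "dst_wc": t[7], "port": None, "established": False, "log": False}
    opts = t[8:]
    for i, opt in enumerate(opts):
        if opt == "eq":                 # Table 1.15: match one destination port
            e["port"] = int(opts[i + 1])
        elif opt == "established":      # Table 1.15: only TCP segments with ACK/RST set
            e["established"] = True
        elif opt == "log":              # emit a log message for every match
            e["log"] = True
    return e

def matches(e, p):
    return (e["proto"] in ("ip", p.proto)
            and wildcard_match(p.src, e["src"], e["src_wc"])
            and wildcard_match(p.dst, e["dst"], e["dst_wc"])
            and (e["port"] is None or p.dport == e["port"])
            and (p.ack or not e["established"]))

def evaluate(acl, p):
    """Entries are tested top-down and the first match wins; no match is an implicit deny."""
    for e in map(parse_entry, acl):
        if matches(e, p):
            return e["action"], e["log"]
    return "deny", False

# Constructed sample (not from the page): LAN 10.1.1.0/24 may open port 80 on 192.168.5.10; the server side may only answer established connections; all else is denied and logged.
ACL_101 = [
    "access-list 101 permit tcp 10.1.1.0 0.0.0.255 192.168.5.10 0.0.0.0 eq 80",
    "access-list 101 permit tcp 192.168.5.0 0.0.0.255 10.1.1.0 0.0.0.255 established",
    "access-list 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 log",
]
```

Because the last entry matches everything, the log flag makes every rejected packet visible on the console, which is the usual way to confirm an extended list is doing what was intended before relying on the silent implicit deny.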