What command would you use to apply the access list you created in Question 1 to an Ethernet interface outbound?

Keywords permit or deny

A keyword permit or deny specifies to the router the action to be performed. For example, the keyword permit would allow the packet to exit or enter the interface, depending on whether you specify the filtering to be performed in or out. Again, this option provides the same function as in our standard access list. The last line of our extended access list example could have read as follows:

access-list 141 permit ip any any

Protocol

You have the option of filtering several different protocols using the extended access list. The protocol field in the IP header is an 8-bit number that defines what protocol is used inside the IP packet. TCP and UDP are only two of the possible protocols that can be filtered on, although they are most common. Other protocols, such as ICMP and EIGRP, have their own protocol numbers because they are not encapsulated inside TCP or UDP. If we use a question mark when defining an access list, we can see the protocol numbers that have been defined by name inside the router.

Router (config)#access-list 191 permit?

<0-255> An IP protocol number

ahp Authentication Header Protocol

eigrp Cisco's EIGRP routing protocol

esp Encapsulation Security Payload

gre Cisco's GRE tunneling

icmp Internet Control Message Protocol

igmp Internet Gateway Message Protocol

igrp Cisco's IGRP routing protocol

ip Any Internet Protocol

ipinip IP in IP tunneling

nos KA9Q NOS compatible IP over IP tunneling

ospf OSPF routing protocol

pcp Payload Compression Protocol

pim Protocol Independent Multicast

tcp Transmission Control Protocol

udp User Datagram Protocol

Protocols not on the preceding list may also be filtered with extended access lists, but they must be referenced by their protocol number. A full list of assigned IP protocol numbers can be found at www.iana.org/assignments/protocol-numbers.

It is important to remember that the IP keyword in the protocol field matches all protocol numbers.You must use a systematic approach here when designing your access list. For example, if your first line in the access list permits IP for a specific address, and the second line denies UDP for the same address, the second statement would have no effect. The first line would permit IP, including all the above layers. An option here may be to reverse the order of the statements. With the statements reversed, UDP would be denied from that address and all other protocols would be permitted.

Source Address and Wildcard-mask

The source address and source wildcard-mask perform the same function here as in a standard IP access list. So, in the preceding example we could have used the wildcard mask instead of the host and any keywords. The access list would then look as follows:

access-list 141 permit ip 172.16.130.88 0.0.0.0 i0.0.0.0 0.255.255.255

access-list 141 permit ip 172.16.130.89 0.0.0.0 i0.0.0.0 0.255.255.255

access-list 141 permit ip 172.16.130.90 0.0.0.0 i0.0.0.0 0.255.255.255

access-list 141 permit ip 172.16.130.0 0.0.0.255 192.168.10.118 0.0.0.0

access-list 141 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

In the first three lines, we are permitting or allowing packets from individual hosts on subnet 172.16.130.0 to any host on network 10.0.0.0. In line 4, we are permitting packets with the source address that belongs to subnet 172.16.130.0 to the destination of host 192.168.10.118. Line 5 tells us that we are permitting all packets regardless of the source or destination address. Remember that standard IP access lists have a default mask of 0.0.0.0. This does not apply to extended access lists so we must specify one.

Destination Address and Wildcard-mask

The destination address and wildcard-mask have the same effect and structure as the source address and wildcard-mask. So, here the keywords host and any are also available. You can utilize these keywords to specify any destination address as well as a specific destination without using the wildcard mask. Remember that extended access lists try a match on both source and destination. A common mistake here is trying to build an extended access list with the idea of only filtering the source address, and forgetting to specify the destination address.

Source and Destination Port Number

Many times, we don’t want to deny all access to a particular server. When you put a Web server out on the Internet, you want everyone to be able to access it on port 80 (WWW), but you don’t want to allow access to any other ports, because it gives hackers the opportunity to exploit other services you may not be aware of (although you should know of them in the first place). Restricting access to this level of detail is another benefit of extended ACLs. We have the option of specifying a source and destination port number in the access list. Let’s look at a simple example:

Router(config)# interface Serial 0

Router(config-if)# ip access-group 111 in

Router(config)#access-list 111 permit tcp any host 172.17.11.19 eq 25

Router(config)#access-list 111 permit tcp any host 172.17.11.19 eq 23

In line 1, we are permitting TCP packets from any source to the destination of host 172.22.11.19 if the destination port is 25 (SMTP). In line 2, we are permitting TCP packets from any source to the destination of host 172.22.11.19 if the destination port is 23 (Telnet). The implicit deny statement at the end of this access list will prevent all other traffic from making it into our network.