ACLs can block or allow traffic, inbound or outbound on an interface, based on protocol, source and destination IP address (each qualified by a wildcard mask) and, for extended ACLs, port.
Basic facts (see the Computer Networking Notes website, an excellent source of information on cert-level technologies, for more):
- ACLs come in two varieties: numbered and named.
- Both numbered and named ACLs support two types of filtering: standard and extended.
- Standard IP ACLs can filter only on the source IP address in a packet.
- Extended IP ACLs can filter on the source and destination IP addresses, the protocol and (for TCP and UDP) the source and destination ports.
- There are two actions an ACL entry can take: permit or deny. Entries are checked top to bottom and the first match wins; if nothing matches, the implicit deny at the end of every ACL drops the packet.
Extended ACL syntax:
access-list <number 100-199 or 2000-2699> <permit | deny> <protocol> <source> <source-wildcard>
    [<operator> <source-port>] <destination> <destination-wildcard>
    [<operator> <destination-port>] [options] [log]
Useful notes:
- Protocol: ip, tcp, udp, icmp, gre and igrp (tcp, udp and icmp are the ones you will use most; port operators only apply to tcp and udp).
- Source and destination: an IP address followed by its wildcard mask, host <address> for a single address, or any.
- Wildcard mask is an inverse mask: 0 = care (bit must match), 255 = don't care. So 192.168.1.0 0.0.0.255 matches 192.168.1.0 through 192.168.1.255. See the incredibly useful, easy-to-remember subnetting table for more on this.
- Operator for source port and destination port: lt, gt, eq, neq (less than, greater than, equal, not equal) followed by a port number, or range followed by two port numbers.
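The syntax and wildcard-mask rule above, as an added example (this is my code, not code from the page or from the SANS paper): a small Python evaluator that parses extended ACL lines in that syntax and runs packets through them top-down with the implicit deny at the end. The ACL and the packets are constructed for illustration; it accepts numeric ports only (no IOS port names such as www) and ignores options other than log.

```python
# Added example, not from the page or the SANS paper: evaluator for extended
# ACL lines in the syntax above. The ACL and packets are constructed samples.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# Port operators from the page, plus IOS's "range lo hi" (numeric ports only).
OPERATORS = {
    "eq":    lambda p, lo, hi: p == lo,
    "neq":   lambda p, lo, hi: p != lo,
    "lt":    lambda p, lo, hi: p < lo,
    "gt":    lambda p, lo, hi: p > lo,
    "range": lambda p, lo, hi: lo <= p <= hi,
}

@dataclass
class Packet:          # the fields an extended ACL can inspect
    proto: str         # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

@dataclass
class Entry:
    number: int
    action: str                          # "permit" or "deny"
    proto: str                           # "ip" matches every protocol
    src: int
    src_wild: int
    src_port: Optional[Tuple[str, int, int]]   # (operator, lo, hi) or None
    dst: int
    dst_wild: int
    dst_port: Optional[Tuple[str, int, int]]
    log: bool

def wildcard_match(addr: str, network: int, wildcard: int) -> bool:
    """Wildcard mask is an inverse mask: a 0 bit must match, a 1 bit is ignored."""
    return (int(IPv4Address(addr)) | wildcard) == (network | wildcard)

def _parse_addr(t: List[str], i: int):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return (network, wildcard, next)."""
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if t[i] == "host":
        return int(IPv4Address(t[i + 1])), 0, i + 2
    return int(IPv4Address(t[i])), int(IPv4Address(t[i + 1])), i + 2

def _parse_port(t: List[str], i: int):
    """Consume an optional '<operator> <port> [<port>]'; return (condition, next)."""
    if i < len(t) and t[i] in OPERATORS:
        lo = int(t[i + 1])
        if t[i] == "range":
            return (t[i], lo, int(t[i + 2])), i + 3
        return (t[i], lo, lo), i + 2
    return None, i

def parse_entry(line: str) -> Entry:
    """Parse 'access-list <n> <permit|deny> <proto> <src> [op port] <dst> [op port] [log]'."""
    t = line.split()
    number = int(t[1])
    if t[0] != "access-list" or not (100 <= number <= 199 or 2000 <= number <= 2699):
        raise ValueError("not an extended ACL line: " + line)
    if t[2] not in ("permit", "deny"):
        raise ValueError("action must be permit or deny: " + line)
    src, src_wild, i = _parse_addr(t, 4)
    src_port, i = _parse_port(t, i)
    dst, dst_wild, i = _parse_addr(t, i)
    dst_port, i = _parse_port(t, i)
    return Entry(number, t[2], t[3], src, src_wild, src_port,
                 dst, dst_wild, dst_port, "log" in t[i:])

def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (wildcard_match(p.src, e.src, e.src_wild)
            and wildcard_match(p.dst, e.dst, e.dst_wild)):
        return False
    for cond, port in ((e.src_port, p.sport), (e.dst_port, p.dport)):
        if cond is not None and not OPERATORS[cond[0]](port, cond[1], cond[2]):
            return False
    return True

def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins; no match hits the implicit deny (index None)."""
    for idx, e in enumerate(acl):
        if entry_matches(e, p):
            return e.action, idx
    return "deny", None

# Constructed sample ACL: HTTPS from the LAN and HTTP from anywhere to one
# server, ICMP logged and dropped, high UDP ports out of 192.168.1.0/24.
ACL_101 = [parse_entry(l) for l in """
access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.5 eq 443
access-list 101 permit tcp any host 10.0.0.5 eq 80
access-list 101 deny icmp any any log
access-list 101 permit udp 192.168.1.0 0.0.0.255 any gt 1023
""".split("\n") if l.strip()]
```

Running a few packets through evaluate(ACL_101, ...) shows the two things that trip people up: a host outside 192.168.1.0/24 sending to port 443 matches nothing and falls through to the implicit deny, not to the permit on the next line, and a UDP packet to port 53 is dropped because gt 1023 is tested against the destination port, not the source.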
More from this incredibly useful site, SANS.org: http://www.sans.org/reading-room/whitepapers/networkdevs/easy-steps-cisco-extended-access-list-231