Section 8.2: Extended IP Access Lists

Extended IP access lists are similar to standard IP access lists in that you enable extended access lists on interfaces for packets either entering or exiting the interface. IOS then searches the list sequentially. The first statement matched stops the search through the list and defines the action to be taken. The key difference between extended IP access lists and standard IP access lists is the variety of fields in the packet that extended access lists can compare for matching. A single extended IP access list statement can examine multiple parts of the packet headers, requiring that all the parameters be matched correctly in order to match that one IP access list statement. That matching logic is what makes extended access lists both much more useful and much more complex than standard IP access lists. You can configure extended IP access lists to match the IP protocol type, which identifies what header follows the IP header. You can specify all IP packets, or those with TCP headers, UDP headers, ICMP, etc., by checking the Protocol field. You can also check the source and destination IP addresses, as well as the TCP source and destination port numbers.

An extended access list is more complex than a standard access list. Therefore, the configuration commands are more complex. The configuration command for extended access lists is:

  • access-list access-list-number action protocol source source-wildcard destination destination-wildcard [log | log-input], which can be used to enable access lists
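The matching logic described above (sequential search, first match wins, every field in a statement must match), as a small simulator added here for illustration; it is not code from the original text and not how IOS itself is implemented. It assumes only the access-list syntax shown in this section plus the eq port operator, host/any shorthands and the implicit deny at the end of every IOS access list; the sample list and packets are constructed.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 1 bit means 'do not care' about that address bit."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care

def parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'; return (base, wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ("0.0.0.0", "255.255.255.255")
    return (tokens.pop(0), "0.0.0.0") if tok == "host" else (tok, tokens.pop(0))

def parse_port(tokens):
    """Consume an optional 'eq <port>' (the only port operator modelled here); None if absent."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return None

def parse_entry(line):
    """Parse: access-list N {permit|deny} proto src src-wc [eq p] dst dst-wc [eq p] [log|log-input]."""
    t = line.split()
    e = {"number": int(t[1]), "action": t[2], "protocol": t[3]}
    rest = t[4:]
    e["src"], e["sport"] = parse_addr(rest), parse_port(rest)  # tuple evaluates left to right
    e["dst"], e["dport"] = parse_addr(rest), parse_port(rest)
    e["log"] = bool(rest) and rest[0] in ("log", "log-input")
    return e

def entry_matches(e, p):
    """Every field present in the statement must match the packet for the statement to match."""
    return (e["protocol"] in ("ip", p["protocol"])
            and wildcard_match(p["src"], *e["src"]) and wildcard_match(p["dst"], *e["dst"])
            and (e["sport"] is None or e["sport"] == p.get("sport"))
            and (e["dport"] is None or e["dport"] == p.get("dport")))

def evaluate(acl, p):
    """Search top-down; the first matching statement decides. No match: implicit deny."""
    for e in acl:
        if entry_matches(e, p):
            return e["action"]
    return "deny"

# Constructed sample list: deny Telnet to one server, permit web to it from one subnet, permit ICMP.
ACL_101 = [parse_entry(s) for s in (
    "access-list 101 deny tcp any host 10.1.1.10 eq 23",
    "access-list 101 permit tcp 10.1.2.0 0.0.0.255 host 10.1.1.10 eq 80 log",
    "access-list 101 permit icmp any any")]
```

A packet is a dict with protocol, src, dst and optional sport/dport; a web request from 10.1.3.5 to the server is denied not by any statement but by the implicit deny, which is the usual surprise when a list is written from the permit side only.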