Configuring the two most common ACLs
While there are many ACL types, the most common ACLs used for filtering IP traffic are standard and extended. Each type has slightly different capabilities depending on what level of packet matching granularity you need. Let’s look at the capabilities of both ACL types and how to configure them.
The most basic of all IP ACLs is the standard ACL. These ACLs are designated by using an ACL number between 1 and 99 or between 1300 and 1999. Beyond the number, which marks the ACL as standard, admins specify source IP networks and whether the ACL should permit or deny those networks. Note that only the source network can be used to identify traffic to filter on.
As an example, let's say that we want to configure a standard IP ACL that will block (deny) traffic from 10.100.250.0/24, which is a network with a subnet mask of 255.255.255.0. We want to permit all other IP traffic. To do that, we can use an ACL number between 1 and 99 that is unused. We can then specify the deny and permit statements as follows:
Note that ACLs use what is known as a wildcard mask to specify the subnetwork. So instead of using a mask of 255.255.255.0 for the 10.100.250.0/24 network, the wildcard mask configured in the ACL entry should be 0.0.0.255. Also, make sure you understand that we must have the permit statement on the second line of the ACL. Because each line of the ACL is read top down, the deny statement will identify any packets coming from 10.100.250.0/24. If the packet is coming from any other source, it will match the permit any statement and be allowed through. If we did not have a permit statement, the implicit deny-any statement at the end of all ACLs would block all IP traffic.
Extended ACLs are just like the standard ones with the exception that protocol and port information can be used and both the source and destination networks may be defined in the rules. Extended ACLs use the designated numbers 100 through 199 and 2000 through 2699. Just like standard ACLs, the subnetwork is specified with a wildcard mask rather than a subnet mask. Extended ACLs can be configured to match IP (which includes both TCP and UDP), TCP, UDP or any number of additional protocols as shown below.
In this example, we will create an extended ACL that will match traffic with a source IP of 10.100.250.0/24, headed to a specific host destination of 172.16.25.100/32 on TCP port 80. This traffic will be denied. A second rule will specify that all other traffic will be permitted.
As you can see, when we specify both the source and destination networks, the source IP network is entered first, followed by the destination IP network. The eq 80 in the first access control entry is a match rule specifying that the port equals (eq) TCP port 80 exactly. There are many other match options such as ranges of ports, greater than, less than and quality of service (QoS) markings, among others. Here are all the options available:
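Added example, not configuration or code from the original article: a small Python model of the matching rules described in the standard ACL section above and the extended ACL section here. The `Entry` dataclass, `evaluate` function and the sample packets are constructed for illustration; they reproduce wildcard-mask matching, top-down first-match evaluation, and the implicit deny-any at the end of every ACL.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")  # the "any" keyword: every bit is a don't-care bit

def wildcard_for_prefix(prefixlen: int) -> str:
    """/24 -> 0.0.0.255: a wildcard mask is the bitwise inverse of the subnet mask."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF >> prefixlen))

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco-style match: bits set to 1 in the wildcard mask are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

@dataclass
class Entry:
    action: str                       # "permit" or "deny"
    src: Tuple[str, str]              # (network, wildcard)
    proto: str = "ip"                 # standard ACLs have no protocol field, so "ip"
    dst: Tuple[str, str] = ANY        # standard ACLs cannot name a destination
    dst_port: Optional[int] = None    # "eq <port>"; None means any port

def evaluate(acl, proto, src_ip, dst_ip, dst_port=None):
    """Walk the ACL top down; the first matching entry wins; implicit deny at the end."""
    for e in acl:
        if e.proto != "ip" and e.proto != proto:   # "ip" entries match tcp and udp too
            continue
        if not wildcard_match(src_ip, *e.src) or not wildcard_match(dst_ip, *e.dst):
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        return e.action
    return "deny"   # the implicit deny-any that closes every ACL

# Standard ACL from the text: deny 10.100.250.0/24, then permit any.
STANDARD_ACL = [Entry("deny", ("10.100.250.0", wildcard_for_prefix(24))), Entry("permit", ANY)]
# The same ACL without its permit line: the implicit deny now blocks everything.
DENY_ONLY_ACL = [Entry("deny", ("10.100.250.0", wildcard_for_prefix(24)))]
# Extended ACL from the text: deny tcp 10.100.250.0/24 -> host 172.16.25.100 eq 80, permit ip any any.
EXTENDED_ACL = [
    Entry("deny", ("10.100.250.0", "0.0.0.255"), "tcp", ("172.16.25.100", "0.0.0.0"), 80),
    Entry("permit", ANY, "ip", ANY),
]

if __name__ == "__main__":
    # Constructed sample packets: (protocol, source, destination, destination port)
    for pkt in [("tcp", "10.100.250.7", "172.16.25.100", 80), ("tcp", "10.100.250.7", "172.16.25.100", 443)]:
        print(pkt, "standard:", evaluate(STANDARD_ACL, *pkt), "extended:", evaluate(EXTENDED_ACL, *pkt))
```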