9 Replies Latest reply: Jun 9, 2010 6:19 AM by Prajit G Nair

    Standard access list and Extended access list?

    Prajit G Nair

      Can anyone tell me when we use a standard access list and when we use an extended access list?

        • 1. Re: Standard access list and Extended access list?
          Angela

          There are two general differences between the two:

          - Standard ACLs specify only the source, implying traffic for all destinations, while with extended ACLs you can specify traffic from one source to one destination. E.g. a standard ACL allows you to deny traffic for 192.168.1.20, which completely blocks the user from any type of traffic. Basically, that user doesn't own a NOS right now; s/he owns a simple computer that can't talk to anyone. Extended ACLs allow you to specify a conversation between, e.g., Bill and Jill, without preventing Bill from talking to anyone else.

          - Another significant difference is that a standard ACL denies/permits all traffic, whereas an extended ACL selectively denies/permits some or all traffic depending on your preference. A standard ACL denial means all types of traffic are blocked: data, video, or music. On the other hand, an extended ACL can deny only video and music but allow data. This is how the company gets its employees to work. NO ENTERTAINMENT allowed.

          Regards

          • 2. Re: Standard access list and Extended access list?
            Mike DeYoung

            Hi Prajit,

            Maybe this will be helpful...

            Standard                              Extended
            Match source (entire protocol)        Match source & destination (individual port)
            # 1-99, 1300-1999                     # 100-199, 2000-2699
            Place close to destination            Place close to source

            ACLs are used for traffic classification as well as traffic filtering. For example, you would use a standard ACL for classifying traffic for NAT processes (or VPN or QoS). Generally you would use an extended ACL for traffic filtering.

            -Mike DeYoung

            • 3. Re: Standard access list and Extended access list?
              Prajit G Nair

              Thanks Angela for your reply. But I have been trying to block one of the IPs, i.e. a PC from a different network, with the help of a standard access list from communicating with the other PC in a different network, and it seems like I am not able to block that PC when I use its IP address as the deny. Instead, when I try to deny the network ID of that PC, I'm getting the desired result; but the whole network won't communicate with that PC! Does that mean with standard, you can only block a network and not a particular IP address? And to block a particular IP address, you have to use an extended access list instead of standard?

              And can you give me one example of when we would use "out" inside the interface in a standard access list?

              I hope you are getting my point! If not, I will detail it more.

              Regards,

              Prajit.Nair.

              • 4. Re: Standard access list and Extended access list?
                rosscourtnell

                Hi Prajit


                Put simply....


                A standard ACL can permit or deny traffic based only on the source address(es).


                An extended ACL can permit or deny traffic based on both the source and destination address(es) as well as tcp/udp/icmp traffic types.


                HTH


                Ross

                • 5. Re: Standard access list and Extended access list?
                  rosscourtnell

                  Prajit

                  It sounds like you have blocked all traffic from that PC, which indicates to me that you may not have put a permit statement in your access list to allow other traffic to the PC. Don't forget there is an implicit deny any at the end of every ACL, so if you only have deny statements in your ACL then no traffic will pass.

                  Ross

                  • 6. Re: Standard access list and Extended access list?
                    Prajit G Nair

                    It seems like I'm getting confused now about the source and destination part. Can you explain that in both cases, standard and extended?

                    • 7. Re: Standard access list and Extended access list?
                      rosscourtnell

                      The source is where the traffic is coming from and the destination is where the traffic is going to.

                      The attached simple diagram may help.

                      EXAMPLE.JPG

                      • 8. Re: Standard access list and Extended access list?
                        Prajit G Nair

                        I did give the command permit any after the deny command... I will post the lab here.

                        Here is the scenario:

                        I want only pc3, which is on router 1's side, not to communicate with the whole 192.168.10.0 network, i.e. the PCs connected to router 0's switch. I want the others to communicate successfully.

                        So I gave the command on router 0:

                        Router(config)#access-list 10 deny host 192.168.30.2

                        Router(config)#access-list 10 permit any

                        Router(config)#int f0/0

                        Router(config-if)#ip access-group 10 in
                        Router(config-if)#exit

                        But pc3 is still communicating... why?

                        • 9. Re: Standard access list and Extended access list?
                          Prajit G Nair

                          Ok! I figured out the answer myself. After a long time of experimenting with it, I finally figured out what exactly a standard access list is, how it can be used and why it's used! Thanks Angela, Mike DeYoung and Ross.

                          I applied the standard list on the source and I got the answer. Now I know how to use it.

                          Thanks again.

                          Regards,

                          Prajit Nair.
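To tie the replies together, here is an added example that is not part of the original thread and not Cisco code: a small Python model of IOS-style numbered ACLs. It shows the points made in replies 1, 2, 5, 8 and 9: a standard list (numbers 1-99, 1300-1999) matches on the source only, so it blocks a host toward every destination; an extended list (100-199, 2000-2699) can match source, destination, protocol and port; every list ends in an implicit deny any; and a list applied "in" or "out" on an interface only sees packets that actually cross that interface in that direction. The topology is an assumption, not something the thread states: on router 0, f0/0 is taken to be the LAN interface toward 192.168.10.0/24 and s0/0 the link toward router 1; on router 1, f0/0 is taken to be the interface where pc3's traffic enters. The interface names, the sample destination 192.168.10.5, the second network 192.168.20.0 and the extended list 101 are constructed for the example.

```python
# Added example, not code from the thread or from Cisco: a minimal model of
# IOS-style numbered ACLs, first-match evaluation with the implicit "deny any",
# and direction-aware application on router interfaces.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"            # "ip", "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # destination port for tcp/udp

@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    src: str = "any"             # "any", "host A.B.C.D" or "A.B.C.D WILDCARD"
    dst: str = "any"             # extended lists only
    proto: str = "ip"            # extended lists only
    dport: Optional[int] = None  # extended lists only

def addr_matches(spec: str, addr: str) -> bool:
    """Match an address against 'any', 'host X' or 'network wildcard'."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return ipaddress.ip_address(parts[1]) == ipaddress.ip_address(addr)
    net, wildcard = (int(ipaddress.ip_address(p)) for p in parts)
    care = 0xFFFFFFFF ^ wildcard  # wildcard bit 1 = don't care, so compare only the 0 bits
    return (int(ipaddress.ip_address(addr)) & care) == (net & care)

@dataclass
class AccessList:
    number: int
    entries: list = field(default_factory=list)

    @property
    def standard(self) -> bool:
        # IOS numbering: 1-99 and 1300-1999 are standard, 100-199 and 2000-2699 extended
        return 1 <= self.number <= 99 or 1300 <= self.number <= 1999

    def evaluate(self, pkt: Packet) -> str:
        for e in self.entries:
            if not addr_matches(e.src, pkt.src):
                continue
            if not self.standard:  # a standard list never looks past the source
                if not addr_matches(e.dst, pkt.dst):
                    continue
                if e.proto != "ip" and e.proto != pkt.proto:
                    continue
                if e.dport is not None and e.dport != pkt.dport:
                    continue
            return e.action  # first match wins
        return "deny"        # the implicit deny any at the end of every ACL

@dataclass
class Router:
    acls: dict                                   # number -> AccessList
    in_acl: dict = field(default_factory=dict)   # interface -> number, checked on entry
    out_acl: dict = field(default_factory=dict)  # interface -> number, checked on exit

    def forward(self, pkt: Packet, ingress: str, egress: str) -> str:
        if ingress in self.in_acl and self.acls[self.in_acl[ingress]].evaluate(pkt) == "deny":
            return "denied at %s (in)" % ingress
        if egress in self.out_acl and self.acls[self.out_acl[egress]].evaluate(pkt) == "deny":
            return "denied at %s (out)" % egress
        return "forwarded"

PC3_TO_LAN = Packet("192.168.30.2", "192.168.10.5", "icmp")  # constructed sample flow

def acl_10() -> AccessList:
    """The standard list from reply 8: deny host 192.168.30.2, then permit any."""
    return AccessList(10, [Entry("deny", "host 192.168.30.2"), Entry("permit")])

def reply8_in_on_f0_0() -> str:
    """Assumed: router 0's f0/0 faces the LAN, s0/0 faces router 1; pc3 enters on s0/0."""
    r0 = Router({10: acl_10()}, in_acl={"f0/0": 10})
    return r0.forward(PC3_TO_LAN, ingress="s0/0", egress="f0/0")  # list never consulted

def out_on_f0_0() -> str:
    """Same list applied 'out' on f0/0 (close to the destination): now it matches."""
    r0 = Router({10: acl_10()}, out_acl={"f0/0": 10})
    return r0.forward(PC3_TO_LAN, ingress="s0/0", egress="f0/0")

def reply9_in_at_source() -> str:
    """Reply 9: list applied inbound where pc3 enters (assumed f0/0 on router 1)."""
    r1 = Router({10: acl_10()}, in_acl={"f0/0": 10})
    return r1.forward(PC3_TO_LAN, ingress="f0/0", egress="s0/0")  # blocks pc3 to everything

def extended_101() -> tuple:
    """Angela's point: an extended list can deny pc3 only toward 192.168.10.0/24."""
    acl = AccessList(101, [Entry("deny", "host 192.168.30.2", "192.168.10.0 0.0.0.255"),
                           Entry("permit")])
    return (acl.evaluate(PC3_TO_LAN),                              # pc3 -> 192.168.10.x
            acl.evaluate(Packet("192.168.30.2", "192.168.20.5")),  # pc3 -> elsewhere
            acl.evaluate(Packet("192.168.30.3", "192.168.10.5")))  # another host -> LAN

def deny_only_list() -> str:
    """Ross's point: a list with only deny entries passes nothing (implicit deny any)."""
    return AccessList(20, [Entry("deny", "host 192.168.30.2")]).evaluate(
        Packet("192.168.30.3", "192.168.10.5"))
```

Running `reply8_in_on_f0_0()` returns "forwarded" under the assumed topology, which is the behaviour reported in reply 8: the inbound list on f0/0 only ever sees return traffic sourced from 192.168.10.x, which the permit any allows. Moving the list to "out" on the same interface, or inbound at the source side as in reply 9, makes it match; the standard list then stops pc3 toward every destination beyond that router, while `extended_101()` shows the narrower result the original requirement asked for.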