There are 2 general differences between the two:
- Standard ACL specify only the source, implying traffic for all destination while you can specify traffic from one source to one destination for extended ACL. e.g standard ACL allow you to deny traffic for 192.168.1.20, which completely block the user from any type of traffic. Basically, that user doesn't own a NOS right now, s/he owns a simple computer that can't talk to anyone. Extended ACL allow you to specify conversation between, e.g Bill and Jill, but no preventing Bill from talking to anyone else.
- Another significant difference is that standard ACL denies/permits all traffic whereas extended ACL selectively deny/permit some or all traffic depending on your preference. A standard ACL denial means all types of traffic is blocked, data, video, or music. On the other hand, an extended ACL can deny only video and music but allow data. This is how the company get its employees to work. NO ENTERTAINMENT allowed.
Maybe this will be helful...
Match Source (entire protocol) Match Source & Destination (individual port)
# 1-99, 1300-1999 #100-199, 2000-2699
Place close to dest Place close to source
ACL’s are used for traffic classification and well as traffic filtering. For example, you would use a standard ACL for classifying traffic for NAT processes (or VPN or QoS). Generally you would use a extended ACL for traffic filtering.
Thanks angela for your reply. But i have been trying to block one of the ip i.e a pc from different network, with the help of standard access list from communicating with the other pc in different network and it seems like I am not able to block that pc when i use its ip address as deny. Instead when i try to deny the network id ogf that pc, im getting the desired result; but the whole network won't communicate with that pc! Does that mean with sandard, you can only block network and not a particular ip add? And for particluar ip add to block, you have to use extended access list instead of standard?
And can you give me one example when will we use "out" inside the interface in standard access list?
I hope you are getting my point! if not i will detail it more.
It sounds like you have blocked all traffic from that PC which indicates to me that you may have not put a permit statement in your access list to allow other traffic to the PC. Dont forget there is an implicit deny any at the end of every ACL so if you only have deny statements in your ACL then no traffic will pass.
I did give the command permit any after the deny command...i will post the lab here..
heres is the scenario:
I want that only pc3 which is in router 1 side, not to communicate with 192.168.10.0 whole network i.e. pc's connected to router 0's switch. i want others to communicate succesfully.
so i gave the command in router 0:
Router(config)#access-list 10 deny host 192.168.30.2
Router(config)#access-list 10 permit any
Router(config-if)#ip access-group 10 in
but pc 3 is still communicating..why?
topology.bmp 2.3 MB
"Ok! I figured the answer myself. After a long time of experimenting it, I finally figured out what is exactly standard access list and how it can be and why it's used! Thanks Angela, Mike DeYoung and Ross.
I applied the standard list on the source and I got the answer. Now i know how to use it.