An extended acl is an acl that allows you to specify a source and destination address as well as protocol and other information. A crypto acl is not a classification in terms of standard or extended acl. A crypto acl is a use case for an extended acl in which we specify the source and destination address to be encrypted. So I can create an acl as follows.
ip access-list extended crypto
permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
That is the IOS syntax of an extended acl with the name of "crypto". That is not necessarily a crypto acl. However, if I apply that extended ACL to a crypto map, then it becomes a crypto acl. It is how it is used that makes it a crypto acl.
What is the difference between a crypto acl and an acl, when we are using the same syntax?
The answer is where we use the ACL, and that determines the name.
Let's create ACL 101 that permits IP traffic from the 10.0.0.0/8 network to 172.16.0.0/16 network, and permits nothing else.
If we apply ACL 101 to an interface for filtering, that is exactly what it is, a filter that will only allow that traffic through the interface it is applied to, based on the traffic matching the permit in the ACL.
If we apply the same ACL as part of our crypto-map in IPSec, then that same ACL 101 is now called a crypto acl. The purpose of the ACL in this case is to identify what traffic should be encrypted, specifically any traffic from 10.0.0.0/8 to 172.16.0.0/16 (in our example).
Great question, and best wishes,
I think Paul and Keith already provided a very good explanation!
If you type "ip access-list extended crypto" it would just make a normal extended ACL named crypto. So to edit it you would edit it just like you edit a normal extended ACL.
You don't have to create the ACL using numbers, as Keith tried to explain. You just use this ACL to "define interesting traffic" that will be encrypted. You can use a numbered list or a named extended list.
To match this "ACL" to a crypto map you'd have to do a few configuration steps first, but in the crypto map configuration you define which ACL to match addresses with the command: match address crypto
Or if it's a numbered acl with the command: match address 101
...it's just used to define, like Paul and Keith explained, interesting traffic to be encrypted. A permit statement that matches will be sent encrypted, all other traffic will be sent unencrypted.
Nothing more, nothing less.
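The point made across the replies above (the same extended ACL is a packet filter when applied to an interface and a crypto ACL when referenced by "match address" in a crypto map) can be seen by evaluating one ACL under both interpretations. The following Python script is an added example, not code from any of the posters or from Cisco IOS: it parses the two ACLs quoted in the thread (the named "crypto" ACL and ACL 101), implements IOS wildcard-mask matching including the implicit deny, and classifies a few constructed flows. The flow addresses are constructed for illustration, and the model deliberately covers only "permit ip" entries with network/wildcard, "host" and "any" address forms.

```python
"""Model of one IOS extended ACL used as an interface filter vs. a crypto ACL.

Added example, not from the original thread. The ACL text reproduces the two
ACLs discussed in the thread; the flows below are constructed sample traffic.
"""
import ipaddress
import re

# Named extended ACL exactly as quoted in the thread.
NAMED_ACL = """
ip access-list extended crypto
 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

# Numbered ACL 101 from the thread: 10.0.0.0/8 -> 172.16.0.0/16, nothing else.
NUMBERED_ACL = """
access-list 101 permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.0.255.255
"""

# Matches "permit ip ..." / "deny ip ..." lines, with or without the
# "access-list <number>" prefix used by numbered ACLs.
ENTRY_RE = re.compile(r"^\s*(?:access-list\s+\d+\s+)?(permit|deny)\s+ip\s+(.+)$")


def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a ^ n) & (~w & 0xFFFFFFFF) == 0


def _parse_addr(tokens):
    """Consume one address spec from the token list; return (network, wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return "0.0.0.0", "255.255.255.255"
    if tok == "host":
        return tokens.pop(0), "0.0.0.0"
    return tok, tokens.pop(0)


def parse_acl(text):
    """Return a list of (action, (src_net, src_wc), (dst_net, dst_wc)) entries."""
    entries = []
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # skips the "ip access-list extended NAME" header line
        action, rest = m.group(1), m.group(2).split()
        src = _parse_addr(rest)
        dst = _parse_addr(rest)
        entries.append((action, src, dst))
    return entries


def first_match(entries, src_ip, dst_ip):
    """Top-down first-match evaluation; every IOS ACL ends with an implicit deny."""
    for action, (sn, sw), (dn, dw) in entries:
        if wildcard_match(src_ip, sn, sw) and wildcard_match(dst_ip, dn, dw):
            return action
    return "deny"


def as_interface_filter(entries, src_ip, dst_ip):
    """ACL bound to an interface (ip access-group): permit forwards, anything else drops."""
    return "forward" if first_match(entries, src_ip, dst_ip) == "permit" else "drop"


def as_crypto_acl(entries, src_ip, dst_ip):
    """Same ACL referenced by 'match address' in a crypto map: permit means encrypt,
    anything else is sent in the clear rather than dropped."""
    return "encrypt" if first_match(entries, src_ip, dst_ip) == "permit" else "clear"


if __name__ == "__main__":
    acl101 = parse_acl(NUMBERED_ACL)
    # Constructed sample flows: one inside the 10/8 -> 172.16/16 pair, one outside it.
    for src, dst in [("10.1.2.3", "172.16.5.6"), ("10.1.2.3", "192.0.2.1")]:
        print(f"{src} -> {dst}: as filter = {as_interface_filter(acl101, src, dst)}, "
              f"as crypto acl = {as_crypto_acl(acl101, src, dst)}")
```

Running it prints the two outcomes side by side for each flow: the in-scope flow is forwarded under the filter interpretation and encrypted under the crypto-map interpretation, while the out-of-scope flow is dropped by the filter but merely sent unencrypted when the ACL is a crypto ACL. The same first-match evaluation produces both results; only the action attached to "permit" and "deny" changes with where the ACL is applied.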