The two types of Cisco IPv4 ACLs are standard and extended.
Note: Cisco IPv6 ACLs are similar to IPv4 extended ACLs and are discussed in a later section.
Standard ACLs
Standard ACLs permit or deny traffic based only on the source IPv4 address. The destination of the packet and the ports involved are not evaluated. The example in Figure 1 allows all traffic from the 192.168.30.0/24 network. Because of the implied "deny any" at the end of every ACL, all other traffic is blocked by this ACL. Standard ACLs are created in global configuration mode.
Extended ACLs
Extended ACLs filter IPv4 packets based on several attributes:
- Protocol type
- Source IPv4 address
- Destination IPv4 address
- Source TCP or UDP ports
- Destination TCP or UDP ports
- Optional protocol type information for finer control
In Figure 2, ACL 103 permits traffic originating from any address on the 192.168.30.0/24 network to any IPv4 network if the destination host port is 80 (HTTP). Extended ACLs are created in global configuration mode.
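The difference between the two ACL types, as an added example that is not part of the original page: a small Python model of first-match evaluation with the implied "deny any", applied to the standard ACL described for Figure 1 and to ACL 103. The ACL number 10, the function names and the sample packets are assumptions constructed for illustration.

```python
from ipaddress import IPv4Address

def wildcard_match(addr, base, wildcard):
    """True when addr equals base on every bit where the wildcard bit is 0."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & care == int(IPv4Address(base)) & care

ANY = ("0.0.0.0", "255.255.255.255")  # the IOS keyword "any"

# Standard ACL: (action, source, wildcard). ACL number 10 is assumed.
# IOS line: access-list 10 permit 192.168.30.0 0.0.0.255
ACL_10 = [("permit", "192.168.30.0", "0.0.0.255")]

# Extended ACL: (action, protocol, source, destination, destination port).
# IOS line: access-list 103 permit tcp 192.168.30.0 0.0.0.255 any eq 80
ACL_103 = [("permit", "tcp", ("192.168.30.0", "0.0.0.255"), ANY, 80)]

def check_standard(acl, pkt):
    """Only the source address is examined; first matching entry wins."""
    for action, src, wc in acl:
        if wildcard_match(pkt["src"], src, wc):
            return action
    return "deny"  # implied "deny any" at the end of every ACL

def check_extended(acl, pkt):
    """Protocol, source, destination and destination port must all match."""
    for action, proto, src, dst, dport in acl:
        if (proto in ("ip", pkt["proto"])
                and wildcard_match(pkt["src"], *src)
                and wildcard_match(pkt["dst"], *dst)
                and (dport is None or dport == pkt.get("dport"))):
            return action
    return "deny"  # implied "deny any"

# Constructed sample packets (not captured traffic).
PACKETS = [
    {"src": "192.168.30.12", "dst": "10.1.1.5", "proto": "tcp", "dport": 80},
    {"src": "192.168.30.12", "dst": "10.1.1.5", "proto": "tcp", "dport": 22},
    {"src": "192.168.30.12", "dst": "10.1.1.5", "proto": "udp", "dport": 80},
    {"src": "192.168.31.7", "dst": "10.1.1.5", "proto": "tcp", "dport": 80},
]

def compare(packets=PACKETS):
    """Return (standard verdict, extended verdict) for each packet."""
    return [(check_standard(ACL_10, p), check_extended(ACL_103, p)) for p in packets]

if __name__ == "__main__":
    for pkt, (std, ext) in zip(PACKETS, compare()):
        print(pkt, "-> standard:", std, "| extended:", ext)
```

The standard ACL lets SSH and UDP from 192.168.30.0/24 through because it never looks past the source address, while ACL 103 passes only the TCP port 80 packet.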
The commands for ACLs are explained in the next few topics.
Note: Standard and extended ACLs are discussed in more detail later in this chapter.