packet filtering, stateful, application gateway (proxy), address-translation, host-based, transparent, and hybrid firewalls.
<1-99> IP standard access list
<100-199> IP extended access list
<1000-1099> IPX SAP access list
<1100-1199> Extended 48-bit MAC address access list
<1200-1299> IPX summary address access list
<1300-1999> IP standard access list (expanded range)
<200-299> Protocol type-code access list
<2000-2699> IP extended access list (expanded range)
<300-399> DECnet access list
<600-699> Appletalk access list
<700-799> 48-bit MAC address access list
<800-899> IPX standard access list
<900-999> IPX extended access list
dynamic-extended Extend the dynamic ACL absolute timer
rate-limit Simple rate-limit specific access list
access-list 1 permit host 192.168.180.1
access-list 1 permit 192.168.180.1 0.0.0.0
access-list 100 permit ip host 192.168.180.1 host 192.168.180.2
access-list 100 permit tcp host 192.168.180.1 host 192.168.180.2 eq 80
R2(config-if)# ip access-group 100 in
ip access-list standard STANDAR-ACL
permit host 192.168.180.1
ip access-list extended EXTENDED-ACL
permit tcp host 192.168.180.1 host 192.168.180.2 established
The access-class extended ACL only supports the any keyword as the destination.
ip access-list extended PERMIT-ADMIN-LINE
permit tcp host 192.168.180.1 any eq 22 log
deny ip any any
line vty 0 4
access-class PERMIT-ADMIN-LINE in
If using Cisco IOS Release 12.3 and later, sequence numbers can be used to ensure that ACEs are added in the correct location. The ACL is processed top-down based on the sequence numbers of the ACEs (lowest to highest).
Router-generated packets, such as routing table updates, are not subject to outbound ACL statements on the source router. If the security policy requires filtering these types of packets, inbound ACLs on adjacent routers or other router filter mechanisms using ACLs must do the filtering task.
Using the no parameter followed by the ACE will result in deleting the entire ACL.
On standard access lists, the Cisco IOS will add new entries by descending order of the IP address, regardless of the sequence number. Therefore, the sequence number in a standard ACL is used as an identifier of a specific ACE for deletion purposes.
All entries, regardless of the order in which they were entered, were placed in order of descending IP address, from specific to general.
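A simplified model of the top-down ACL evaluation described above, written as an added example (it is not Cisco code and not part of the original notes): it parses the PERMIT-ADMIN-LINE entries quoted earlier on this page, matches a packet against the ACEs in sequence-number order, applies wildcard-mask semantics (a 0 bit in the mask means "must match"), falls through to the implicit deny when nothing matches, and flags ACEs that an earlier, broader ACE shadows, which is the mistake that ordering errors produce. The supported syntax subset (permit/deny, ip|tcp|udp|icmp, host/any/wildcard, eq PORT, log), the default sequence numbering of 10, 20, ... and the sample packets are assumptions; the established keyword is skipped.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example (not Cisco code): a simplified model of how IOS walks a named
# extended ACL top-down by sequence number, ending in the implicit deny.
# Modelled subset (an assumption): permit/deny, ip|tcp|udp|icmp,
# "host A" / "any" / "A WILDCARD", optional "eq PORT", optional "log".
# Other keywords such as "established" are skipped.

@dataclass
class Ace:
    seq: int
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp", "udp" or "icmp"
    src: str               # address spec as written in the ACE
    dst: str
    dport: Optional[int] = None
    log: bool = False

def wildcard_match(spec: str, ip: str) -> bool:
    """Match an address against an IOS address spec. In a wildcard mask a 0 bit
    means 'must equal', a 1 bit means 'don't care', so 'A 0.0.0.0' == 'host A'."""
    addr = int(ipaddress.IPv4Address(ip))
    tok = spec.split()
    if tok == ["any"]:
        return True
    if tok[0] == "host":
        return addr == int(ipaddress.IPv4Address(tok[1]))
    base = int(ipaddress.IPv4Address(tok[0]))
    wild = int(ipaddress.IPv4Address(tok[1]))
    care = 0xFFFFFFFF ^ wild
    return (addr & care) == (base & care)

def _take_addr(tok, i):
    """Consume one address spec starting at token i; return (spec, next index)."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return f"host {tok[i + 1]}", i + 2
    return f"{tok[i]} {tok[i + 1]}", i + 2

def parse_acl(text: str) -> list:
    """Parse ACE lines; a missing sequence number defaults to 10, 20, ... (assumed)."""
    aces, seq = [], 0
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] == "ip":        # skip the 'ip access-list ...' header
            continue
        if tok[0].isdigit():
            seq = int(tok.pop(0))
        else:
            seq += 10
        action, proto = tok[0], tok[1]
        src, i = _take_addr(tok, 2)
        dst, i = _take_addr(tok, i)
        dport, log = None, False
        while i < len(tok):
            if tok[i] == "eq":
                dport, i = int(tok[i + 1]), i + 2
            elif tok[i] == "log":
                log, i = True, i + 1
            else:
                i += 1                        # e.g. 'established': not modelled
        aces.append(Ace(seq, action, proto, src, dst, dport, log))
    return sorted(aces, key=lambda a: a.seq)

def evaluate(aces, proto, src_ip, dst_ip, dport=None):
    """First matching ACE wins; no match is the implicit 'deny ip any any'."""
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if not (wildcard_match(ace.src, src_ip) and wildcard_match(ace.dst, dst_ip)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.seq
    return "deny", None

def _covers(a: Ace, b: Ace) -> bool:
    """True if every packet that could match b is already matched by a."""
    return (a.proto in ("ip", b.proto)
            and a.src in ("any", b.src) and a.dst in ("any", b.dst)
            and (a.dport is None or a.dport == b.dport))

def shadowed(aces):
    """Sequence numbers of ACEs that can never be hit because an earlier ACE covers them."""
    return [b.seq for n, b in enumerate(aces) if any(_covers(a, b) for a in aces[:n])]

# Constructed input: the PERMIT-ADMIN-LINE ACL quoted on this page.
PERMIT_ADMIN_LINE = """
ip access-list extended PERMIT-ADMIN-LINE
 permit tcp host 192.168.180.1 any eq 22 log
 deny ip any any
"""

if __name__ == "__main__":
    acl = parse_acl(PERMIT_ADMIN_LINE)
    print(evaluate(acl, "tcp", "192.168.180.1", "192.168.180.2", 22))  # ('permit', 10)
    print(evaluate(acl, "tcp", "192.168.180.1", "192.168.180.2", 23))  # ('deny', 20)
    print(shadowed(acl))                                                # []
    # The same two ACEs with the deny entered first: the permit is shadowed.
    wrong = parse_acl("10 deny ip any any\n20 permit tcp host 192.168.180.1 any eq 22")
    print(shadowed(wrong))                                              # [20]
```

The shadowing check is deliberately conservative: it only reports an ACE when an earlier entry is "any" or textually identical on both addresses, so it can miss subnet-to-host overlaps but never reports a false positive for this subset.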
INBOUND = Pre-Routing
OUTBOUND = Post-Routing
Packet debugging captures the packets that are process-switched, including received, generated, and forwarded packets.