Friday 15 July 2011

Creating and editing Cisco Extended access lists

Extended ACLs allow you to permit or deny traffic from specific source IP addresses to a specific destination IP address and port. They also let you match different types of traffic such as ICMP, TCP, UDP, etc. Needless to say, they are very granular and allow you to be very specific. Rules are evaluated top down and the first match wins; traffic that matches no rule is dropped by the implicit deny at the end of every ACL, so the order (and therefore the sequence numbers) of the entries matters. If you intend to build a packet filtering firewall to protect your network, it is an extended ACL that you will need to create.

Here are a few examples of how to work with extended access lists:

To create a new extended ACL (the prompt changes to config-ext-nacl once you enter the list):

router#conf t
router(config)#ip access-list extended 199
router(config-ext-nacl)#10 permit tcp any any
router(config-ext-nacl)#20 permit udp any any
router(config-ext-nacl)#30 deny ip any any
router(config-ext-nacl)#exit
router(config)#exit

Display the current rules:

router#show access-list 199
Extended IP access list 199
10 permit tcp any any
20 permit udp any any
30 deny ip any any

Add a new rule (an unused sequence number places it between the existing entries):

router#conf t
router(config)#ip access-list extended 199
router(config-ext-nacl)#21 permit gre any any
router(config-ext-nacl)#exit
router(config)#exit

router#show access-list 199
Extended IP access list 199
10 permit tcp any any
20 permit udp any any
21 permit gre any any
30 deny ip any any

Renumber the rules (resequence is a global configuration command; the arguments are the starting sequence number and the increment):

router#conf t
router(config)#ip access-list resequence 199 10 10
router(config)#exit

router#show access-list 199
Extended IP access list 199
10 permit tcp any any
20 permit udp any any
30 permit gre any any
40 deny ip any any
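As an added example (not part of the original post and not Cisco code), a small Python model of the sequence-number and first-match behaviour walked through above: it parses a constructed copy of the show access-list output, inserts rule 21, resequences with start 10 and step 10, and reports which entry a GRE packet hits before and after the insert. Address matching is simplified to "any" or an exact host string, which is an assumption of this example.

```python
import re
from dataclasses import dataclass

# Matches one entry of 'show access-list' output: "<seq> permit|deny <proto> <src> <dst>"
RULE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(\w+)\s+(\S+)\s+(\S+)\s*$")

# Constructed sample of the ACL 199 output shown in the post
SAMPLE = """Extended IP access list 199
    10 permit tcp any any
    20 permit udp any any
    30 deny ip any any
"""

@dataclass(frozen=True)
class Rule:
    seq: int
    action: str   # permit / deny
    proto: str    # tcp, udp, gre, ip, ...
    src: str      # 'any' or an exact host (simplification, no wildcard masks)
    dst: str

def parse_acl(text):
    """Return the entries of a 'show access-list' body ordered by sequence number."""
    rules = [Rule(int(s), a, p, src, dst)
             for s, a, p, src, dst in (m.groups() for m in map(RULE_RE.match, text.splitlines()) if m)]
    return sorted(rules, key=lambda r: r.seq)

def add_rule(rules, rule):
    """Insert an entry by sequence number, as 'NN permit ...' does in config-ext-nacl mode."""
    if any(r.seq == rule.seq for r in rules):
        raise ValueError(f"sequence {rule.seq} already in use")
    return sorted(rules + [rule], key=lambda r: r.seq)

def resequence(rules, start, step):
    """Equivalent of 'ip access-list resequence <acl> <start> <step>': order kept, numbers rewritten."""
    return [Rule(start + i * step, r.action, r.proto, r.src, r.dst) for i, r in enumerate(rules)]

def evaluate(rules, proto, src, dst):
    """First matching entry decides; 'ip' matches every protocol; no match is the implicit deny."""
    for r in rules:
        if r.proto in (proto, "ip") and r.src in (src, "any") and r.dst in (dst, "any"):
            return r.action, r.seq
    return "deny", None   # implicit deny at the end of every ACL

if __name__ == "__main__":
    acl = parse_acl(SAMPLE)
    print("gre before:", evaluate(acl, "gre", "10.0.0.1", "10.0.0.2"))   # hits 30 deny
    acl = add_rule(acl, Rule(21, "permit", "gre", "any", "any"))
    print("gre after:", evaluate(acl, "gre", "10.0.0.1", "10.0.0.2"))    # hits 21 permit
    for r in resequence(acl, 10, 10):
        print(r.seq, r.action, r.proto, r.src, r.dst)
```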
