Extended access lists
I mentioned in Chapter 1 that one policy tool network administrators have at their disposal is control over the type of packets that flow through a router. We looked at examples where it was necessary to restrict the packets passing through a router to specific protocols, such as HTTP (web) or SSL traffic. To implement this, we need to build a policy set that includes a variety of different kinds of IP packets. We can't do this with standard access lists, because they deal only with IP addresses, sets of IP addresses, or network numbers, not with the nature of the packets themselves. Although we saw how to use standard access lists to do packet filtering in the last example, there too we could specify only which hosts are allowed to send IP traffic through a specific interface. There was no way to narrow a policy set down to specific protocols such as TCP or UDP, to specific port numbers, or to specific relationships between sets of source and destination addresses. Standard access lists allow all or nothing. To do packet filtering at a finer level of granularity, we need a way to extend the standard access list to include things like protocol, port number, and destination IP address.
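As an added example (not from the original chapter), here is the web-server case above written both ways. The addresses are constructed from the 192.0.2.0/24 documentation range and the interface name Ethernet0 is assumed; a real router will use its own. The standard list can only name the hosts that may send traffic; the extended list names the protocol, the destination host and the port as well.

```cisco
! --- Standard access list (numbered 1-99): matches on source address only.
! The best it can do is let everything from the internal network through,
! or nothing; it cannot say "only HTTP and HTTPS to the web server".
access-list 1 permit 192.0.2.0 0.0.0.255
!
! --- Extended access list (numbered 100-199): matches on protocol,
! source, destination and port. Permit only TCP to the web server
! 192.0.2.10 (a constructed address) on ports 80 (www) and 443 (https).
access-list 101 remark Allow only web traffic to the web server
access-list 101 permit tcp any host 192.0.2.10 eq www
access-list 101 permit tcp any host 192.0.2.10 eq 443
! Every access list ends with an implicit "deny any"; writing it out
! with the log keyword makes the drops visible while troubleshooting.
access-list 101 deny ip any any log
!
! Apply the extended list inbound on the interface facing the outside.
interface Ethernet0
 ip access-group 101 in
```

Two things to keep in mind when using a list like this. Entries are evaluated top down and the first match wins, so a broad permit placed above a narrower deny silently defeats the deny. And because of the implicit deny at the end, anything not listed, including DNS replies and ICMP, is dropped on that interface; the list only controls packets entering through Ethernet0, so the server's replies leaving through it are not affected by this inbound list.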