Standard and Extended ACLs?

I just want to know: if extended IP access lists can do all tasks (I mean extended access lists have a lot of controlling parameters), then why do people use standard access lists instead of extended access lists?
I just want to know in which scenario we should use STD ACLs instead of EXTD ACLs, and what special advantage there is in using STD over EXTD ACLs.
Please reply.

Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
To summarize what the other posters have already noted, the two principal reasons why one might use a standard ACL (which could also be functionally accomplished by an extended ACL) are 1) some commands that rely on ACLs might still only support standard ACLs (more likely in older IOS versions) and 2) a standard ACL might be just a little clearer to understand.
Another (hopefully needless) reason why you might want to use a standard ACL, when an extended ACL would do, could be that the device's processing performance might be better with a standard ACL.
Logically the standard ACL ACE:
access-list 10 permit host 1.1.1.1
should be the same as this extended ACL ACE:
permit ip host 1.1.1.1 any
But a "dumb" implementation of processing the extended ACL might wildcard compare the destination IP and other optional parameters while the standard ACL only examines the source IP.  Should this happen?  No, but such might happen because of different generations of code and/or different teams working on ACL processing.
BTW, if there is a significant performance difference, it's just as possible extended works better.
Again, this is very extreme and unlikely, but this could be a reason to use one form of ACL vs. the other when both can provide the same filtering.  (Also, if this is "discovered", it's very likely to be very device and IOS version specific.  Personally I would consider taking "advantage" of such a discovery poor practice, except in extreme situations.)

Similar Messages

  • WAAS: Standard vs Extended ACL's for WCCP Transparent Redirection

    I've come across a number of implementations where the ACLs associated with services 61 & 62 are using extended access-lists. I am writing with specific reference to WCCP configured in promiscuous mode.
    Since WCCP will only redirect TCP, and the WAAS solution in general applies only to TCP, is there really a need for extended ACLs for redirection? Furthermore, in a simple implementation you do not need separate ACLs linked to 61 & 62; I don't think so.
    Standard ACLs get through the filtering process more quickly than extended.
    thanks
    Ajaz

    The extended access-lists are used because some TCP traffic does not need to be optimized (telnet, BGP, SNMP, ...), or some hosts have compressed traffic for any application and need to be excluded from redirection. Besides that, standard access-lists can be used.

  • CAN: Standard and Extended Frames/Wake up nodes

    Hello, my name is Gerardo Palmeri. I need to ask you questions about CAN bus and the USB-8473.
    I'm programming an application in which I'll be able to measure voltages, currents and CAN bus codes from a node in the steering wheel of a truck.
    The node is "sleeping" and I need to wake it up. At the moment I can't do it.
    The system uses extended frames (29 bits) and I made the following net topology to find out the problem:
    Node A (CAN 1): USB-8473 writes messages to the net.
    Node B (CAN 0): USB-8473 listens to the bus activity.
    Node C (ID: C012171): node in the steering wheel (target). Note that C012171 is an extended address (frame).
    I use 2 tools to manage the bus activity:
    Transmit: I use CAN_Transmit.vi (from the examples library) to send messages.
    Receive: NI CAN Bus Monitor from "Measurement and Automation Explorer" to read messages from the bus.
    When I write a message to ID C012171, NI CAN Bus Monitor receives it and shows me the data correctly, but the ID = 171 (without C012; the system ignores the most significant part of the ID). NI CAN Bus Monitor indicates it is receiving standard frames.
    1. Does someone know why the ID is truncated?
    2. Could there be a mistake in the extended comparator and extended mask selected? I defined 0 for both.
    Thanks for your attention! I'll await your answer.

    Hi!! Yes, you're right! I just wired the CAN ID to a pin of an OR instruction and on the other pin I connected x20000000. This means that the 29th bit is one and the CAN write instruction is able to write data to devices with extended frames.
    Thanks for your help and keep in touch!

  • Router ACL and Port ACL

    How do I find out, after looking at the ACL, that this is a router ACL and this is a port ACL?
    Is there any syntax difference between these two ACLs, or do the two look the same?

    How do I find out, after looking at the ACL, that this is a router ACL and this is a port ACL?
    It depends on where the ACL is applied:
    Layer-3 interface (SVI, routed port): Router ACL
    Layer-2 interface (physical switch interfaces): Port ACL
    Is there any syntax difference between these two ACLs?
    Both support standard and extended ACLs; port ACLs support MAC extended ACLs in addition.
    Link: c3560 Configuring Network Security with ACLs

  • Standard vs extended withholding tax

    Hi All,
    I would like to seek advice on WHT.
    1) May I know what the difference is between standard and extended? Why are there these kinds of WHT?
    2) Are the standard and extended versions only in the SAP system, or are they globally known in the financial and accounting world?
    Thank you.

    Hi,
    These are the basic differences.
    Withholding Tax
    Classic Withholding Tax (all releases)
    Extended Withholding Tax (from release 4)
    Difference between the two
    S.No  Individual Function                           Classic   Extended
    1     Withholding Tax on Outgoing payment           Yes       Yes
    2     TDS on Incoming payment                       x         Yes
    3     TDS at the time of Invoice                    x         Yes
    4     TDS on partial payment                        x         Yes
    5     No. of withholding taxes from each document   Max 1     Several
    6     TDS basis
          - Net amount                                  Yes       Yes
          - Gross amount                                Yes       Yes
          - Tax amount                                  x         Yes
    7     Rounding rule                                 x         Yes
    8     Cash discount consideration                   x         Yes
    9     Accumulation                                  x         Yes
    10    Minimum/Maximum amount and exemption          x         Yes
    11    Certification Numbering                       x         Yes
    12    Calculation Formula                           Yes       Yes
    regards,
    Santosh kumar
    Edited by: santosh kumar on Sep 21, 2009 6:29 AM

  • Classic and Extended Withholding tax

    Hi,
    Can anybody explain to me what the difference is between classic and extended withholding tax?
    Rds,
    javed

    Hi
    Text from SAP documentation
    SAP provides you with two procedures for processing withholding tax:
    "Standard" and extended withholding tax.
    "Standard" withholding tax is the procedure that has always been supported by the system. It offers you the following features:
    Withholding tax for accounts payable
    Withholding tax calculation during payment
    Withholding tax code per vendor line item
    Extended withholding tax provides the following additional features:
    Multiple withholding taxes per customer or vendor line item
    Withholding tax calculation for partial payments
    Thank You,

  • I currently have Photoshop CS5 standard, and want to upgrade to CS5 Extended to get the 3D capabilities.  Is this possible, I don't see any CS5 upgrades available?

    I currently have Photoshop CS5 standard, and want to upgrade to CS5 Extended to get the 3D capabilities.  Is this possible, I don't see any CS5 upgrades available?  I tried to download a new trial version as well, but my current operating system will not support it, so I'd like to stick w/ a version of CS5 that will allow me to work in 3D.  What are my options?

    You can upgrade to CS6 extended for $400

  • Extended ACL permit ip and allowed ports

    Hi everyone
    Need to confirm: if we have the extended ACL with object-groups below
    access-list xy_access_in extended permit ip object-group xy_subnets object-group cisco_ynetworks
    will the above ACL allow all the ports on the destination object-group?
    Thanks
    mahesh

    And to illustrate the situation above
    Situation 1 - Only allow rule exists on the ACL
    object-group network SOURCE
    network-object 10.10.10.0 255.255.255.0
    network-object 10.10.20.0 255.255.255.0
    object-group network DESTINATION
    network-object 10.10.100.0 255.255.255.0
    network-object 10.10.200.0 255.255.255.0
    access-list SOURCE-IN permit ip object-group SOURCE object-group DESTINATION
    The above ACL would
    Allow ALL TCP/UDP source and destination ports
    Allow those from the source networks of SOURCE to the destination networks of DESTINATION
    Situation 2 - Deny rules exist before the allowing rule
    object-group network SOURCE
    network-object 10.10.10.0 255.255.255.0
    network-object 10.10.20.0 255.255.255.0
    object-group network DESTINATION
    network-object 10.10.100.0 255.255.255.0
    network-object 10.10.200.0 255.255.255.0
    access-list SOURCE-IN deny ip host 10.10.10.10 host 10.10.100.100
    access-list SOURCE-IN deny tcp host 10.10.10.10 host 10.10.200.200 eq 80
    access-list SOURCE-IN permit ip object-group SOURCE object-group DESTINATION
    The above ACL would
    First block ALL TCP/UDP traffic from host 10.10.10.10 to host 10.10.100.100
    It would also block TCP traffic from host 10.10.10.10 to host 10.10.200.200 on the destination port TCP/80
    It would then allow ALL TCP/UDP traffic from the source networks of SOURCE to the destination networks of DESTINATION
    The key thing to notice of course would be that we have blocked some traffic on the first 2 lines of the ACL and then allowed ALL TCP/UDP traffic.
    So host 10.10.10.10 can't communicate with host 10.10.100.100 on any port since the "deny" rule for that is at the top of the ACL BEFORE the rule that allows ALL TCP/UDP traffic between these networks.
    In the other case the TCP/80 destination traffic from host 10.10.10.10 to host 10.10.200.200 would be blocked BUT the rest of the TCP/UDP traffic would be allowed by the rule using the "object-group".
    - Jouni

  • Catalyst 3560 Extended ACLs

    I have a VoIP / QoS situation I just discovered on the Cat 3560's. In this case, a particular manufacturer's IP Phones do not tag CoS or DSCP. As such, I have defined extended ACL's/Policies on the Cat 3560 switches to detect and mark traffic from the IP Phones. My policies are designed to identify and mark Call Bearer with DSCP 46 and Call Control traffic with DSCP 26 based upon source address and UDP port. What I see however, is that all VoIP traffic is marked at DSCP 46, and nothing is marked at 26. (It's not so bad having control and bearer marked with DSCP EF, but I like to put call control in a different queue when possible.)
    I am looking for confirmation of the following theory. I suspect that the 3560's ((C3560-IPBASEK9-M), Version 12.2(25)SED) are not layer 4 aware, thus extended access lists function only as standard access lists (even though the switch allows me to create an extended ACL). As such, my attempt to identify call bearer and call signalling based upon UDP port will not work.
    Below is the ACL / Policy config. Note that on downstream routers, I only see DSCP 46 and never match DSCP 26 (af31). From the switch, using "sh mls qos interface statistics", I see no traffic with DSCP 26 at all (output attached).
    I believe this is because the switch is only reading the layer 3 portion of the ACL. Since both ACL 101 and ACL 102 have the same layer 3 source address, all classified traffic will match class "IngressVoiceBearer" and get marked with 46.
    access-list 101 remark Voice Bearer Signalling
    access-list 101 permit udp 192.168.100.0 0.0.0.255 any eq 5004
    access-list 102 remark Call Control Signalling (udp 5440-5445)
    access-list 102 permit udp 192.168.100.0 0.0.0.255 any eq 5440
    access-list 102 permit udp 192.168.100.0 0.0.0.255 any eq 5441
    access-list 102 permit udp 192.168.100.0 0.0.0.255 any eq 5442
    access-list 102 permit udp 192.168.100.0 0.0.0.255 any eq 5443
    access-list 102 permit udp 192.168.100.0 0.0.0.255 any eq 5444
    access-list 102 permit udp 192.168.100.0 0.0.0.255 any eq 5445
    class-map match-any IngressCallControlSignalling
    match access-group 102
    class-map match-any IngressVoiceBearer
    description All Inbound Voice Bearer traffic on UDP 5004
    match access-group 101
    policy-map IngressVoIP
    class IngressVoiceBearer
    set dscp ef
    class IngressCallControlSignalling
    set dscp af31
    class class-default
    set dscp default
    Switch Output:
    switch#sh mls qos int g0/1 statistics
    GigabitEthernet0/1
    dscp: outgoing
    0 - 4 : 12359302 0 0 0 0
    5 - 9 : 0 0 0 0 0
    10 - 14 : 0 0 0 0 0
    15 - 19 : 0 0 0 0 0
    20 - 24 : 0 0 0 0 0
    25 - 29 : 0 0 0 0 0
    30 - 34 : 0 0 0 0 0
    35 - 39 : 0 0 0 0 0
    40 - 44 : 0 0 0 0 0
    45 - 49 : 0 1837749 0 9716 0
    50 - 54 : 0 0 0 0 0
    55 - 59 : 0 0 0 0 0
    60 - 64 : 0 0 0 0

    Are the ports correct for the call control ACL? In the Cisco VoIP world we use an ACL like this for call control:
    ip access-list extended VOICE-CONTROL
    permit tcp any any range 2000 2002
    permit tcp any range 2000 2002 any
    permit tcp any any range 11000 11999
    permit tcp any any range 1718 1720
    permit udp any any range 1718 1719
    permit udp any any range 2427 2428
    permit tcp any any range 2443 2445
    permit tcp any any range 5555 5599
    But Cisco uses different protocols. Your ACL is configured correctly and the 3560 is supposed to support extended ACLs. Does your 3560 have an enhanced image or a standard image?
    Are these Avaya phones? I have had to do software updates on Avaya phones to get them to behave correctly.
    -Mark

  • Use extended ACL with NAT

    Believe it or not, once in a while I fumble with some basic concepts. Here is one: on our perimeter FW, an ASA, there is this NATting configured.
    I just couldn't figure out why they use an extended ACL for the sources. Isn't the standard one good enough?
    thanks in advance,
    Han
    access-list dmz_nat0_outbound extended permit ip any 1XX.169.0.0 255.255.0.0
    access-list dmz_nat0_outbound extended permit ip any 10.48.240.0 255.255.255.0
    access-list dmz_nat0_outbound extended permit ip any 10.48.243.0 255.255.255.0
    access-list inside_nat0_outbound_5 extended permit ip any 172.17.13.0 255.255.255.0
    access-list inside_nat0_outbound_5 extended permit ip any 192.168.12.0 255.255.255.0
    access-list inside_nat0_outbound_5 extended permit ip any 192.168.221.0 255.255.255.0
    global (Outside) 2 2XX.YY.13.244 netmask 255.255.255.0
    global (Outside) 1 2XX.YY.13.12 netmask 255.255.255.255
    nat (inside) 0 access-list inside_nat0_outbound_5
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (dmz) 0 access-list dmz_nat0_outbound
    nat (dmz) 2 0.0.0.0 0.0.0.0

    Hi Han,
    If you go for a standard ACL then you cannot specify the destination subnets and ports. You can specify only the source, and the destination is considered any by default.
    standard ACL:
    access-list 10 standard permit 172.16.0.0 255.255.0.0
    Extended ACL:
    access-list abc extended permit tcp 172.16.0.0 255.255.255.0 10.0.0.0 255.255.255.0 eq 80
    This is how it differs. In your scenario the destination is specific while the source is any, so you have the extended ACL in the picture for that. Hope this clears it up for you.
    Please do rate if the given information helps.
    By
    Karthik

  • Definition of Classic and Extended Withholding Tax

    Hi Gurus,
    Can anyone please explain the definition and exact use of Classic and Extended Withholding Tax and the difference between them.
    Thanks in advance.
    Regards,
    Dev Mahendra

    hello,
    "Standard" withholding tax is the procedure that has always been supported by the system. It offers you the following features:
        Withholding tax for accounts payable
        Withholding tax calculation during payment
        Withholding tax code per vendor line item
    Extended withholding tax provides the following additional features:
       Multiple withholding taxes per customer or vendor line item
       Withholding tax calculation for partial payments
    Regards,
    Sankar

  • Why there is a difference between Router and PIX ACL

    Hi,
    I have a very basic question about the differences between ACL behaviour in PIX and router.
    In a router, if we put in an extended ACL entry and want to remove a mid entry, then either we have to clear the entire ACL or remove all the entries below it.
    Whereas in the case of PIX we can remove any of the entries.
    Why is this difference there?
    Would appreciate your quick answers.
    Thanks
    Irshad

    The PIX OS is designed that way. Anyway, even in routers you can remove a mid entry by configuring named access-lists. You need not clear the entire ACL in this case.
    ip access-list extended ROUTER-ACL
    permit ip host x.x.x.x host y.y.y.y

  • MAC UPGRADE FROM CS4 STANDARD TO CS5 STANDARD OR EXTENDED

    Hello,
    I'm interested to find out how to MAC UPGRADE FROM CS4 STANDARD TO CS5 STANDARD OR EXTENDED. It's my intention to buy the upgrade not through
    download, but by purchasing the DVDs needed, to be used eventually if necessary.
    Thank you

    No, forget it. Adobe only sells current versions. How would you even be able to buy a used upgrade that is tied to someone else's previous version? Makes no sense at all and is clearly a breach of the EULA - whoever may sell you this "upgrade" would have to include all his previous versions leading up to that point, making it a completely independent full license that has no relation whatsoever to your CS4. And you would still have to run the license transfer drill.
    Transfer an Adobe product license
    Mylenium

  • Can I upgrade Photoshop CS6 from standard to extended without reinstalling?

    Hello,
    I have Photoshop CS6 Standard already installed on my Mac (OS 10.8). My employer has just purchased the extended version for me and I would like to upgrade. I have a valid serial number to do this.
    I understand that the software is the same and depending on the serial number it can unlock the extended portion of CS6. Is there any way of upgrading the installed version to extended by re-entering the new serial number, or should I just install a second copy of PS CS6 and have 2 PS CS6 (one standard and one extended)?
    Any suggestions would be helpful.
    Thank you.

    Hi,
    Please follow the below mentioned steps:
    Open Photoshop
    Choose Help > Deactivate
    Select Deactivate Permanently from this computer after deactivation completes
    Click Deactivate.
    Reopen Photoshop. You are prompted for a serial number. Enter the Extended serial number.
    Regards,
    Ashutosh

  • Extended ACL Issue

    I have a question, I am trying to make an extended ACL to deny HTTP, Telnet, and FTP traffic from the internet to PC1 in the one exercise I am doing.
    I made the following ACL and applied it to the loopback interface on R2 (where the ISP is coming in from the "cloud") PC1 is connected to R1 which is obviously connected to R2.
    ip access-list extended ACL_TCP
    deny tcp 209.165.200.160 0.0.0.31 10.0.0.0 0.0.0.127 established
    permit tcp any any established
    Is there a better way to do this? Does this extended ACL work for my purpose?

    What direction did you apply this? I'm assuming in the inbound direction?
    Take the established keyword off. That's generally to allow return traffic on an interface that's denying traffic.
    Try the following:
    ip access-list ext ACL_TCP
    deny tcp 209.165.200.160 0.0.0.31 10.0.0.0 0.0.0.127 eq http
    deny tcp 209.165.200.160 0.0.0.31 10.0.0.0 0.0.0.127 eq ftp
    deny tcp 209.165.200.160 0.0.0.31 10.0.0.0 0.0.0.127 eq telnet
    Apply to your loopback:
    ip access-group ACL_TCP in
    Next question:
    Why do you have an acl applied to your loopback and not the physical interface that your internet connection comes in on? Normally, you would apply to say s0/0 (serial interface) that has your public ip assigned to it. That may be why it's not working. You actually have the acl applied to LoopbackX?
    HTH,
    John
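    Three threads on this page turn on the same two facts about ACL processing: a standard ACE examines only the source address (the `access-list 10 permit host 1.1.1.1` versus `permit ip host 1.1.1.1 any` comparison in the first answer), and entries are evaluated top to bottom, first match wins, with an implicit deny at the end (Jouni's "Situation 2" and the `established` question just above). The following is an added example, written in Python for this page and not code from any poster or from Cisco: a toy evaluator for the IOS-style syntax used here. Its assumptions: it supports only the ACE forms that appear on this page, the ASA object-groups of Situation 2 are expanded by hand into IOS wildcard notation, and all packets are constructed samples.

```python
"""Toy first-match evaluator for Cisco IOS-style standard and extended ACLs.

Added example, not code from any post on this page and not Cisco's. It models
only the syntax seen here: standard ACEs ('[access-list N] permit|deny host A |
A WILDCARD | any'), extended ACEs ('[access-list N] permit|deny ip|tcp|udp SRC
DST [eq PORT] [established]'), first-match evaluation and the implicit deny at
the end of every list. All packets are constructed samples.
"""
import ipaddress

PORT_NAMES = {"http": 80, "ftp": 21, "telnet": 23}


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tok, i):
    """Consume one address spec at tok[i]; return (network, wildcard, next_i)."""
    if tok[i] == "any":
        return 0, 0xFFFFFFFF, i + 1          # all-ones wildcard: every bit is 'don't care'
    if tok[i] == "host":
        return _ip(tok[i + 1]), 0, i + 2
    return _ip(tok[i]), _ip(tok[i + 1]), i + 2


def _addr_match(addr, network, wildcard):
    care = ~wildcard & 0xFFFFFFFF            # 0 bits in the wildcard must match exactly
    return (_ip(addr) & care) == (network & care)


def parse_ace(line):
    """Parse one ACE. A standard ACE checks only the source; its destination is 'any'."""
    tok = line.split()
    if tok[0] == "access-list":              # numbered form: drop 'access-list N'
        tok = tok[2:]
    ace = {"action": tok[0], "proto": "ip", "dport": None, "established": False}
    if tok[1] in ("ip", "tcp", "udp"):       # extended ACE
        ace["proto"] = tok[1]
        ace["src"], ace["swild"], i = _parse_addr(tok, 2)
        ace["dst"], ace["dwild"], i = _parse_addr(tok, i)
        while i < len(tok):
            if tok[i] == "eq":
                ace["dport"] = int(PORT_NAMES.get(tok[i + 1], tok[i + 1]))
                i += 2
            elif tok[i] == "established":
                ace["established"] = True
                i += 1
            else:
                raise ValueError("unsupported token %r in %r" % (tok[i], line))
    else:                                    # standard ACE
        ace["src"], ace["swild"], _ = _parse_addr(tok, 1)
        ace["dst"], ace["dwild"] = 0, 0xFFFFFFFF
    return ace


def ace_matches(ace, p):
    # p holds src, dst, proto, dport and ack (True when the TCP ACK or RST bit is set)
    return (ace["proto"] in ("ip", p["proto"])
            and _addr_match(p["src"], ace["src"], ace["swild"])
            and _addr_match(p["dst"], ace["dst"], ace["dwild"])
            and (ace["dport"] is None or ace["dport"] == p["dport"])
            and (not ace["established"] or p["ack"]))


def evaluate(acl_lines, p):
    """First matching ACE wins; a packet matching nothing hits the implicit deny."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace_matches(ace, p):
            return ace["action"]
    return "deny"


def pkt(src, dst, proto="tcp", dport=None, ack=False):
    return {"src": src, "dst": dst, "proto": proto, "dport": dport, "ack": ack}


def standard_equals_extended():
    """The standard ACE from the top of the thread against its extended twin."""
    samples = [pkt("1.1.1.1", "10.0.0.5", "udp", 53), pkt("1.1.1.2", "10.0.0.5"),
               pkt("1.1.1.1", "192.0.2.9", "tcp", 443, ack=True)]
    return all(evaluate(["access-list 10 permit host 1.1.1.1"], p)
               == evaluate(["permit ip host 1.1.1.1 any"], p) for p in samples)


# Jouni's "Situation 2", object-groups expanded by hand into IOS wildcard form:
# the two deny lines win only because they come before the broad permits.
SITUATION_2 = ["deny ip host 10.10.10.10 host 10.10.100.100",
               "deny tcp host 10.10.10.10 host 10.10.200.200 eq 80"] + [
    "permit ip %s 0.0.0.255 %s 0.0.0.255" % (s, d)
    for s in ("10.10.10.0", "10.10.20.0") for d in ("10.10.100.0", "10.10.200.0")]


def situation_2_verdicts():
    flows = {"10.10.10.10->10.10.100.100 tcp/22": pkt("10.10.10.10", "10.10.100.100", "tcp", 22),
             "10.10.10.10->10.10.200.200 tcp/80": pkt("10.10.10.10", "10.10.200.200", "tcp", 80),
             "10.10.10.10->10.10.200.200 tcp/443": pkt("10.10.10.10", "10.10.200.200", "tcp", 443),
             "10.10.20.7->10.10.100.100 udp/53": pkt("10.10.20.7", "10.10.100.100", "udp", 53),
             "192.168.1.1->10.10.100.100 tcp/80": pkt("192.168.1.1", "10.10.100.100", "tcp", 80)}
    return {name: evaluate(SITUATION_2, p) for name, p in flows.items()}


# The 'established' thread: the original list matches only packets that already
# carry ACK/RST, so a fresh inbound SYN falls through to the implicit deny; a list
# made of deny lines alone ends in that same implicit deny for everything else.
ORIGINAL = ["deny tcp 209.165.200.160 0.0.0.31 10.0.0.0 0.0.0.127 established",
            "permit tcp any any established"]
DENY_ONLY = ["deny tcp 209.165.200.160 0.0.0.31 10.0.0.0 0.0.0.127 eq %s" % svc
             for svc in ("http", "ftp", "telnet")]


def established_verdicts():
    flows = {"syn http": pkt("209.165.200.161", "10.0.0.5", "tcp", 80),
             "syn ssh": pkt("209.165.200.161", "10.0.0.5", "tcp", 22),
             "return traffic": pkt("198.51.100.7", "10.0.0.5", "tcp", 51000, ack=True)}
    return {"%s %s" % (acl, name): evaluate(lines, p)
            for acl, lines in (("original", ORIGINAL), ("deny-only", DENY_ONLY))
            for name, p in flows.items()}
```

    Running `established_verdicts()` shows why the `established` keyword did not do what the original poster wanted: every packet without ACK/RST set, including the inbound SYN to port 80, matches neither line and ends at the implicit deny, while return traffic for outbound connections is permitted. It also shows that a list consisting only of deny lines denies everything else too, so any traffic that should still pass through that interface needs an explicit permit after the denies. `standard_equals_extended()` confirms the first answer's point that a source-only standard ACE and the extended `... any` form give the same verdict on every sample packet.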
