Help with access list?


oneyo1984
03-29-2010, 03:39 PM
Hello, I am still a little bit confused about access lists. My concern is, I don't really know when I should use a standard IP access list or an extended IP access list. Example:
Our access-list needs to allow host C-192.168.33.3 to the Finance Web Server 172.22.242.23 via web (port 80).

answer:

Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.243.23 eq 80

So, how did they come up with access-list 100 permit? How do I understand which number to use?

Please, I need help.

Pramod.purohit
03-29-2010, 06:00 PM
Look, there are two types of ACLs:

Standard and extended

Standard ACLs start from number 1 to 99 and they filter traffic based on source address, whereas extended ACLs start from number 100 to 199 and filter traffic based on source as well as destination address and port no. too.
So in the example we need to allow a host to access a finance web server, so we need to filter based on source as well as destination with port no., so we need to use an extended ACL. We can't accomplish this with a standard ACL.

To understand fully, please go through Todd's book, chapter 10.

Msizi
03-30-2010, 12:46 AM
Extended ACLs allow you to permit or deny traffic from specific IP addresses to a specific destination IP address and port. They also allow you to specify different types of traffic such as ICMP, TCP, UDP, etc. Needless to say, it is very granular and allows you to be very specific. So you cannot achieve your specified goal by using a standard access list, which only filters traffic based on a source IP address.

Cheerz!

oneyo1984
03-30-2010, 12:57 AM
OK, I got it, but why put access-list 100 permit? Why not access-list 1 permit?

So can we just change the 100 to 1, or is it just the rule?

Msizi
03-30-2010, 01:40 AM
For a standard access list you can only use numbers from 1 to 99 (or 1300 to 1999), and for an extended access list you can only use 100 to 199 (or 2000 to 2699).

Hope this clears everything up, and please read Todd's chapter 10 in the study guide; you'll be amazed how informative it is.

Cheerz!

Fuzz
03-30-2010, 06:46 AM
The type of ACL (standard or extended) you use is dependent on what you want to filter. Extended ACLs have much more flexibility than standard as they allow finer control, and they can be used to limit the packets sent on the network. Standard ACLs should be implemented closest to the destination so they filter only necessary packets. Because of this, network bandwidth is used up as the packet travels across the network only to get dropped at the end.

ACLs are used for more than dropping/forwarding packets, however, so the choice of using standard or extended ACLs becomes more important as you progress beyond CCNA level.

anurag007
03-30-2010, 09:50 AM
Standard ACLs

ACLs numbered 1-99 or 1300-1999 are standard IPv4 and IPv6 ACLs. Standard ACLs match packets by examining the source IP address field in the IP header of that packet. These ACLs are used to filter packets based solely on Layer 3 source information.

Standard ACLs permit or deny traffic based on source address. This is the command syntax for configuring a standard numbered IP ACL:

Router(config)# access-list {1-99} {permit | deny} source-addr [source-wildcard]

The first value specifies the ACL number. For standard ACLs, the number range is 1 to 99. The second value specifies whether to permit or deny the configured source IP address traffic. The third value is the source IP address that must be matched. The fourth value is the wildcard mask to be applied to the previously configured IP address to indicate the range.

Extended ACLs

Extended ACLs match packets based on Layer 3 and Layer 4 source and destination information. Layer 4 information can include TCP and UDP port information. Extended ACLs give greater flexibility and control over network access than standard ACLs. This is the command syntax for configuring an extended numbered IP ACL:

Router(config)# access-list {100-199} {permit | deny} protocol source-addr [source-wildcard] [operator operand] destination-addr [destination-wildcard] [operator operand] [established]

Similar to standard ACLs, the first value specifies the ACL number. ACLs numbered 100-199 or 2000-2699 are extended ACLs. The next value specifies whether to permit or deny according to the criteria that follow. The third value indicates the protocol type. The administrator must specify IP, TCP, UDP, or another specific IP sub-protocol. The source IP address and wildcard mask determine where traffic originates. The destination IP address and its wildcard mask are used to indicate the final destination of the network traffic. Although the port parameter is defined as optional, when the destination IP address and mask are configured, the administrator must specify the port number to match, either by number or by a well-known port name; otherwise all traffic to that destination will be dropped.

All ACLs assume an implicit deny, meaning that if a packet does not match any of the criteria specified in the ACL, the packet is denied. Once an ACL is created, at least one permit statement should be included or all traffic will be dropped once that ACL is applied to an interface.

Both standard and extended ACLs can be used to describe packets entering or exiting an interface. The list is searched sequentially. The first statement matched stops the search through the list and defines the action to be taken.

Once the standard or extended numbered IP ACL is created, the administrator must apply it to the appropriate interface.

This is the command to apply the ACL to an interface:

Router(config-if)# ip access-group access-list-number {in | out}

This is the command to apply the ACL to a vty line:

Router(config-line)# access-class access-list-number {in | out}
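To make the number ranges Msizi quoted and the syntax, first-match search and implicit deny described in the post above concrete, here is a small Python evaluator. It is an added example, not code from the thread or from Cisco IOS: it classifies a numbered IPv4 ACL by its number, parses standard and extended access-list lines (only the eq port operator and a constructed subset of well-known port names are modelled), and evaluates constructed packets against an ACL in order. The ACL lines use the host addresses from the question (192.168.33.3 and 172.22.242.23), and the Packet fields and the sample entries are assumptions made for the demo.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed subset of IOS well-known port names, just enough for the demo.
PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "https": 443}


def acl_type(number: int) -> str:
    """Classify a numbered IPv4 ACL by the ranges quoted in the thread."""
    if 1 <= number <= 99 or 1300 <= number <= 1999:
        return "standard"
    if 100 <= number <= 199 or 2000 <= number <= 2699:
        return "extended"
    raise ValueError(f"{number} is not a standard or extended IPv4 ACL number")


def _is_ipv4(token: str) -> bool:
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def _parse_addr(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D [wildcard]'.
    Returns ((network_bits, care_mask), remaining); wildcard 0-bits are the bits that must match."""
    if tokens[0] == "any":
        return (0, 0), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0xFFFFFFFF), tokens[2:]
    addr = int(ipaddress.IPv4Address(tokens[0]))
    if len(tokens) > 1 and _is_ipv4(tokens[1]):
        wildcard, rest = int(ipaddress.IPv4Address(tokens[1])), tokens[2:]
    else:
        wildcard, rest = 0, tokens[1:]  # no wildcard given: exact host match
    care = wildcard ^ 0xFFFFFFFF
    return (addr & care, care), rest


def _parse_port(tokens):
    """Consume an optional 'eq <number|name>' operator (only 'eq' is modelled here)."""
    if tokens and tokens[0] == "eq":
        spec = tokens[1]
        return (int(spec) if spec.isdigit() else PORT_NAMES[spec]), tokens[2:]
    return None, tokens


@dataclass
class Entry:
    number: int
    action: str
    protocol: str          # "ip" matches every IP protocol
    src: tuple
    dst: tuple
    sport: Optional[int]
    dport: Optional[int]
    established: bool      # match only packets with ACK set (TCP reply traffic)


def parse_entry(line: str) -> Entry:
    """Parse one 'access-list N permit|deny ...' line; the number decides the syntax."""
    t = line.split()
    assert t[0] == "access-list" and t[2] in ("permit", "deny"), line
    number, action, rest = int(t[1]), t[2], t[3:]
    if acl_type(number) == "standard":
        src, rest = _parse_addr(rest)          # standard: source address only
        return Entry(number, action, "ip", src, (0, 0), None, None, False)
    protocol, rest = rest[0], rest[1:]
    src, rest = _parse_addr(rest)
    sport, rest = _parse_port(rest)
    dst, rest = _parse_addr(rest)
    dport, rest = _parse_port(rest)
    return Entry(number, action, protocol, src, dst, sport, dport, "established" in rest)


@dataclass
class Packet:  # constructed packet model, just the fields an ACL looks at
    protocol: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False


def _addr_matches(spec, addr: str) -> bool:
    net, care = spec
    return (int(ipaddress.IPv4Address(addr)) & care) == net


def matches(e: Entry, p: Packet) -> bool:
    if e.protocol != "ip" and e.protocol != p.protocol:
        return False
    if not _addr_matches(e.src, p.src) or not _addr_matches(e.dst, p.dst):
        return False
    if e.sport is not None and p.sport != e.sport:
        return False
    if e.dport is not None and p.dport != e.dport:
        return False
    return not (e.established and not p.ack)


def evaluate(acl: list, p: Packet) -> str:
    """First match wins; a packet that matches no entry hits the implicit deny."""
    for e in acl:
        if matches(e, p):
            return e.action
    return "deny"


# Constructed ACLs built from the question's addresses.
ACL_100 = [parse_entry("access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80")]
ACL_10 = [parse_entry("access-list 10 permit host 192.168.33.3")]
WEB = Packet("tcp", "192.168.33.3", "172.22.242.23", 40000, 80)
SSH = Packet("tcp", "192.168.33.3", "172.22.242.23", 40001, 22)
OTHER = Packet("tcp", "192.168.33.4", "172.22.242.23", 40002, 80)

if __name__ == "__main__":
    for name, acl in (("ACL 100 (extended)", ACL_100), ("ACL 10 (standard)", ACL_10)):
        print(name, [evaluate(acl, p) for p in (WEB, SSH, OTHER)])
```

Running it shows the point of the thread: ACL 100 permits only the web flow and drops the SSH attempt from the same host via the implicit deny, while standard ACL 10, which can only look at the source address, permits both flows from 192.168.33.3. Reordering entries changes the outcome because the search stops at the first match, which is why a broad permit ip any any must come after the specific deny it is meant to leave room for.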