To be more precise when matching a certain network traffic, extended access lists are used. With extended access lists, you can match more information, such as:
• source and destination IP address
• type of TCP/IP protocol (TCP, UDP, IP…)
• source and destination port numbers
Two steps are required to configure extended access lists:
1. configure extended access lists using the following command:
R1(config) access list NUMBER permit|deny IP_PROTOCOL SOURCE_ADDRESS WILDCARD_MASK [PROTOCOL_INFORMATION] DESTINATION_ADDRESS WILDCARD_MASK PROTOCOL_INFORMATION
2. apply an access list to an interface using the following command:
R1(config) ip access-group ACL_NUMBER out
NOTE – extended access lists numbers are in ranges from 100 to 199 and from 2000 to 2699
To better understand the usefulness of extended access lists, consider the following example.
We want Users (network 10.0.0.0/24) to be able to access server S2 (IP address 192.168.0.1) and prevent them access to server S1 (IP address 172.16.0.1/24). First, we need to configure an access list to permit Users the access to server S2:
Next, we need to deny Users the right to access S1 by using the deny statement:
Lastly, we need to apply the access list to the interface on R1:
Here is another example of using extended access lists:
Again, we have Users network (10.0.0.0/24). On the right side, we have a server that serves as a web server, listening on port 80. We need to permit Users to access web sites on S1, but we also need to deny other type of access, for example a Telnet access.
First, we need to allow traffic from Users network to the web server port of 80. We can do that by using the following command:
By using the TCP keyword, we can filter packets by source and destionation ports. In the example above, we have permited traffic originating from the 10.0.0.0 network to the host 172.16.0.1 on port 80. The last part of the statement, eq 80, specifies the destination port of 80.
Now we need to disable telnet traffic from the network 10.0.0.0 to 172.16.0.1. To do that, we need to create a deny statement:
Next, we need to apply our access list to the interface:
NOTE – since at the end of each access list there is an explicit deny all statement, the second ACL statement wasn’t really necessary. After applying an access list, every traffic not explicitly permited will be denied.