Extended access lists are used when standard access lists are not precise enough, because a standard ACL can only match on the source IP address. With extended access lists you can match on more information, such as:
- source and destination IP address
- the IP protocol (ip, tcp, udp, icmp…)
- source and destination port numbers (for TCP and UDP)
Two steps are required to configure extended access lists:
1. configure the extended access list (numbered 100-199 or 2000-2699) using the following command, once per statement:
(config) access-list NUMBER permit|deny PROTOCOL SOURCE_ADDRESS SOURCE_WILDCARD_MASK [SOURCE_PORT_INFORMATION] DESTINATION_ADDRESS DESTINATION_WILDCARD_MASK [DESTINATION_PORT_INFORMATION]
2. apply the access list to an interface, in one direction, using the following command in interface configuration mode:
(config-if) ip access-group ACL_NUMBER in|out
To better understand the usefulness of extended access lists, consider the following example.
We want Users from the network 10.0.0.0/24 to be able to access the server S2 (IP address 192.168.0.1) and to be prevented from accessing the server S1 (IP address 172.16.0.1). First, we need to configure an access list statement that permits Users access to server S2:
Next, we need to deny Users access to S1 by using a deny statement:
Finally, we need to apply the access list to the interface on R1:
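The complete configuration for this example, as an added illustration rather than the commands from the original page. It assumes that the interface of R1 facing the Users network is GigabitEthernet0/0 and that the ACL is applied inbound there; it also adds a final permit statement that the text above does not mention, because every IOS access list ends with an implicit deny of all traffic:

```cisco
! Added example: extended ACL 100 on R1 (interface name is an assumption).
! Statements are evaluated top to bottom; the first match wins.
R1(config)# access-list 100 permit ip 10.0.0.0 0.0.0.255 host 192.168.0.1
R1(config)# access-list 100 deny   ip 10.0.0.0 0.0.0.255 host 172.16.0.1
! Without this line the implicit "deny ip any any" at the end of the list
! would block Users from reaching anything other than S2.
R1(config)# access-list 100 permit ip 10.0.0.0 0.0.0.255 any
! Apply the list inbound on the interface where Users' traffic enters R1.
R1(config)# interface GigabitEthernet0/0
R1(config-if)# ip access-group 100 in
R1(config-if)# end
! Verification: per-statement match counters and the interface binding.
R1# show access-lists 100
R1# show ip interface GigabitEthernet0/0
```

The `host 192.168.0.1` keyword is shorthand for `192.168.0.1 0.0.0.0`. Only one access list can be applied per interface per direction, so applying another list with `ip access-group` on the same interface and direction replaces this one.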
Here is another example of using extended access lists. In this example we will use extended ACLs to filter traffic by the port used.
Again, we have the Users network (10.0.0.0/24). On the right side, we have the server S1 (IP address 172.16.0.1), which serves as a web server listening on port 80. We need to permit Users to access web sites on S1, but we also need to deny other types of access, for example Telnet access.
First, we need to allow traffic from the Users network to the web server on port 80. We can do that by using the following command:
By using the tcp keyword, we can filter packets by source and destination ports. In the statement above, we have permitted traffic originating from the 10.0.0.0/24 network to the host 172.16.0.1 on port 80. The last part of the statement, eq 80, specifies the destination port of 80.
Now we need to deny Telnet traffic (TCP port 23) from the network 10.0.0.0/24 to 172.16.0.1. To do that, we need to create a deny statement:
Next, we need to apply our access list to the interface:
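The complete configuration for the port-filtering example, again added here rather than taken from the original page. The interface name GigabitEthernet0/0 and the inbound direction are assumptions, and the final explicit deny statement is an addition that makes the implicit deny visible and logged:

```cisco
! Added example: extended ACL 101 on R1 filtering by TCP destination port.
! "eq 80" and "eq 23" may also be written "eq www" and "eq telnet".
R1(config)# access-list 101 permit tcp 10.0.0.0 0.0.0.255 host 172.16.0.1 eq 80
R1(config)# access-list 101 deny   tcp 10.0.0.0 0.0.0.255 host 172.16.0.1 eq 23
! Every ACL ends with an implicit "deny ip any any"; writing it out with the
! log keyword records each denied packet so blocked traffic can be seen.
R1(config)# access-list 101 deny   ip any any log
R1(config)# interface GigabitEthernet0/0
R1(config-if)# ip access-group 101 in
R1(config-if)# end
R1# show access-lists 101
```

Because of the implicit deny, the explicit Telnet deny statement is not strictly needed, but it is still useful: `show access-lists` keeps a match counter per statement, so it shows how often Telnet attempts to S1 are being blocked. If Users should still be able to reach destinations other than S1, replace the final `deny ip any any log` with `permit ip 10.0.0.0 0.0.0.255 any`.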